{"id":2843,"date":"2026-05-01T20:04:32","date_gmt":"2026-05-01T20:04:32","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/01\/malicious-ad-for-homebrew-leads-to-macsync-stealer-fri-may-1st\/"},"modified":"2026-05-01T20:04:32","modified_gmt":"2026-05-01T20:04:32","slug":"malicious-ad-for-homebrew-leads-to-macsync-stealer-fri-may-1st","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/01\/malicious-ad-for-homebrew-leads-to-macsync-stealer-fri-may-1st\/","title":{"rendered":"Malicious Ad for Homebrew Leads to MacSync Stealer, (Fri, May 1st)"},"content":{"rendered":"
\n

Introduction<\/strong><\/em><\/p>\n

As macbooks and mac minis become more popular, we’re seeing more campaigns targeting these macOS hosts. Malicious ads have popped up in search results that can lead potential victims to pages that present themselves as legitimate malware but instead are malware. This diary presents one such example from a malicious ad for a page that impersonates Homebrew we saw on Thursday, 2026-04-30.<\/p>\n

Homebrew is a third-party package manager for macOS, and this page pushes MacSync Stealer malware. As I write this today (2026-05-01), the fake Homebrew page at\u00a0hxxps[:]\/\/sites.google[.]com\/view\/brewpage<\/span> is still active.<\/p>\n

Images<\/strong><\/em><\/p>\n

\"\"<\/a>
\nShown above: Malicious ad in search results leading to fake Homebrew page.<\/em><\/p>\n

\"\"<\/a>
\nShown above: Information about the advertiser for the malicious ad.<\/em><\/p>\n

\"\"<\/a>
\nShown above: Fake Homebrew page with script to copy\/paste for potential victims to download malware.<\/em><\/p>\n

\"\"<\/a>
\nShown above: Script from fake Homebrew page pasted to a terminal window on a macOS host.<\/em><\/p>\n

\"\"<\/a>
\nShown above: After running the script, this popup appears, and it collects the victim’s password.<\/em><\/p>\n

\"\"<\/a>
\nShown above: After running the entering the password, this popup appears for the Terminal app to access the Finder app in macOS.<\/em><\/p>\n

\"\"<\/a>
\nShown above: This is the final popup that appears after running the script.<\/em><\/p>\n

\"\"<\/a>
\nShown above: During the infection, MacSync Stealer collects information from the host, temporarily saves it to \/tmp\/osalogging.zip<\/span> and sends that file to the C2 server.<\/em><\/p>\n

\"\"<\/a>
\nShown above: Traffic from the infection filtered in Wireshark.<\/em><\/p>\n

\"\"<\/a>
\nShown above: Traffic from the infected host sending the\u00a0\/tmp\/osalogging.zip<\/span> file to the C2 server.<\/em><\/p>\n

Indicators of Compromise<\/strong><\/em><\/p>\n

Example of URL from malicious ad:<\/p>\n

hxxps[:]\/\/www.google[.]com\/aclk?sa=L&
\nai=DChsSEwi24vK_v5aUAxXZS38AHRAFIWAYACICCAIQABoCb2E&
\nco=1&
\ngclid=EAIaIQobChMItuLyv7-WlAMV2Ut_AB0QBSFgEAMYASAAEgKrq_D_BwE&
\ncid=CAASugHkaEZtQvhFJBWvSVo_oMtlq6lKBxptjJBacaXOdzM28vxFNm3V2vrefacF48NMD0YvBIV9PCmn_d6X0uiMYDt5bwJYXaT6Lt7Mf3F-Mc3OK-0ugNt4GfcvQ0lOKkP1Sf8WVDXTMPeVMsHE8qxoG43Ta5BRER_Sre0RfChP39oVqtwRkowlKUUojM12uBAYWvejqokVOa_j7-uGyN1XrQ1ae6Tfaijfc9OvMC9QKQovm7p0DBitWtBJ_d4&
\ncce=1&
\nsig=AOD64_2EqeARnVjOoYvCwtJyl1AsolQe7g&q&<\/span>
\nadurl&
\nved=2ahUKEwjyq-2_v5aUAxU3g2oFHc28JOUQ0Qx6BAhnEAE<\/span><\/p>\n

Example of fake Homebrew site URL:<\/p>\n

hxxps[:]\/\/sites.google[.]com\/view\/brewpage?gad_source=1&
\ngad_campaignid=23806351087&
\ngbraid=0AAAAACJ6-Kb3hWjjAWCyYLIj0YO5oQvtp&
\ngclid=EAIaIQobChMItuLyv7-WlAMV2Ut_AB0QBSFgEAMYASAAEgKrq_D_BwE<\/span><\/p>\n

Domain used by C2 server for the MacSync infection:<\/p>\n

glowmedaesthetics[.]com<\/span><\/p>\n

Files from the infection:<\/p>\n

SHA256 hash: a4fcfecc5ac8fa57614b23928a0e9b7aa4f4a3b2b3a8c1772487b46277125571<\/span><\/a><\/p>\n