Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis
Essential information
- Published
- 19/02/2026 15:26
- Modified
- 19/02/2026 18:13
- Tags
- 2026-02-19 c2 clickfix credential harvesting cryptocurrency cuckoo stealer homebrew infostealer macos persistence typosquatting
- Related entities
- 1 vulnerabilities (cve), 5 observables, 9 techniques (mitre), 1 malware, 8 others
Description
A sophisticated malware campaign targeting macOS users has been discovered, utilizing typosquatted domains impersonating the Homebrew package manager. The attack, dubbed ClickFix, exploits users' trust in command-line installation processes. Victims are tricked into executing malicious curl commands, leading to the deployment of a credential harvester and the Cuckoo Stealer malware. This infostealer establishes persistence through LaunchAgents, bypasses Gatekeeper, and employs encrypted C2 communication. It systematically exfiltrates sensitive data including browser credentials, cryptocurrency wallets, and system information. The campaign's infrastructure spans multiple domains hosted on shared IP addresses, indicating a coordinated and evolving threat.