Intego discovers new “Cuckoo” Mac malware mimicking Homebrew

Posted on by

In recent months, we’ve written a lot about stealer malware that infects Macs. One malware family that frequently resurfaces is Atomic Stealer, or AMOS (short for Atomic macOS Stealer). AMOS is designed to exfiltrate sensitive data from infected Macs; this typically includes things like saved passwords, cookies, autofill text, and cryptocurrency wallets. Recent headlines have used the malware or campaign name “Cuckoo” to describe some variants of the AMOS family.

Cuckoo malware, like other AMOS variants, is distributed in the form of Trojan horses, often masquerading as supposedly pirated or “cracked” versions of apps. In recent months, numerous Trojan horses have pretend to be various legitimate apps; they employ elaborate campaigns, leveraging malicious Google Ads that link to lookalike homepages with Trojan downloads.

Yesterday, Intego began tracking new Cuckoo variants that have not been written about elsewhere. Here’s everything you need to know about Cuckoo, and how to stay protected.

In this article:

A brief history of Cuckoo Mac malware

Atomic macOS Stealer (AMOS, or AtomicStealer) first surfaced in late April 2023, just over a year ago. At the time, a threat actor began selling it via Telegram as malware as a service, licensable for $1,000 per month.

Since then, we’ve seen lots of AMOS variants emerge. We wrote about later campaigns in September 2023 and February 2024, and we often discuss it on the Intego Mac Podcast.

Earlier this month, we wrote about a previously undocumented AMOS variant that Intego’s research team discovered.

Most often, AMOS malware is distributed through malicious Google Ads campaigns. These poisoned Google ads appear at the top of search results, where many people will see and click on them. In some cases, the ads are virtually indistinguishable from legitimate Google Ads run by the real software companies they mimic.

Beginning a few weeks ago, in late April, a few antivirus vendors began calling some AMOS variants by the name Cuckoo.

A new Cuckoo variant emerges

Just yesterday, on the morning of Wednesday, May 15, a researcher named Alden wrote on social media about a blog post he had just published. Alden described this new campaign as distributing “Cuckoo and AtomicStealer.”

In his blog post, Alden wrote that someone had submitted a file to VirusTotal that contacted a suspicious domain that mimics the homepage of Homebrew, a popular macOS software package manager. The page tries to trick users into copying and pasting a command from the site into their Mac’s Terminal app.

While that might sound ridiculously suspicious and dangerous—and it normally would be—the legitimate Homebrew software is actually installed in this exact way. The lookalike page was so convincing that Alden himself, a professional malware researcher, said he would have fallen for it.

A fake Homebrew homepage, part of an AMOS/Cuckoo Mac malware campaign.

A fake Homebrew site, part of an AMOS/Cuckoo Mac malware campaign.

Compare for yourself. Would you have guessed correctly which is real, and which is fake?

The real Homebrew site. Ironically, it has a longer, more suspicious-looking install URL.

The real Homebrew site. Ironically, it has a longer, more suspicious-looking install URL.

Interestingly, this is not the first time that malware makers have mimicked Homebrew. In 2020, threat actors used another domain that was similar to that of the real Homebrew site, as part of a typosquatting campaign. Additionally, back in 2017, Mac malware known as Dok used “homebrew” in the filename of one of its LaunchAgents.

Intego discovers new Cuckoo variants

While conducting our own research based on Alden’s findings, Intego discovered that the shell script dropper and the initial Mach-O binary had both changed already from what were originally hosted on the lookalike site, merely hours after Alden’s social media post went live.

The new version of the bash script (the file) only had a minor, insignificant change, possibly to evade rudimentary antivirus protection based on whole-file hashes. The SHA-256 hash for the new variant is 1ea41635116b43afd1e50ed9dec1534699fb1958bd777971dd0fb7bc0ed104ec.

But where things get interesting is the Mach-O binary (the brewinstaller file) distributed through the site.

Of course, it still has the usual infostealer functionality: gathering wallets, passwords, and other sensitive data, and exfiltrating them to the malware maker. But what’s new in the updated sample we discovered is that it adds additional functionality to behave differently if it’s run within a virtual machine. In particular, it checks whether it’s running within a VirtualBox, VMware, or Parallels virtual environment. Most of the time, when an app contains VM detection, it’s to make the app more difficult for reverse engineers or malware analysts to investigate.

One can imagine that perhaps the malware maker might have seen Alden’s blog post, and added the anti-VM capability to make it a little more difficult for malware analysts to pick apart.

This new Cuckoo Mach-O variant that checks whether it’s running within a VM has the SHA-256 hash 513bb09807c9c343fccf7df30f687ea490125745e5ae02177c92efeb514e4b30.

Intego also found several additional new Cuckoo samples through our own threat hunting efforts; see the full list of new hashes in the IOCs section below.

Source of these new Cuckoo infections

Although we haven’t yet definitively confirmed this, it’s likely that the team behind this campaign is up to its usual tricks, including Google Ads poisoning. Threat actors often pay Google for top placement, with sponsored ads disguised as real ads for legitimate software. These ads appear immediately above the actual search results; if you aren’t careful, you could inadvertently visit a malware distribution site instead of landing on the real software developer’s site.

We recommend that everyone get out of the habit of “just Google it” to find legitimate sites. Such habits often include clicking on the first link without giving it much thought, under the assumption that Google won’t lead them astray, and will give them the correct result right at the top. Malware makers know this, of course, and that’s why they’re paying Google for the number-one position.

Until or unless Google does a much better job of vetting its ads, a better practice than “Google it” would be to bookmark trusted sites whenever possible, and to go back to those bookmarks in the future.

How can I keep my Mac safe from Cuckoo and other malware?

If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects these samples as OSX/Amos.ext, OSX/Amos.genOSX/PSW.ext, virus/OSX/AVA.Agent.qtqz, virus/OSX/AVI.Agent.emto, and similar names.

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.

Indicators of compromise (IOCs)

As is typical, some of these samples initially had a very low detection rate on the multi-engine single file scanning site VirusTotal. For the two shell script variants, 0 out of 60+ antivirus engines appeared to detect them. Several other files had fewer than 10 positive detections when first uploaded to VirusTotal.

Following are SHA-256 hashes of malware samples from Homebrew-related and other Cuckoo/AMOS malware campaigns:

* first reported by Intego
**first reported by Intego; added on May 17

The following domains and IP addresses have evidently been used in connection with these Cuckoo/AMOS samples and similar recent campaigns:


Network administrators can check logs to try to identify whether any computers may have attempted to contact one of these domains or IPs in recent weeks, which could indicate a possible infection.

Do security vendors detect this by any other names?

Other antivirus vendors’ names for this malware may include variations of the following:

A Variant Of OSX/PSW.Agent.AN, A Variant Of OSX/PSW.Agent.BI, EmailWorm ( 0040f4c31 ), Gen:Variant.Trojan.MAC.Stealer.29 (B), HEUR:Trojan-PSW.OSX.Amos.gen, HEUR:Trojan-PSW.OSX.Amos.s, HEUR:Trojan-PSW.OSX.Amos.u, InfoStealer/OSX.Agent.160526166, InfoStealer/OSX.Agent.174240, InfoStealer/OSX.Agent.370704, IOS/Agent.AQ, IOS/Agent5.CW, MAC.S.Agent.160526166, MAC/Agent.BI!tr, MAC/Stealer.20!tr, MacOS:Agent-AJQ [Trj], MacOS:Agent-AJR [Trj], MacOS:Agent-ALY [Trj], MacOS/Agent.AQ, MacOS/Agent5.CW, Malware.OSX/AVA.Agent.gours, Malware.OSX/AVA.Agent.qtqzz, Malware.OSX/AVI.Agent.emtoe, Malware.OSX/GM.Agent.LC, Malware.OSX/GM.Agent.RX, Osx.Trojan-QQPass.QQRob.Fkjl, OSX.Trojan.Agent.K8KYBW, OSX.Trojan.Agent.V7M1LN, OSX.Trojan.Agent.Y7B81N, OSX.Trojan.Gen.2, OSX/Agent.BI!tr.pws, OSX/Generic.e, OSX/GM.Agent.LC, OSX/GM.Agent.RX, OSX/PSW.Agent.BI, OSX/PWS-CNU, OSX/PWS-CNV, PossibleThreat, RiskWare:MacOS/Agent.AT, RiskWare:MacOS/Amos.J9OKG, TROJ_FRS.0NA104E724, Trojan:MacOS/Amos.I!MTB, Trojan:MacOS/Cuckoo!MTB, Trojan:MacOS/Multiverze, Trojan.Generic.35766692 (B), Trojan.GenericKD.72696158 (B), Trojan.MAC.Generic.118846 (B), Trojan.OSX.Amos.i!c, Trojan.OSX.Cuckoo, Trojan.OSX.Generic.4!c, Trojan.OSX.Psw, Trojan.OSX.Stealer, Trojan.Trojan.MAC.Stealer.29, Trojan[PSW]/MacOS.Amos, Trojan[stealer]:MacOS/Amos.gyf, Trojan[stealer]:MacOS/Amos.J9OKG, Trojan[stealer]:MacOS/Amos.s, Trojan[stealer]:MacOS/Amos.u, UDS:Trojan-PSW.OSX.Amos.s, Unix.Malware.Macos-10028017-0, Unix.Malware.Macos-10028612-0, Unix.Malware.Macos-10028816-0, Win32.Troj.Undef.a

How can I learn more?

You can read Alden’s X social media thread and personal blog post for more about the original variant of the Homebrew-lookalike Trojan horse. For more about the first AMOS malware variant that was identified as Cuckoo, you can read the writeup by Adam Kohler and Christopher Lopez.

Be sure to also check out our 2024 Apple malware forecast and our previous Mac malware articles from 2024 and earlier.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on X/Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →