![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2025\/01\/OSX-Cuckoo-Mac-macOS-malware-logo-v4-600x300-1.jpg\"){kind=logo}
<\/p>\n<\/p>\n
Over the past couple years, we’ve written a lot about stealer malware that infects Macs<\/a>. One malware family that frequently resurfaces is Atomic Stealer<\/strong>, or AMOS<\/strong> (short for Atomic macOS Stealer). AMOS is designed to exfiltrate sensitive data from infected Macs; this typically includes things like saved passwords, cookies, autofill text, and cryptocurrency wallets. A sub-variant known as Cuckoo<\/strong> first appeared in May 2024.<\/p>\n Just like last year, Cuckoo has been spreading in January 2025 via elaborate campaigns, leveraging malicious but legitimate-looking Google Ads that redirect to lookalike homepages with Trojan downloads. Here’s everything you need to know about the latest Cuckoo variants, and how to stay protected.<\/p>\n In this article:<\/em><\/p>\n Atomic macOS Stealer (AMOS, or AtomicStealer) first surfaced<\/a> in late April 2023. At the time, a threat actor began selling it via Telegram as malware as a service<\/strong>, licensable for $1,000 per month. Since then, we’ve seen a plethora of AMOS variants<\/a> emerge.<\/p>\n Most often, AMOS malware is distributed through malicious Google Ads campaigns. These poisoned Google ads appear at the top of search results, where many people will see and click on them. In some cases, the ads are virtually indistinguishable from legitimate Google Ads run by the real software companies they mimic.<\/p>\n Some antivirus companies dubbed a particular sub-class of AMOS variants “Cuckoo.” Back in May 2024, we wrote about Cuckoo variants that were spreading via poisoned Google Ads that look like they redirect to the real Homebrew homepage, but in fact led to malware distribution sites.<\/p>\n On January 9, 2025, a malware researcher noted<\/a> that Homebrew was back with a new lookalike homepage.<\/p>\n Cuckoo is back with another fake homebrew website — Gr\u00e9goire Clermont (@gregclermont) January 9, 2025<\/a><\/p><\/blockquote>\n\n
A brief history of Cuckoo Mac malware<\/h3>\n
Yet another Cuckoo variant emerges<\/strong><\/h4>\n
\n
brewmacos[.]com
C2: 185.62.56[.]131@birchb0y<\/a> @AdamJKohler<\/a> @L0Psec<\/a> @IntegoSecurity<\/a><\/p>\n