top of page
OutSystems-business-transformation-with-gen-ai-ad-300x600.jpg
OutSystems-business-transformation-with-gen-ai-ad-728x90.jpg
TechNewsHub_Strip_v1.jpg

LATEST NEWS

Security researchers warn against Odyssey Infostealer targeting macOS users for crypto theft

  • Marijan Hassan - Tech Journalist
  • 18 hours ago
  • 3 min read

In yet another reminder, reminder that Apple hardware is no longer a safe haven from highly specialized cybercrime, security researchers have exposed a massive global campaign deploying the Odyssey Stealer malware. The sophisticated information-stealer has silently infiltrated macOS devices across more than 100 countries, explicitly weaponizing a targeted layout designed to raid session cookies, system keychains, and over 300 unique cryptocurrency browser extensions and desktop wallets.


Editorial credit: gguy / Shutterstock
Editorial credit: gguy / Shutterstock

The wide-reaching operation represents a major technical evolution in the macOS Malware-as-a-Service (MaaS) landscape. According to emerging threat telemetry from cybersecurity groups, Odyssey is a highly optimized rebrand of Poseidon Stealer, which itself was originally built as a custom fork of the infamous Atomic macOS Stealer (AMOS).


Developed by a prominent cybercriminal actor known under the alias "Rodrigo4," the upgraded Odyssey strain has been engineered specifically to bypass recent operating system security defenses


Weaponizing Human Trust via 'ClickFix' Lures

Rather than exploiting deep zero-day vulnerabilities in Apple’s underlying kernel code, the threat actors behind the campaign rely on a highly effective psychological social engineering technique known as ClickFix.


Victims are typically lured to compromised domains or typosquatted websites masquerading as legitimate financial hubs, cryptocurrency news aggregators, or fake blockades. The attack sequence unfolds through a highly calculated flow:

  • The Fake Blockade: The malicious page drops a realistic, fake dialogue box claiming the user needs to update their browser or verify they are human.

  • The Terminal Lure: The page instructs the victim to press Command + Space to open their native Terminal application, providing a prominent "Copy Code" button.

  • The Paste-and-Run Bypass: When the victim pastes the copied payload into Terminal, they unknowingly execute a heavily obfuscated Base64 command that completely circumvents Apple's native Gatekeeper security controls.


Once active in the background, the script drops a secondary, multi-layered AppleScript engine that immediately launches a fake system prompt to capture the user's administrative password, allowing the malware to seamlessly decrypt the local macOS Keychain database.


Raiding the Crypto Architecture

With administrative privileges secured, Odyssey acts as a precise digital vacuum. The malware generates a temporary staging directory on the local system and scans all installed browser profiles across Chrome, Brave, Microsoft Edge, Opera, and Firefox.


The primary target of this digital dragnet is the browser extension directory. Odyssey is pre-programmed to recognize and systematically copy the private keys, seed phrases, and credential storage paths of over 300 decentralized crypto wallet extensions, including industry standards like MetaMask, Coinbase Wallet, and Phantom.


Concurrently, the malware sweeps through local desktop directories to steal data from standalone wallet applications like Electrum, Exodus, and Coinomi, while deploying trojanized clones of hardware companion apps like Ledger Live to intercept ongoing live transactions.


A Geopolitically Focused Quarantine

Once the data harvesting loop concludes, Odyssey packages the collected keychains, browser cookies, autofill text fields, and wallet databases into a compressed archive. The malware then utilizes macOS’s native communication utilities to quietly exfiltrate the stolen bounty back to an external command-and-control (C2) server monitored by the primary attackers.


A granular code analysis reveals a definitive geopolitical strategy guiding the campaign's deployment. The telemetry logs indicate that Odyssey’s distribution networks focus heavily on targeting individual developers, security specialists, and high-value cryptocurrency investors situated across Western markets, specifically the United States and the European Union.


Conversely, the malware’s internal configuration contains strict exclusion zones that automatically terminate execution if the host system’s regional parameters or IP addresses are linked to CIS (Commonwealth of Independent States) nations, matching behavioral patterns widely associated with Eastern European cybercriminal syndicates.

wasabi.png
Gamma_300x600.jpg
paypal.png
bottom of page