Hackers Weaponize Fake Microsoft Teams Site to Deploy Odyssey macOS Stealer

A sophisticated cyber campaign is targeting macOS users by distributing the potent “Odyssey” information stealer through a deceptive website impersonating the official Microsoft Teams download page.

The attack, identified by researchers at CloudSEK’s TRIAD, leverages a social engineering technique known as a “Clickfix” attack to trick victims into executing malicious code that systematically harvests sensitive data, establishes long-term persistence, and even replaces legitimate cryptocurrency applications with trojanized versions.

This campaign represents a tactical evolution from a similar attack reported by Forcepoint in early August 2025, where threat actors used a fake TradingView site to deliver the same malware.

By shifting their lure to a trusted enterprise application like Microsoft Teams, the attackers are widening their net to ensnare a broader range of victims.

The attack begins when a user lands on a fraudulent webpage designed to look like a Microsoft security verification page for Teams. The page instructs the user to resolve a supposed “Unusual Web Traffic” issue by copying a command and pasting it into their macOS Terminal.

Fake Teams site

While the page displays a seemingly harmless command, the “Copy” button actually places a malicious, base64-encoded AppleScript payload onto the user’s clipboard. When an unsuspecting user executes this command, they unwittingly launch the Odyssey stealer.
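The defensive counterpart to the clipboard trick described above is to look at what was actually copied before it reaches Terminal. This is an added example, not code from the article or from CloudSEK: it scans a command string for the ClickFix pattern (encoded data decoded on the fly and fed to an interpreter such as osascript) and prints what any base64 blob decodes to. The function names and the base64-token heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or CloudSEK): inspect a command copied
# from a web page before it goes into Terminal. It looks for the ClickFix
# pattern described above, encoded data decoded on the fly and fed to an
# interpreter such as osascript, and prints what the blob decodes to.

# decode_b64_tokens CMD: decode every base64-looking token (20+ chars) in CMD.
decode_b64_tokens() {
    printf '%s\n' "$1" | grep -oE '[A-Za-z0-9+/]{20,}={0,2}' |
    while IFS= read -r tok; do
        # --decode is accepted by both GNU and macOS base64
        printf '%s\n' "$tok" | base64 --decode 2>/dev/null || true
        echo
    done
}

# check_pasted_command CMD
# Returns 0 (flagged) and prints the decoded content when CMD both decodes
# hidden data and hands it to an interpreter; returns 1 otherwise.
check_pasted_command() {
    cmd=$1
    if printf '%s' "$cmd" | grep -qE 'base64|xxd -r|openssl (enc|base64)' &&
       printf '%s' "$cmd" | grep -qE 'osascript|bash|zsh|/bin/sh|python|perl'
    then
        echo "WARNING: this command decodes hidden data and passes it to an interpreter"
        echo "Decoded content:"
        decode_b64_tokens "$cmd"
        return 0
    fi
    return 1
}

# On macOS, check whatever the page's "Copy" button placed on the clipboard:
#   check_pasted_command "$(pbpaste)"
```

Run it against `pbpaste` output on a Mac; a flagged result with an AppleScript body that prompts for a password is exactly the lure this article describes.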

Odyssey’s Malicious Payload

Once active, the malware initiates a multi-stage process to compromise the system thoroughly:

  1. Credential Theft: The script first attempts to gain the user’s password by presenting a fake dialog box that reads, “Required Application Helper. Please enter device password to continue.” It relentlessly prompts the user until the correct password is provided. This password is then used to access and steal the macOS login keychain and the Chrome browser’s keychain.
  2. Widespread Data Collection: Odyssey conducts a comprehensive sweep of the infected machine, collecting a vast array of personal and financial information. This includes:
    • Apple Ecosystem: It extracts the entire Apple Notes database, including attachments, along with Safari browser data like cookies and saved form values.
    • Browser Artifacts: The malware targets Chromium-based browsers (Chrome, Edge, Brave, Opera) and Firefox-based browsers, stealing cookies, web data, and saved logins. It also specifically hunts for data from a long list of browser extensions, focusing on password managers and crypto wallets like MetaMask.
    • Cryptocurrency Wallets: It recursively copies data from numerous desktop cryptocurrency wallets, including Electrum, Exodus, Atomic, Wasabi, Ledger Live, and Trezor Suite.
    • Personal Files: The stealer searches the user’s Desktop and Documents folders for files with extensions like .txt, .pdf, .doc, .wallet, and .key, bundling up to 10MB of these files for exfiltration.
  3. Exfiltration: All harvested data is compressed into a single archive file named out.zip in a temporary directory. This file is then sent to a command-and-control (C2) server located at the IP address 185.93.89.62. The same server hosts the login panel for the Odyssey stealer toolkit.
  4. Persistence and Tampering: To ensure long-term access, Odyssey creates a LaunchDaemon, a service that runs automatically at startup. Using the previously stolen password for administrator privileges, it installs this backdoor. In a particularly brazen move, the malware kills the legitimate Ledger Live application process, deletes the app, and replaces it with a trojanized version downloaded from the C2 server, giving attackers direct control over the user’s crypto hardware wallet interactions.

Malware login page

Mitigations

The consequences for victims are severe, ranging from credential theft and data breaches to significant financial losses from compromised cryptocurrency wallets. The persistence mechanism means that even after a one-time data theft, the system remains compromised and vulnerable to further attacks.

To defend against this threat, security experts recommend the following measures:

  • Network Monitoring: Block traffic to the known C2 IP address (185.93.89[.]62) and monitor for unusual outbound POST requests containing large zip files.
  • Endpoint Security: Regularly audit /Library/LaunchDaemons/ for suspicious files and look for recent, unexpected osascript executions.
  • User Vigilance: Exercise extreme caution when websites request that you run commands in the Terminal. Verify the authenticity of download pages before proceeding.
  • Incident Response: If an infection is suspected, immediately reset all critical passwords (Apple ID, email, banking, crypto wallets) from a clean system. Remove the trojanized Ledger Live application and consider a full system wipe and rebuild to ensure complete removal of the malware.
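The Endpoint Security item above can be turned into a repeatable check. The following is an added example, not code from the article or from CloudSEK: it lists recently modified plists in a LaunchDaemons directory whose contents reference the tooling this chain uses (osascript, base64 decoding, curl, staging under /tmp, the out.zip archive), and wraps the unified-log query for osascript activity. The function names, the term list and the 7-day window are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the article or CloudSEK): audit a LaunchDaemons
# directory for recently modified property lists whose contents reference
# tools the Odyssey chain relies on (osascript, base64 decoding, curl,
# staging under /tmp, the out.zip archive). On a macOS host run:
#   audit_launchdaemons /Library/LaunchDaemons 7

SUSPECT_RE='osascript|base64|curl|/tmp/|out\.zip'

# audit_launchdaemons DIR [DAYS]
# Prints "<plist path> <matched terms>" for each hit.
# Returns 0 when at least one plist is flagged, 1 when none is.
audit_launchdaemons() {
    dir=$1
    days=${2:-7}
    list=$(mktemp)
    # -mtime -N selects files modified within the last N days (GNU and BSD find)
    find "$dir" -maxdepth 1 -name '*.plist' -mtime -"$days" > "$list" 2>/dev/null
    hits=0
    while IFS= read -r f; do
        if head -c 6 "$f" | grep -q '^bplist'; then
            # Binary plist: convert to XML with plutil (macOS); skipped elsewhere
            body=''
            if command -v plutil >/dev/null 2>&1; then
                body=$(plutil -convert xml1 -o - "$f" 2>/dev/null || true)
            fi
        else
            body=$(cat "$f")
        fi
        terms=$(printf '%s\n' "$body" | grep -oE "$SUSPECT_RE" | sort -u | tr '\n' ' ')
        if [ -n "$terms" ]; then
            printf '%s %s\n' "$f" "$terms"
            hits=$((hits + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$hits" -gt 0 ]
}

# recent_osascript_runs [WINDOW]  (macOS only; reads the unified log)
# Lists osascript activity in the last WINDOW (default 1d), the other
# hunting lead the article gives for this chain.
recent_osascript_runs() {
    command -v log >/dev/null 2>&1 || { echo "unified log unavailable" >&2; return 1; }
    log show --last "${1:-1d}" --style compact --predicate 'process == "osascript"'
}
```

A hit is a lead, not a verdict: open the flagged plist, check who owns it and when it appeared, and compare its program path against what is actually installed.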


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.