New Wave of Odyssey Stealer Targets macOS Users in Active Cyberattack Campaign


A significant surge in Odyssey Stealer activity is currently targeting macOS users across multiple continents, with recent telemetry data revealing a dramatic geographic expansion of this sophisticated information-stealing campaign.

Security researchers have observed newly updated malware samples spreading rapidly beyond their initial focus areas, now affecting users in the United Kingdom, Germany, Italy, Canada, Brazil, India, and multiple countries across Africa and Asia, in addition to the United States, France, and Spain, where activity was first detected.

The malware primarily targets users in Western countries while conspicuously avoiding victims in CIS nations, a characteristic pattern often associated with Russian-aligned cybercriminal groups.

Odyssey Stealer represents the latest evolution in macOS-targeting malware, emerging as a rebranded version of Poseidon Stealer, which itself originated as a fork of the AMOS Stealer.

Following the sale of Poseidon Stealer in fall 2024, its developer “Rodrigo4” relaunched the operation under the Odyssey name with significantly enhanced capabilities designed to evade detection and ensure persistence on compromised systems.

Distribution Methods

Threat actors deploy Odyssey Stealer through sophisticated social engineering tactics, most notably using fake CAPTCHA verification pages that employ the “ClickFix” technique.

When victims visit compromised websites impersonating legitimate software downloads like Microsoft Teams, Homebrew, or Ledger Live, they encounter fake CAPTCHA pages that check the operating system before presenting malicious instructions.

Once executed, Odyssey Stealer performs comprehensive data theft across multiple categories.

The malware harvests cryptocurrency wallet data from platforms including Tron, Electrum, and Binance, extracts browser credentials, cookies, and login information from Chrome, Firefox, and Safari, and targets over 100 browser extensions.

It also steals macOS Keychain passwords, payment information, browsing history, autofill data, and files from Desktop and Documents folders with extensions including .txt, .pdf, .docx, .jpg, .png, .rtf, and .kdbx.

Persistence and Exfiltration

The malware establishes persistence through LaunchDaemons with randomly generated names such as com.{random}.plist, ensuring it survives system reboots.

The attack prompts users to copy and execute base64-encoded commands in their terminal, which decode and run malicious AppleScript that installs the stealer without dropping traditional binary files.

Advanced variants include a SwiftUI-based “Technician Panel” that uses social engineering to trick users into providing passwords under the guise of tech support.

Stolen data is compressed into a file named “out.zip” within a temporary directory, then exfiltrated to command-and-control servers via curl POST requests.

If the initial upload fails, the malware silently retries up to 10 times with 60-second delays between attempts, ensuring persistent delivery even if the connection is temporarily blocked.

After successful exfiltration, the script removes temporary directories and zip files to eliminate traces of activity, making forensic analysis difficult.
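A defender-side triage check for the persistence mechanism described above (a LaunchDaemon with a random com.{random} label whose program decodes base64 and pipes it into osascript), added here as an example and not code from the article or from any vendor. The label regex and the argument patterns are heuristics of my own, and both sample plists are constructed rather than taken from the campaign.

```python
import plistlib
import re
from pathlib import Path

# Heuristics from the behaviour described above: a random-looking com.{random} label
# (letters and digits mixed in one token) and a loader that decodes base64 into osascript.
RANDOM_LABEL = re.compile(r"^com\.(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{6,}$")
SUSPICIOUS_ARGS = [
    (re.compile(r"base64\s+-[dD]\b"), "decodes base64 at launch"),
    (re.compile(r"\bosascript\b"), "pipes script into osascript"),
    (re.compile(r"(^|\s)(/tmp|/var/folders)/"), "program lives in a temp path"),
]

def triage_plist(data: bytes) -> dict:
    """Parse one launchd plist and report why (if at all) it looks suspicious."""
    plist = plistlib.loads(data)
    label = re.sub(r"\.plist$", "", str(plist.get("Label", "")))
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    cmdline = " ".join(str(a) for a in args)
    reasons = []
    if RANDOM_LABEL.match(label):
        reasons.append("random-looking com.{random} label")
    for pattern, why in SUSPICIOUS_ARGS:
        if pattern.search(cmdline):
            reasons.append(why)
    return {"label": label, "suspicious": bool(reasons), "reasons": reasons}

def scan_directory(directory: str = "/Library/LaunchDaemons") -> list:
    """Triage every *.plist in a launchd directory; returns (filename, result) for hits."""
    hits = []
    for path in sorted(Path(directory).glob("*.plist")):
        result = triage_plist(path.read_bytes())
        if result["suspicious"]:
            hits.append((path.name, result))
    return hits

# Constructed sample plists for offline testing (not samples from the campaign).
BENIGN = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.apple.backupd-helper</string>
<key>ProgramArguments</key><array><string>/usr/libexec/backupd-helper</string></array>
</dict></plist>"""
SUSPECT = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.x7kq2mz9</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>echo BASE64_PAYLOAD_PLACEHOLDER | base64 -d | osascript</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(triage_plist(sample))
```

Run `scan_directory()` on a live Mac to list hits; a benign label with mixed letters and digits will trip the heuristic, so treat the output as a hunting lead rather than a verdict.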

The Odyssey operation features a sophisticated control panel that allows threat actors to view infected devices with details like IP addresses and online status, store stolen passwords, cookies, and cryptocurrency wallets in organized logs, and create custom malware versions for different targets using a builder function.

Some infrastructure has been identified, including C2 IP addresses such as 45.46.130[.]131, which hosts the Odyssey Stealer login panel for attackers to access harvested data.
