Odyssey Stealer compromised in over 100 international locations, focusing on over 16 crypto pockets apps on macOS

  • Odyssey Stealer targets macOS customers in over 100 international locations.
  • The malware steals knowledge from over 16 desktop cryptocurrency wallets, together with Electrum, Exodus, and extra.
  • Attackers use faux Apple App Retailer pages and ClickFix strategies to trick victims.

A brand new wave of Odyssey Stealer malware is focusing on macOS customers in additional than 100 international locations, in keeping with safety researchers at Moonlock Lab. The newest model is constructed to steal passwords, browser knowledge, cryptocurrency wallets, cloud credentials, and developer recordsdata whereas sustaining long-term entry to contaminated gadgets.

Researchers stated the malware has developed past easy credential theft. As soon as put in, it may substitute the legit cryptocurrency pockets software with a modified model designed to seize pockets credentials and transaction info.

The marketing campaign primarily targets customers inquisitive about cryptocurrencies and finance via faux web sites that mimic trusted platforms and software program obtain pages.

Targets pockets, browser, and developer credentials

This malware steals login credentials, cookies, and autofill knowledge from main browsers together with Chrome, Courageous, Microsoft Edge, Vivaldi, Opera, Arc, Firefox, and Waterfox.

For cryptocurrency customers, Odyssey searches for pockets recordsdata from over 16 desktop pockets functions, together with Electrum, Exodus, Ledger Dwell, Trezor Suite, Bitcoin Core, Litecoin Core, Sprint Core, and Monero, whereas concurrently scanning almost 300 cryptocurrency browser extension IDs for pockets knowledge and personal keys.

Along with crypto property, the malware collects SSH keys, Apple keychain databases, Telegram and Discord knowledge, FileZilla credentials, system historical past, and configuration recordsdata for AWS, Google Cloud, Microsoft Azure, and Docker. It additionally makes an attempt to acquire the consumer’s native macOS password utilizing the built-in dscl authentication device.

In keeping with malware evaluation shared by Moonlock Lab, the contaminated system establishes communication with the first command and management (C2) server at 165(.)245.215.18, with rahtam(.)com appearing as a fallback and scubin(.)com delivering a second stage payload containing a Trojanized pockets software.

Pretend apps and ClickFix strategies facilitate infections

Safety researchers say Odyssey is often delivered via the ClickFix assault approach. Victims are redirected to faux web sites that carefully resemble the Apple App Retailer, crypto information platforms, and monetary companies.

These pages show a faux Cloudflare validation display that instructs macOS customers to repeat and paste instructions into Terminal. As a substitute of finishing validation checks, this command downloads and runs an AppleScript that installs malware.

This script creates a persistent LaunchDaemon service that permits Odyssey to outlive system reboots and constantly talk with attacker-controlled servers.

The malware additionally shows a faux password immediate to acquire the consumer’s macOS password. As soon as verified, it copies the keychain file, browser database, pockets file, and private paperwork, then compresses every part right into a ZIP archive and uploads it to the command server.

If the add fails, it would mechanically retry a number of occasions to make sure that the stolen knowledge is delivered. Researchers additionally discovered that the malware was stealing recordsdata reminiscent of TXT, PDF, DOCX, JPG, PNG, RTF, and KeePass database (.kdbx) recordsdata from the desktop and paperwork folders.

Operation of Malware-as-a-Service

Safety corporations SOC Prime and CYFIRMA describe Odyssey as a Malware-as-a-Service (MaaS) platform. Associates can lease entry to a central administration panel to trace contaminated gadgets, handle stolen credentials, construct custom-made malware variations, and recuperate hijacked browser periods utilizing stolen cookies.

Investigators linked a number of Odyssey management panels to infrastructure hosted primarily in Russia. Menace researchers consider that Odyssey is a rebranded model of Poseidon Stealer, which itself comes from the AMOS Stealer malware household.

The operation primarily targets customers in the USA and Europe, and primarily avoids victims within the Commonwealth of Impartial States (CIS) international locations. It is a widespread sample amongst Russian-speaking cybercrime teams.

Associated: Slowmist broadcasts 182 blockchain safety points within the first half of 2026

Disclaimer: The knowledge contained on this article is for informational and academic functions solely. This text doesn’t represent monetary recommendation or recommendation of any form. Coin Version isn’t liable for any losses incurred on account of the usage of the content material, merchandise, or companies talked about. We encourage our readers to do their due diligence earlier than taking any motion associated to our firm.