Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

Medium
Published: Thu Jul 17 2025 (07/17/2025, 16:36:09 UTC)
Source: AlienVault OTX General

Description

A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browser information, and cryptocurrency wallet contents. The stealer now includes a second-stage payload that establishes persistence and communicates with a command-and-control server. Notable features include dynamic command execution, network tunneling capabilities, and self-termination mechanisms. The malware also employs anti-analysis techniques to evade researchers. Multiple signed and notarized samples have been identified in the wild, indicating an evolution in the threat actor's tactics.

AI-Powered Analysis

Last updated: 07/17/2025, 20:16:39 UTC

Technical Analysis

The Odyssey Stealer is a sophisticated macOS infostealer malware that has evolved significantly in its latest variant. This new version incorporates advanced techniques such as code signing and notarization, which allow it to bypass macOS security mechanisms and appear as legitimate software. The malware masquerades as a Google Meet updater, leveraging social engineering through a SwiftUI-based 'Technician Panel' interface to deceive victims into executing it. Once active, the stealer harvests a wide range of sensitive information including stored passwords, browser data, and cryptocurrency wallet contents. It deploys a second-stage payload that establishes persistence on the infected system and maintains communication with a command-and-control (C2) server. Key technical features include dynamic command execution enabling flexible attacker control, network tunneling capabilities that can facilitate covert data exfiltration or lateral movement, and self-termination mechanisms to evade detection and analysis. The malware also employs anti-analysis techniques to hinder reverse engineering and forensic investigation. Multiple samples have been found signed and notarized, indicating a deliberate effort by threat actors to evade macOS security protections and increase infection success rates. The campaign does not currently have known exploits in the wild but demonstrates a medium severity threat due to its data theft capabilities and persistence mechanisms.

Potential Impact

For European organizations, the Odyssey Stealer poses a significant risk especially to those using macOS systems, which are increasingly common in sectors such as technology, finance, and creative industries. The theft of passwords and browser data can lead to credential compromise, enabling attackers to pivot into corporate networks or access sensitive cloud services. The targeting of cryptocurrency wallets is particularly relevant for fintech firms and individuals involved in digital asset management. The persistence and backdoor capabilities mean that once infected, systems may remain compromised for extended periods, facilitating ongoing espionage or data theft. The use of signed and notarized malware increases the likelihood of successful infection, potentially bypassing endpoint protections and user suspicion. Given the malware’s ability to tunnel network traffic, it could also be used to bypass network monitoring controls, complicating detection efforts. This threat could disrupt business operations, cause financial losses, and damage reputations if sensitive data is exfiltrated or accounts are hijacked.

Mitigation Recommendations

European organizations should implement a layered defense strategy tailored to macOS environments. Specific recommendations include:
1) Enforce strict application whitelisting policies that verify both code signatures and notarization status, and also monitor for unusual notarized binaries, especially those mimicking legitimate updaters.
2) Deploy endpoint detection and response (EDR) solutions with macOS support that can detect behavioral indicators such as dynamic command execution, network tunneling, and persistence mechanisms.
3) Educate users on the risks of social engineering, particularly unexpected software updates or technician prompts, emphasizing verification through official channels.
4) Regularly audit and restrict access to sensitive data such as password stores and cryptocurrency wallets, employing multi-factor authentication and hardware security modules where possible.
5) Monitor network traffic for anomalies indicative of tunneling or C2 communications, including connections to suspicious domains such as the identified "allteching.xyz".
6) Maintain up-to-date backups and incident response plans that include macOS-specific scenarios.
7) Enable macOS security features such as System Integrity Protection (SIP) and Gatekeeper with strict settings to limit unauthorized code execution.
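As an added example (not code from the report or from Jamf), the checker below covers recommendations 1 and 5: it parses the key=value output of codesign -dvv and spctl -a -vv to flag a binary that is notarized yet signed by a team other than the one the vendor named in its filename is known to use, and it matches DNS log lines against the report's domain indicator with label-boundary matching. The vendor Team ID, the sample tool outputs and the log lines are constructed placeholders.

```python
import re

# Team IDs come from the vendor's published signing identity; the value here
# is a constructed placeholder, not Google's real Team ID.
VENDOR_TEAMS = {"googlemeet": {"PLACEHOLDER_VENDOR_TEAM_ID"}}
IOC_DOMAINS = {"allteching.xyz"}  # domain indicator from this report

# Constructed sample outputs in the line format codesign -dvv / spctl -a -vv
# print; they are not real Odyssey samples.
MEET_CODESIGN = ("Identifier=com.example.meetupdate\n"
                 "Authority=Developer ID Application: Example Co (ZZZZ000000)\n"
                 "TeamIdentifier=ZZZZ000000\n")
MEET_SPCTL = ("/tmp/GoogleMeetUpdater.app: accepted\n"
              "source=Notarized Developer ID\n"
              "origin=Developer ID Application: Example Co (ZZZZ000000)\n")

def parse_kv(output: str) -> dict:
    """Collect key=value lines; repeated keys (Authority=...) become lists."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z ]+)=(.*)$", line.strip())
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def assess(binary_name: str, codesign_out: str, spctl_out: str) -> list:
    """Findings for one binary; [] means signed, notarized and team-consistent."""
    findings = []
    team = parse_kv(codesign_out).get("TeamIdentifier", [None])[0]
    if team in (None, "not set"):  # codesign prints 'not set' for ad-hoc
        findings.append("unsigned or ad-hoc signed")
    sources = parse_kv(spctl_out).get("source", [])
    if not any(s.startswith("Notarized") for s in sources):
        findings.append("not notarized")
    # Notarized but named like a vendor updater and signed by another team:
    # the 'unusual notarized binary' the recommendations ask to monitor for.
    name = re.sub(r"[^a-z0-9]", "", binary_name.lower())
    for product, teams in VENDOR_TEAMS.items():
        if product in name and team not in teams:
            findings.append(f"claims to be {product!r} but TeamIdentifier={team}")
    return findings

def domain_hits(log_lines) -> list:
    """Query names equal to or under an IoC domain (notallteching.xyz is not a hit)."""
    hits = []
    for line in log_lines:
        for name in re.findall(r"([a-z0-9.-]+\.[a-z]{2,})", line.lower()):
            if any(name == d or name.endswith("." + d) for d in IOC_DOMAINS):
                hits.append(name)
    return hits
```

On a real host the two strings would come from `codesign -dvv` (stderr) and `spctl -a -vv -t execute` run on the bundle; the name-to-team table must be populated from the vendor's own documentation.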

Technical Details

Author
AlienVault
Tlp
white
References
https://www.jamf.com/blog/signed-and-stealing-uncovering-new-insights-on-odyssey-infostealer
Adversary
null
Pulse Id
68792679d13c814d91c9c973
Threat Score
null

Indicators of Compromise

Hash


Domain

allteching.xyz

Threat ID: 68795693a83201eaace88a35

Added to database: 7/17/2025, 8:01:23 PM

Last enriched: 7/17/2025, 8:16:39 PM

Last updated: 7/17/2025, 8:30:58 PM
