Odyssey Stealer Malware Attacks macOS Users
A phishing campaign targeting macOS users employs a ClickFix technique to deliver the Odyssey Stealer malware. The attack uses a fake CAPTCHA verification page that executes without dropping a binary on the system. When users follow the instructions, they unknowingly execute a malicious AppleScript that collects sensitive data, including crypto wallet information, browser extensions, cookies, saved keychains, usernames, and passwords. The script creates a ZIP archive of the stolen data and exfiltrates it to a command and control server. This sophisticated attack blends phishing and social engineering to bypass traditional detection methods, making it challenging to detect and analyze.
AI Analysis
Technical Summary
The Odyssey Stealer malware campaign targets macOS users through a sophisticated phishing attack leveraging a ClickFix technique. Instead of deploying a traditional binary, the attack uses a fake CAPTCHA verification page designed to trick users into executing a malicious AppleScript. This script stealthily collects a wide range of sensitive data from the victim's system, including cryptocurrency wallet information, browser extensions, cookies, saved keychains, usernames, and passwords. The stolen data is then compressed into a ZIP archive and exfiltrated to a command and control server controlled by the attackers. The use of AppleScript allows the malware to bypass many traditional detection mechanisms since it does not drop a conventional executable file. The attack blends social engineering with technical evasion techniques, making it challenging to detect and analyze.

Indicators of compromise include specific file hashes, IP addresses (45.146.130.131 and 45.46.130.131), and the domain tradingviewen.com, which are linked to the command and control infrastructure.

The campaign is tagged with multiple MITRE ATT&CK techniques:
- T1056.001 (Input Capture: Keylogging)
- T1074.001 (Data Staged: Local Data Staging)
- T1553.001 (Subvert Trust Controls: Code Signing)
- T1530 (Data from Cloud Storage)
- T1059.002 (Command and Scripting Interpreter: AppleScript)
- T1005 (Data from Local System)
- T1555 (Credentials from Password Stores)
- T1555.003 (Credentials from Keychain)
- T1217 (Browser Bookmark Discovery)
- T1204 (User Execution)
- T1566 (Phishing)
- T1027 (Obfuscated Files or Information)
- T1570 (Exfiltration Over Web Service)
- T1070.004 (Indicator Removal on Host: File Deletion)
- T1071.001 (Application Layer Protocol: Web Protocols)

No known exploits in the wild or specific threat actors have been identified yet, but the campaign's medium severity rating reflects its potential impact and sophistication.
Potential Impact
European organizations with macOS users are at risk of credential theft, loss of sensitive personal and corporate information, and compromise of cryptocurrency wallets. The theft of saved keychains and browser credentials can lead to further lateral movement within corporate networks, unauthorized access to cloud services, and financial fraud. The stealthy nature of the attack, which avoids dropping binaries, complicates detection and response efforts, increasing the risk of prolonged undetected breaches. Organizations involved in finance, cryptocurrency trading, and those with remote macOS users are particularly vulnerable. The campaign's use of social engineering increases the likelihood of successful compromise, potentially leading to data breaches, reputational damage, and regulatory penalties under GDPR if personal data is exposed.
Mitigation Recommendations
1. Implement advanced email filtering and phishing detection solutions tailored to identify social engineering and phishing campaigns targeting macOS users.
2. Educate macOS users about the risks of executing scripts or following instructions on suspicious CAPTCHA or verification pages, emphasizing caution with unexpected prompts.
3. Enforce strict execution policies on macOS endpoints to restrict or monitor AppleScript execution, including the use of Endpoint Detection and Response (EDR) tools capable of detecting suspicious scripting activity.
4. Regularly audit and limit access to sensitive data such as keychains and crypto wallets, employing multi-factor authentication (MFA) and hardware security modules (HSM) where possible.
5. Monitor network traffic for unusual data exfiltration patterns, particularly connections to known malicious IPs and domains like those identified in this campaign.
6. Deploy application whitelisting and behavioral analytics to detect obfuscated or anomalous script execution.
7. Maintain up-to-date backups and incident response plans specifically addressing macOS threats.
8. Collaborate with threat intelligence providers to stay informed about emerging indicators and tactics related to Odyssey Stealer and similar threats.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland
Indicators of Compromise
- hash: 43917e7dab6e09087de24f7878b9c1c1a7ec1968
- ip: 45.146.130.131
- ip: 45.46.130.131
- domain: tradingviewen.com
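As an added example, not code from the report or from Forcepoint, the following Python rule implements mitigation item 5 together with the endpoint-monitoring idea in item 3: it matches the indicator list above against telemetry and raises a high-confidence alert only when the chain described in the technical summary (AppleScript execution, ZIP staging, then contact with the C2 infrastructure) appears on one host within a short window. The log format, host names and timestamps are constructed for the example.

```python
"""Correlate Odyssey Stealer-style activity: osascript run, ZIP staged,
then an outbound contact with the listed C2 IPs/domain."""
import re
from datetime import datetime, timedelta

# Indicators taken from the report's IoC list (the hash is not a network IoC).
C2_IOCS = {"45.146.130.131", "45.46.130.131", "tradingviewen.com"}

# Constructed sample telemetry, not real logs: "<ts> <host> <kind> <detail>".
SAMPLE_LOG = """\
2025-08-07T21:10:02 mac-01 process /usr/bin/osascript -e <script body omitted>
2025-08-07T21:10:09 mac-01 file_create /tmp/out.zip
2025-08-07T21:10:11 mac-01 net_connect 45.146.130.131:443
2025-08-07T21:12:40 mac-02 net_connect 93.184.216.34:443
2025-08-07T21:13:05 mac-03 dns tradingviewen.com
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse(log):
    """Turn log text into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, kind, detail = m.groups()
            events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def ioc_hit(detail):
    """True when a known C2 IP or domain appears in the event detail."""
    return any(ioc in detail for ioc in C2_IOCS)


def correlate(events, window=timedelta(minutes=5)):
    """Return {host: severity}: 'high' when osascript -> .zip -> C2 contact
    all occur in order within the window, 'medium' for a lone IoC contact."""
    alerts, by_host = {}, {}
    for ev in sorted(events):
        by_host.setdefault(ev[1], []).append(ev)
    for host, evs in by_host.items():
        script_ts = zip_ts = None
        for ts, _, kind, detail in evs:
            if kind == "process" and "osascript" in detail:
                script_ts = ts
            elif kind == "file_create" and detail.lower().endswith(".zip"):
                zip_ts = ts
            elif kind in ("net_connect", "dns") and ioc_hit(detail):
                if script_ts and zip_ts and script_ts <= zip_ts <= ts <= script_ts + window:
                    alerts[host] = "high"
                else:
                    alerts.setdefault(host, "medium")
    return alerts
```

Running `correlate(parse(SAMPLE_LOG))` flags mac-01 as high and mac-03 as medium; mac-02, which only contacted an unrelated address, is not reported.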
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.forcepoint.com/blog/x-labs/odyssey-stealer-attacks-macos-users
- Adversary: not specified
- Pulse ID: 68951749fda95619a21de94a
- Threat Score: not specified
Threat ID: 68951b7cad5a09ad00fd30de
Added to database: 8/7/2025, 9:32:44 PM
Last enriched: 8/7/2025, 9:47:58 PM
Last updated: 8/16/2025, 7:53:16 AM