The Odyssey Stealer malware campaign targets macOS users through a sophisticated phishing attack leveraging a ClickFix technique. Instead of deploying a traditional binary, the attack uses a fake CAPTCHA verification page designed to trick users into executing a malicious AppleScript. This script stealthily collects a wide range of sensitive data from the victim's system, including cryptocurrency wallet information, browser extensions, cookies, saved keychains, usernames, and passwords. The stolen data is then compressed into a ZIP archive and exfiltrated to a command and control server controlled by the attackers. The use of AppleScript allows the malware to bypass many traditional detection mechanisms since it does not drop a conventional executable file. The attack blends social engineering with technical evasion techniques, making it challenging to detect and analyze. Indicators of compromise include specific file hashes, IP addresses (45.146.130.131 and 45.46.130.131), and the domain tradingviewen.com, which are linked to the command and control infrastructure. The campaign is tagged with multiple MITRE ATT&CK techniques such as T1056.001 (Input Capture: Keylogging), T1074.001 (Data Staged: Local Data Staging), T1553.001 (Subvert Trust Controls: Code Signing), T1530 (Data from Cloud Storage), T1059.002 (Command and Scripting Interpreter: AppleScript), T1005 (Data from Local System), T1555 (Credentials from Password Stores), T1555.003 (Credentials from Keychain), T1217 (Browser Bookmark Discovery), T1204 (User Execution), T1566 (Phishing), T1027 (Obfuscated Files or Information), T1570 (Exfiltration Over Web Service), T1070.004 (Indicator Removal on Host: File Deletion), and T1071.001 (Application Layer Protocol: Web Protocols). No known exploits in the wild or specific threat actors have been identified yet, but the campaign's medium severity rating reflects its potential impact and sophistication.

European organizations with macOS users are at risk of credential theft, loss of sensitive personal and corporate information, and compromise of cryptocurrency wallets. The theft of saved keychains and browser credentials can lead to further lateral movement within corporate networks, unauthorized access to cloud services, and financial fraud. The stealthy nature of the attack, which avoids dropping binaries, complicates detection and response efforts, increasing the risk of prolonged undetected breaches. Organizations involved in finance, cryptocurrency trading, and those with remote macOS users are particularly vulnerable. The campaign's use of social engineering increases the likelihood of successful compromise, potentially leading to data breaches, reputational damage, and regulatory penalties under GDPR if personal data is exposed.

1. Implement advanced email filtering and phishing detection solutions tailored to identify social engineering and phishing campaigns targeting macOS users. 2. Educate macOS users about the risks of executing scripts or following instructions on suspicious CAPTCHA or verification pages, emphasizing caution with unexpected prompts. 3. Enforce strict execution policies on macOS endpoints to restrict or monitor AppleScript execution, including the use of Endpoint Detection and Response (EDR) tools capable of detecting suspicious scripting activity. 4. Regularly audit and limit access to sensitive data such as keychains and crypto wallets, employing multi-factor authentication (MFA) and hardware security modules (HSM) where possible. 5. Monitor network traffic for unusual data exfiltration patterns, particularly connections to known malicious IPs and domains like those identified in this campaign. 6. Deploy application whitelisting and behavioral analytics to detect obfuscated or anomalous script execution. 7. Maintain up-to-date backups and incident response plans specifically addressing macOS threats. 8. Collaborate with threat intelligence providers to stay informed about emerging indicators and tactics related to Odyssey Stealer and similar threats.