Odyssey Stealer Surges in Global macOS Campaign, Expands Beyond Initial Target Regions
A sharp rise in Odyssey Stealer activity is targeting macOS users worldwide, with recent telemetry revealing a rapid geographic expansion of the malware campaign. Initially detected in the U.S., France, and Spain, the threat has now spread to the U.K., Germany, Italy, Canada, Brazil, India, and multiple countries across Africa and Asia. Notably, the campaign avoids victims in CIS nations, a pattern often linked to Russian-aligned cybercriminal groups.
Odyssey Stealer emerged as a rebranded evolution of Poseidon Stealer, which itself originated from the AMOS Stealer. After the sale of Poseidon in fall 2024, its developer, known as "Rodrigo4", relaunched the operation under the Odyssey name, introducing enhanced evasion and persistence mechanisms.
Distribution & Infection Tactics
Threat actors deploy Odyssey Stealer through social engineering, primarily via fake CAPTCHA verification pages using the "ClickFix" technique. Victims encounter these pages on compromised websites impersonating legitimate software downloads, such as Microsoft Teams, Homebrew, or Ledger Live. The malware checks the victim’s OS before delivering malicious instructions.
Once executed, the stealer harvests a wide range of sensitive data, including:
- Cryptocurrency wallets (Tron, Electrum, Binance)
- Browser credentials, cookies, and autofill data (Chrome, Firefox, Safari)
- Over 100 browser extensions
- macOS Keychain passwords
- Payment information, browsing history, and files from the Desktop and Documents folders (targeting .txt, .pdf, .docx, .jpg, .png, .rtf, and .kdbx files)
Persistence & Exfiltration
Odyssey Stealer establishes persistence via LaunchDaemons with randomly generated names (e.g., com.{random}.plist), ensuring survival across reboots. The attack tricks users into copying and executing base64-encoded terminal commands, which decode and run malicious AppleScript to install the stealer without traditional binary drops.
Advanced variants include a SwiftUI-based "Technician Panel", using social engineering to prompt users for passwords under the guise of tech support.
Stolen data is compressed into an "out.zip" file in a temporary directory and exfiltrated to command-and-control (C2) servers via curl POST requests. If the initial upload fails, the malware retries up to 10 times with 60-second delays, improving the odds of delivery even when a connection attempt is blocked. After exfiltration, the script deletes its temporary files to hinder forensic analysis.
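As an added defender-side example (not code from the article or from any vendor tooling), the following Python audit parses launchd plists and flags the two persistence traits the report describes: a random-looking com.<random> label and a ProgramArguments line that pipes base64-decoded content into osascript or calls curl. The entropy threshold, the fragment list and the two sample plists are assumptions constructed for illustration.

```python
import math
import plistlib
import re
from collections import Counter
from pathlib import Path

# Command fragments matching the chain in the report: base64-decoded shell commands
# that run AppleScript and ship an archive out with curl. Assumed list, tune per fleet.
SUSPICIOUS_FRAGMENTS = ("base64", "osascript", "curl ", "out.zip")

def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric labels score higher than vendor words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def score_plist(data: bytes, path: str) -> list:
    """Return (path, reason) findings for one LaunchDaemon/LaunchAgent plist."""
    findings = []
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    args = " ".join(str(a) for a in plist.get("ProgramArguments", []))
    # Heuristic 1: a two-part com.<random> label; 3.0 bits/char is an assumed cutoff.
    m = re.fullmatch(r"com\.([a-z0-9]+)", label)
    if m and shannon_entropy(m.group(1)) > 3.0:
        findings.append((path, f"random-looking label {label!r}"))
    # Heuristic 2: the job's command line carries the decode/AppleScript/exfil pattern.
    for frag in SUSPICIOUS_FRAGMENTS:
        if frag in args:
            findings.append((path, f"ProgramArguments contains {frag.strip()!r}"))
    return findings

def scan_directory(directory: str = "/Library/LaunchDaemons") -> list:
    """Run score_plist over every .plist in a launchd folder on a live host."""
    results = []
    for p in Path(directory).glob("*.plist"):
        results.extend(score_plist(p.read_bytes(), str(p)))
    return results

# Constructed samples (not real captures): one shaped like the report's persistence job,
# one benign Apple daemon for comparison.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.k3x9qz7vb2</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>echo PLACEHOLDER_B64 | base64 -d | osascript</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.apple.softwareupdated</string>
<key>ProgramArguments</key><array><string>/usr/libexec/softwareupdated</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
```

On a live host, call scan_directory() for both /Library/LaunchDaemons and ~/Library/LaunchAgents and review each flagged path by hand; the heuristics are triage hints, not a verdict.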
Attacker Infrastructure & Capabilities
The Odyssey operation features a sophisticated control panel, allowing threat actors to:
- Monitor infected devices (IP addresses, online status)
- Store stolen passwords, cookies, and cryptocurrency wallets in organized logs
- Generate custom malware versions via a builder function
Some C2 infrastructure has been identified, including the IP 45.46.130[.]131, which hosts the Odyssey Stealer login panel for attackers to access harvested data.
Source: https://gbhackers.com/odyssey-stealer/
Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence
"id": "MIC1770366975",
"linkid": "microsoft-threat-intelligence",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "location": ["U.S.", "France", "Spain", "U.K.", "Germany", "Italy", "Canada", "Brazil", "India", "Africa", "Asia"],
      "type": "Individual users, organizations"
    }
  ],
  "attack_vector": "Social Engineering (Fake CAPTCHA verification pages, ClickFix technique)",
  "data_breach": {
    "data_exfiltration": "Yes (via curl POST requests to C2 servers)",
    "file_types_exposed": [".txt", ".pdf", ".docx", ".jpg", ".png", ".rtf", ".kdbx"],
    "personally_identifiable_information": "Yes (browser credentials, payment information, Keychain passwords)",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Cryptocurrency wallets",
      "Browser credentials",
      "Cookies",
      "Autofill data",
      "macOS Keychain passwords",
      "Payment information",
      "Browsing history",
      "Files (.txt, .pdf, .docx, .jpg, .png, .rtf, .kdbx)"
    ]
  },
  "description": "A sharp rise in Odyssey Stealer activity is targeting macOS users worldwide, with recent telemetry revealing a rapid geographic expansion of the malware campaign. Initially detected in the U.S., France, and Spain, the threat has now spread to the U.K., Germany, Italy, Canada, Brazil, India, and multiple countries across Africa and Asia. The campaign avoids victims in CIS nations, a pattern often linked to Russian-aligned cybercriminal groups. Odyssey Stealer is a rebranded evolution of Poseidon Stealer, which originated from the AMOS Stealer. The malware harvests sensitive data, including cryptocurrency wallets, browser credentials, cookies, macOS Keychain passwords, and files from Desktop and Documents folders.",
  "impact": {
    "data_compromised": "Cryptocurrency wallets, browser credentials, cookies, autofill data, macOS Keychain passwords, payment information, browsing history, files from Desktop and Documents folders",
    "identity_theft_risk": "High",
    "payment_information_risk": "High",
    "systems_affected": "macOS systems"
  },
  "initial_access_broker": {
    "backdoors_established": "LaunchDaemons with randomly generated names (e.g., com.{random}.plist)",
    "entry_point": "Compromised websites impersonating legitimate software downloads (Microsoft Teams, Homebrew, Ledger Live)"
  },
  "motivation": "Data theft, financial gain (cryptocurrency, credentials, payment information)",
  "post_incident_analysis": {
    "root_causes": "Social engineering (ClickFix technique), fake CAPTCHA pages, base64-encoded terminal commands, lack of user awareness"
  },
  "references": [{"source": "Cybersecurity Threat Intelligence Report"}],
  "threat_actor": "Russian-aligned cybercriminal group (suspected)",
  "title": "Odyssey Stealer Surges in Global macOS Campaign, Expands Beyond Initial Target Regions",
  "type": "Malware (Stealer)"
}