Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Linux Kernel FUSE Vulnerability (CVE-2023-XXXX) Lets Attackers Gain Root Privileges
July 10, 2026
Critical GNU Guix Vulnerabilities Let Attackers Elevate Privileges
July 10, 2026
Critical Windows Shortcut Vulnerability Allows Remote Code Execution
July 10, 2026
Home/Threats/Odyssey Stealer Targets macOS Users and 300 Crypto Wallet Extensions Globally
Threats

Odyssey Stealer Targets macOS Users and 300 Crypto Wallet Extensions Globally

Key Takeaways The Odyssey Stealer, a sophisticated information-stealing malware, is actively targeting macOS users across more than 100 countries. The malware is distributed through social...

Marcus Rodriguez
Marcus Rodriguez
July 10, 2026 4 Min Read
3 0

Key Takeaways

  • The Odyssey Stealer, a sophisticated information-stealing malware, is actively targeting macOS users across more than 100 countries.
  • The malware is distributed through social engineering tactics, primarily disguised as software updates or system fixes.
  • Odyssey Stealer can exfiltrate a wide array of sensitive data, including browser credentials, cryptocurrency wallet data from 300 extensions and 16 desktop applications, cloud service credentials, and messaging app information.
  • It establishes persistence on infected systems via a LaunchDaemon and can replace legitimate cryptocurrency applications with malicious versions.

A renewed campaign involving the Odyssey Stealer is actively compromising macOS systems globally, impacting users in over 100 countries. This potent information-stealing malware is designed to harvest a broad spectrum of sensitive data, including user credentials, browser activity, and cryptocurrency assets, which could lead to significant personal and corporate account compromise. A detailed report by Moonlock Lab said in a report highlighted the extensive capabilities and reach of this threat.

Table Of Content

  • Key Takeaways
  • Odyssey Stealer’s Broad Data Theft Capabilities
  • Persistence and Advanced Evasion Tactics
  • What You Should Do

Attackers are leveraging social engineering techniques to propagate Odyssey Stealer, often masquerading as critical software updates or system repair tools, such as “ClickFix”-style prompts. These deceptive lures persuade users to execute malicious commands. Once activated, the malware operates stealthily in the background, systematically identifying and exfiltrating valuable data to infrastructure controlled by the attackers. This method exploits typical user behavior rather than relying on novel macOS vulnerabilities, underscoring the importance of vigilance even for users maintaining up-to-date systems.

Odyssey Stealer’s Broad Data Theft Capabilities

Moonlock Lab analysts, who uncovered this latest wave of activity, noted that Odyssey Stealer possesses a more extensive data theft capability than many typical browser-focused infections. The malware is proficient at extracting passwords, cookies, and autofill data from popular web browsers, including Chrome, Brave, Edge, Vivaldi, Opera, Arc, Firefox, and Waterfox. This enables attackers to gain unauthorized access to user accounts, even without knowing the explicit passwords, by leveraging stolen session cookies.

Beyond browser data, Odyssey Stealer poses a substantial risk to cryptocurrency users. The malware specifically targets approximately 300 cryptocurrency wallet extension IDs, allowing it to compromise a vast array of browser-based wallets. Furthermore, it seeks out wallet files from 16 desktop cryptocurrency applications, including Electrum, Exodus, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, Dash Core, and Monero. This puts both software wallet users and those who manage hardware wallets through companion applications at severe risk of financial loss.

The malware’s impact extends to a wider range of sensitive information. It can pilfer cloud and developer credentials (for services like AWS, Google Cloud, and Azure), messaging application data (Telegram, Discord), local system records, SSH keys, FileZilla logins, Keychain database information, and shell history. This comprehensive data collection provides attackers with multiple avenues for fund theft, account takeovers, and deeper infiltration into compromised environments.

Persistence and Advanced Evasion Tactics

To ensure prolonged access to infected systems, Odyssey Stealer employs persistence mechanisms. It installs a LaunchDaemon, a system component on macOS that automatically starts programs. This allows the malware to reactivate after system reboots, continuing its data collection activities without requiring further user interaction or re-execution of the initial malicious payload.

A particularly concerning tactic observed by Moonlock Lab is the malware’s ability to replace legitimate cryptocurrency applications like Ledger, Trezor, and Exodus with trojanized versions. Victims may unknowingly interact with these malicious applications, believing them to be authentic, while the altered software is designed to intercept or redirect cryptocurrency transactions, leading to direct theft of funds.

The threat actors behind Odyssey Stealer utilize a robust command-and-control (C2) infrastructure, featuring a primary C2 server and several fallback domains. This redundancy ensures the malware can maintain communication for receiving instructions and exfiltrating stolen data, even if primary connection paths are disrupted. The campaign also incorporates second-stage trojan wallet payloads, indicating a potential for evolving attack methodologies beyond initial data theft.

What You Should Do

  • Verify Software Sources: Always download software and updates exclusively from official vendor websites or the Mac App Store. Be highly suspicious of unexpected update prompts or download links from unofficial sources.
  • Exercise Caution with Prompts: Treat any unsolicited requests to run commands or install software with extreme skepticism. Verify the legitimacy of such requests through official channels before proceeding.
  • Secure Cryptocurrency Wallets: Carefully inspect cryptocurrency wallet applications before entering any recovery information or initiating transactions. Regularly back up your wallet keys securely and consider hardware wallets for critical assets.
  • Monitor for Suspicious Activity: For organizations, actively monitor for unfamiliar LaunchDaemons, unusual outbound network connections, and unexpected modifications to cryptocurrency wallet applications on macOS endpoints.
  • Isolate and Remediate: If an infection is suspected, immediately disconnect the affected Mac from all networks. Change all compromised credentials from a separate, trusted device. Review cryptocurrency accounts for unauthorized transactions and seek professional incident response assistance before attempting to restore normal operations.

Indicators of compromise (IoCs):-

Type Indicator Description
IP address 165.245.215.18 Primary command-and-control server
Domain rahtam.com Fallback command-and-control domain <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/bb3ecad2-0f16-4e62-88c3-3b56cf724c86/Odyssey-Stealer-Hits-macOS-Users-in-100-Countries-Targets-300-Crypto-Wallet-Extensions.pdf?AWSAccessKeyId=ASIA2F3EMEYEWEH3EH5D&Signature=1LB5TVqG8XtZ1aIGcB%2FGwqePGuk%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEOr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCICiwAAV926%2Fc3IwFsIY8BA8ECwk2y%2B%2FsmcnjMo2Jof5xAiAknQFdojZuDQAo13RDnZ3wrl0st%2BuK9LlZefbPtDmzNyr8BAiz%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIMLFhXoYTCcMn4TMwAKtAE2hx8LrYv%2Br%2FmNiKww%2FRR0hcvK0EDbOSQYR1YjtGChxkOgitzGzM%2FaB3zHPOmsbsCGpAAycPNG9yVAgKj6qQ1qhMoGpckx4xFkblc6dVQ7fwo6OxEK4w1d7IYdrLzuoOVrq96PpYF2hPKDYEQmBWuDjhkaWgWNr2gcDyAJnn8vpJyY6SNBy%2FRpuHtNiAyv6y9BvIEmXS4LhXeq2BmzWR645VCnjVB1xDk48ocQEsJF7T%2BqlhsYkRYVX2%2BUNv9qjADoC3qur3K4ae0sGOYYYMI3ZEl%2BMi390JPl8Rq8nUSnPTxgDOnLrA4Vd3wlLE5DQF%2FUYN3Wny%2BFI6UbcLjKXBsA4s3ly3cldoI0MrJUkHJN76JGpJ0mxjHMItEKviM%2FEx94yguXp3dsyCYKJXkAiB14weB%2F8do8xyby8AMC1R8sfRgdLMrN9TZYj

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Dormant GitHub Accounts Hijacked for Corporate Source Code Reconnaissance

Next Post

Xalgorix AI Tool Vulnerability Exposes Sensitive Data

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
New Windows Process Injection Technique Evades 4 EDR Solutions
July 10, 2026
Xalgorix AI Tool Vulnerability Exposes Sensitive Data
July 10, 2026
Odyssey Stealer Targets macOS Users and 300 Crypto Wallet Extensions Globally
July 10, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us