Odyssey Stealer Targets macOS Users and 300 Crypto Wallet Extensions Globally
Key Takeaways The Odyssey Stealer, a sophisticated information-stealing malware, is actively targeting macOS users across more than 100 countries. The malware is distributed through social...
Key Takeaways
- The Odyssey Stealer, a sophisticated information-stealing malware, is actively targeting macOS users across more than 100 countries.
- The malware is distributed through social engineering tactics, primarily disguised as software updates or system fixes.
- Odyssey Stealer can exfiltrate a wide array of sensitive data, including browser credentials, cryptocurrency wallet data from 300 extensions and 16 desktop applications, cloud service credentials, and messaging app information.
- It establishes persistence on infected systems via a LaunchDaemon and can replace legitimate cryptocurrency applications with malicious versions.
A renewed campaign involving the Odyssey Stealer is actively compromising macOS systems globally, impacting users in over 100 countries. This potent information-stealing malware is designed to harvest a broad spectrum of sensitive data, including user credentials, browser activity, and cryptocurrency assets, which could lead to significant personal and corporate account compromise. A detailed report by Moonlock Lab said in a report highlighted the extensive capabilities and reach of this threat.
Table Of Content
Attackers are leveraging social engineering techniques to propagate Odyssey Stealer, often masquerading as critical software updates or system repair tools, such as “ClickFix”-style prompts. These deceptive lures persuade users to execute malicious commands. Once activated, the malware operates stealthily in the background, systematically identifying and exfiltrating valuable data to infrastructure controlled by the attackers. This method exploits typical user behavior rather than relying on novel macOS vulnerabilities, underscoring the importance of vigilance even for users maintaining up-to-date systems.
Odyssey Stealer’s Broad Data Theft Capabilities
Moonlock Lab analysts, who uncovered this latest wave of activity, noted that Odyssey Stealer possesses a more extensive data theft capability than many typical browser-focused infections. The malware is proficient at extracting passwords, cookies, and autofill data from popular web browsers, including Chrome, Brave, Edge, Vivaldi, Opera, Arc, Firefox, and Waterfox. This enables attackers to gain unauthorized access to user accounts, even without knowing the explicit passwords, by leveraging stolen session cookies.
Beyond browser data, Odyssey Stealer poses a substantial risk to cryptocurrency users. The malware specifically targets approximately 300 cryptocurrency wallet extension IDs, allowing it to compromise a vast array of browser-based wallets. Furthermore, it seeks out wallet files from 16 desktop cryptocurrency applications, including Electrum, Exodus, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, Dash Core, and Monero. This puts both software wallet users and those who manage hardware wallets through companion applications at severe risk of financial loss.
The malware’s impact extends to a wider range of sensitive information. It can pilfer cloud and developer credentials (for services like AWS, Google Cloud, and Azure), messaging application data (Telegram, Discord), local system records, SSH keys, FileZilla logins, Keychain database information, and shell history. This comprehensive data collection provides attackers with multiple avenues for fund theft, account takeovers, and deeper infiltration into compromised environments.
Persistence and Advanced Evasion Tactics
To ensure prolonged access to infected systems, Odyssey Stealer employs persistence mechanisms. It installs a LaunchDaemon, a system component on macOS that automatically starts programs. This allows the malware to reactivate after system reboots, continuing its data collection activities without requiring further user interaction or re-execution of the initial malicious payload.
A particularly concerning tactic observed by Moonlock Lab is the malware’s ability to replace legitimate cryptocurrency applications like Ledger, Trezor, and Exodus with trojanized versions. Victims may unknowingly interact with these malicious applications, believing them to be authentic, while the altered software is designed to intercept or redirect cryptocurrency transactions, leading to direct theft of funds.
The threat actors behind Odyssey Stealer utilize a robust command-and-control (C2) infrastructure, featuring a primary C2 server and several fallback domains. This redundancy ensures the malware can maintain communication for receiving instructions and exfiltrating stolen data, even if primary connection paths are disrupted. The campaign also incorporates second-stage trojan wallet payloads, indicating a potential for evolving attack methodologies beyond initial data theft.
What You Should Do
- Verify Software Sources: Always download software and updates exclusively from official vendor websites or the Mac App Store. Be highly suspicious of unexpected update prompts or download links from unofficial sources.
- Exercise Caution with Prompts: Treat any unsolicited requests to run commands or install software with extreme skepticism. Verify the legitimacy of such requests through official channels before proceeding.
- Secure Cryptocurrency Wallets: Carefully inspect cryptocurrency wallet applications before entering any recovery information or initiating transactions. Regularly back up your wallet keys securely and consider hardware wallets for critical assets.
- Monitor for Suspicious Activity: For organizations, actively monitor for unfamiliar LaunchDaemons, unusual outbound network connections, and unexpected modifications to cryptocurrency wallet applications on macOS endpoints.
- Isolate and Remediate: If an infection is suspected, immediately disconnect the affected Mac from all networks. Change all compromised credentials from a separate, trusted device. Review cryptocurrency accounts for unauthorized transactions and seek professional incident response assistance before attempting to restore normal operations.
Indicators of compromise (IoCs):-



No Comment! Be the first one.