Odyssey Stealer Hits macOS Users in 100+ Countries, Targets 300 Crypto Wallet Extensions

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Odyssey Stealer is again targeting macOS users, with a recent surge affecting victims in more than 100 countries.

The information-stealing malware is built to collect credentials, browsing data, cryptocurrency assets, and other sensitive files that can quickly expose both personal and business accounts.

The campaign reaches victims through deceptive software and update prompts, including ClickFix-style social-engineering lures that persuade users to run malicious commands.

Once launched, the malware quietly searches the device for valuable information and sends it to attacker-controlled infrastructure.

These lures exploit routine behavior rather than a newly disclosed macOS flaw. A convincing prompt can turn a normal download or troubleshooting step into an infection, making careful source checks essential even for users who keep their operating system updated.

Moonlock Lab said in a report shared with Cyber Security News (CSN) that this broad footprint can affect individuals, investors, and corporate Mac users alike.

The researchers found that Odyssey can collect passwords, cookies, and autofill data from widely used browsers, including Chrome, Brave, Edge, Vivaldi, Opera, Arc, Firefox, and Waterfox.

The impact extends beyond browser logins. By taking wallet data, cloud and developer credentials, messaging-app information, and local system records, the malware can give criminals several paths to steal funds, take over accounts, or move deeper into an affected environment.

Odyssey Stealer Hits macOS Users

Cryptocurrency users face a particularly broad risk from this version of Odyssey Stealer.

Moonlock Lab said the malware targets roughly 300 cryptocurrency wallet extension IDs, an approach that lets attackers search for a large range of browser-based wallets rather than depend on one popular service.

It also seeks wallet files associated with 16 desktop cryptocurrency applications. The targeted applications include Electrum, Exodus, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, Dash Core, and Monero, placing both software wallet users and people who manage hardware wallets through companion apps at risk.

The theft routine does not stop at wallets. Odyssey can take browser passwords and session cookies, which may allow an attacker to access an account without immediately knowing its password.

Autofill information can also reveal names, addresses, payment details, and other data saved for convenience.

For developers, administrators, and remote workers, the collection of SSH keys and configuration data for AWS, Google Cloud, Azure, and Docker is especially concerning.

Stolen FileZilla logins, Keychain database data, Telegram and Discord information, shell history, and locally retrievable passwords could further widen the damage after an initial compromise.

Persistence Raises the Stakes

The malware attempts to remain on a Mac by installing a persistent LaunchDaemon, a system component that can start programs automatically.

This gives Odyssey a better chance of returning after a reboot and continuing its collection activity without requiring the victim to reopen the original lure.

Moonlock Lab also observed the operation replacing Ledger, Trezor, and Exodus applications with trojanized versions designed to drain wallets.

In practical terms, a victim may believe they are using a trusted wallet program while the substituted application is built to redirect or steal cryptocurrency transactions.

The attackers use a primary command-and-control server and fallback domains, allowing the malware to receive instructions and deliver stolen information even if one connection path is disrupted.

The campaign also uses second-stage trojan wallet payloads, suggesting that an infection may develop beyond the first data-theft phase.

Downloading software only from an official vendor site or the Mac App Store, treating unexpected update instructions with suspicion, and checking a wallet app before entering recovery information can reduce exposure.

Organizations should watch for unfamiliar LaunchDaemons, unusual outbound connections, and unexpected changes to wallet applications.

Anyone who suspects an infection should disconnect the Mac from networks, change credentials from a separate trusted device, review cryptocurrency accounts, and seek incident-response support before restoring normal access.

Indicators of compromise (IoCs):-

Type Indicator Description
IP address 165.245.215.18 Primary command-and-control server 
Domain rahtam.com Fallback command-and-control domain 
Domain scubin.com Second fallback command-and-control domain 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.