How It Works
Odyssey Stealer, a piece of information stealing malware, is actively targeting macOS users across more than 100 countries. The infection spreads through deceptive software updates and social engineering techniques, such as ClickFix style prompts, which trick users into running malicious commands. Once executed, the malware silently gathers sensitive data including passwords, cookies, autofill information, and cryptocurrency assets, then transmits this data to attacker controlled servers.
The malware is particularly dangerous because it exploits routine user behavior rather than a specific macOS vulnerability. It targets roughly 300 cryptocurrency wallet extension IDs and seeks wallet files from desktop applications like Electrum, Exodus, Ledger Live, and Trezor Suite. It also collects SSH keys, cloud configuration data for AWS, Google Cloud, Azure, and Docker, as well as credentials from messaging apps like Telegram and Discord.
Impact and Persistence
Moonlock Lab analysts report that Odyssey Stealer’s reach extends beyond browser logins to include developer credentials, shell history, and locally stored passwords. The malware establishes persistence on compromised systems by installing a LaunchDaemon, allowing it to restart automatically after a reboot. Attackers have also been observed replacing legitimate Ledger, Trezor, and Exodus applications with trojanized versions designed to drain cryptocurrency wallets.
The campaign uses a primary command and control server along with fallback domains to maintain communication and exfiltrate stolen data. Organizations are advised to monitor for unusual LaunchDaemons, unexpected outbound connections, and changes to wallet applications. Users should verify software sources and avoid acting on unexpected update prompts to reduce the risk of infection.
Source: Cyber Security News

