Odyssey Stealer Targets macOS Users and Hundreds of Crypto Wallet Extensions


Odyssey Stealer is targeting macOS users through fake software downloads, deceptive update messages and ClickFix-style instructions that convince victims to run malicious commands.

Moonlock Lab researchers said the latest activity reached systems in more than 100 countries. The malware can steal browser credentials, session cookies, cryptocurrency wallet data, cloud credentials and sensitive files from compromised Macs.

The campaign does not rely on a newly disclosed macOS vulnerability. Instead, attackers persuade users to bypass normal protections and execute the malware themselves.

Odyssey Stealer uses fake downloads and update prompts

The infection chain often begins with a website or message that claims the user must install an application, update software or fix a technical problem.

Some lures use the ClickFix technique. A victim receives instructions to copy and paste a command into Terminal, believing it will solve a browser, application or verification problem.

Running the command can download and execute Odyssey Stealer without requiring the attackers to exploit the operating system directly.

  • Fake application downloads
  • Fraudulent software update alerts
  • ClickFix troubleshooting instructions
  • Imitation crypto wallet websites
  • Search advertisements leading to malicious installers

Apple explains that macOS includes built-in malware protections such as Gatekeeper, notarization and XProtect. However, users can weaken those protections when they approve unknown software or manually run attacker-supplied commands.

The malware steals data from major web browsers

Odyssey searches browser profiles for passwords, cookies, autofill records and other stored information.

Moonlock Lab said the malware targets Chromium-based browsers and Firefox-related products, giving it access to data from many popular macOS browsers.

BrowserPotentially targeted data
Google ChromePasswords, cookies, autofill data and wallet extensions
BraveCredentials, browser sessions and extension data
Microsoft EdgePasswords, cookies and saved form information
OperaBrowser profiles and extension storage
VivaldiCredentials, cookies and wallet data
ArcSession data and Chromium-based profile information
FirefoxPasswords, cookies and browser profile files
WaterfoxFirefox-compatible profile and credential data

Session cookies create a serious risk because they may let an attacker enter an account without immediately knowing the password. Some services may treat the stolen session as already authenticated.

Odyssey targets roughly 300 crypto wallet extensions

Cryptocurrency users face one of the campaignโ€™s largest risks. Researchers said Odyssey checks for approximately 300 browser extension identifiers linked to cryptocurrency wallets.

This allows the malware to search for many wallet products rather than focusing only on one widely used extension.

Depending on the wallet, stolen extension files may expose account data, encrypted vaults, settings or information that helps attackers prepare further theft attempts.

  • Browser wallet extension storage
  • Wallet configuration files
  • Saved authentication information
  • Recovery-related data stored insecurely on the Mac
  • Cookies linked to cryptocurrency services

Users should never enter a wallet recovery phrase after following an unexpected update prompt. Legitimate wallet providers do not need a recovery phrase to install a routine software update.

Sixteen desktop wallet applications are also targeted

Odyssey also searches for data belonging to at least 16 desktop cryptocurrency applications.

The reported targets include software wallets, full-node applications and companion software used to manage hardware wallets.

ApplicationRisk
ElectrumWallet files and configuration data may be stolen
ExodusLocal wallet information and application data may be collected
Ledger LiveAccount and companion application data may be targeted
Trezor SuiteApplication records and wallet-related data may be collected
Bitcoin CoreWallet files and node configuration may be exposed
Litecoin CoreWallet and configuration files may be targeted
Dash CoreLocally stored wallet information may be stolen
MoneroWallet files and related settings may be collected

Hardware wallets still protect private keys when users follow secure signing procedures. However, trojanized companion applications can display false transaction details or trick users into approving transfers to an attacker.

Attackers replace legitimate wallet applications

Moonlock Lab observed Odyssey attempting to replace Ledger, Trezor and Exodus software with trojanized versions.

A substituted application may look similar to the real wallet program while changing transaction destinations, stealing entered information or delivering additional malware.

This creates a risk even after the original stealer finishes collecting data. The victim may later open the fake application and unknowingly authorize a malicious transaction.

  1. The victim installs or runs the initial Odyssey payload.
  2. The malware searches for supported wallet applications.
  3. It downloads or installs a modified replacement.
  4. The user opens what appears to be the normal wallet application.
  5. The trojanized program attempts to steal data or redirect funds.

Users should download wallet applications only from the official vendor website or the Mac App Store when the developer provides an official listing.

Odyssey steals cloud and developer credentials

The malware also targets information used by developers, administrators and remote workers.

Reported targets include SSH keys and configuration files associated with Amazon Web Services, Microsoft Azure, Google Cloud and Docker.

Stolen developer credentials can turn a personal Mac infection into a larger corporate incident if the user has access to production systems or cloud resources.

Targeted dataPotential impact
SSH keysUnauthorized access to servers and development systems
AWS credentialsCloud resource access and possible account compromise
Google Cloud configurationAccess to projects, workloads or stored data
Azure credentialsUnauthorized access to Microsoft cloud services
Docker configurationAccess to container registries and private images
Shell historyExposure of commands, hosts, paths and embedded secrets

Organizations should avoid storing long-term secrets in shell commands, scripts or unprotected configuration files. Compromised credentials should be revoked rather than only changing the Mac userโ€™s password.

Keychain and messaging data may also be exposed

Odyssey can collect information from the macOS Keychain database and other local credential stores.

It also targets FileZilla data, Telegram information, Discord records and locally retrievable passwords. The exact data available depends on application settings, file permissions and whether the user granted the malware additional access.

Appleโ€™s malware protection overview notes that macOS combines technical controls with user consent requirements. Social-engineering attacks often focus on convincing the user to approve the action those controls would otherwise block.

  • macOS Keychain database files
  • FileZilla site and login records
  • Telegram session or configuration data
  • Discord information
  • Terminal shell history
  • Files selected by the malwareโ€™s collection rules

A LaunchDaemon gives Odyssey persistence

Odyssey attempts to install a LaunchDaemon so it can start automatically and continue operating after the Mac restarts.

LaunchDaemons run background services under macOS. Depending on their location, ownership and configuration, they may run with elevated privileges.

Appleโ€™s launchd documentation explains how property list files define programs that the operating system starts and manages.

Persistence elementPurpose
LaunchDaemon property listDefines how and when the malware starts
Stored executable or scriptProvides the payload launched by macOS
Automatic restartAllows the malware to return after a reboot
Background executionReduces visible signs for the user

Security teams should investigate unfamiliar property list files in /Library/LaunchDaemons and other launchd locations. A new file should match a known and approved application.

Primary and fallback servers support data theft

The campaign uses a primary command-and-control server and at least two fallback domains.

Fallback infrastructure allows the malware to continue sending stolen information or receiving commands when defenders block one destination.

Researchers identified 165.245.215[.]18 as the primary server, with rahtam[.]com and scubin[.]com serving as fallback domains.

  • Primary command-and-control server: 165.245.215[.]18
  • Fallback domain: rahtam[.]com
  • Second fallback domain: scubin[.]com

The indicators remain defanged to prevent accidental connections. Security teams should re-fang them only inside controlled threat-intelligence and monitoring platforms.

How Mac users can avoid Odyssey Stealer

Users should avoid software delivered through advertisements, unsolicited messages and websites that imitate trusted vendors.

An update prompt that asks the user to open Terminal and paste a command should receive immediate suspicion. Normal application updates rarely require copying commands from a webpage.

Apple provides guidance on safely opening applications on a Mac and warns users to override security protections only when they trust the applicationโ€™s source.

  1. Download applications from official vendor websites or the Mac App Store.
  2. Do not paste commands into Terminal from update or verification pages.
  3. Check the full website domain before downloading wallet software.
  4. Keep macOS and installed browsers updated.
  5. Use a password manager instead of saving sensitive credentials broadly.
  6. Store cryptocurrency recovery phrases offline.
  7. Verify transaction details on the hardware wallet screen.

Gatekeeper warnings should not be dismissed merely because a website claims that macOS blocked a legitimate installer by mistake.

Organizations should monitor for wallet and persistence changes

Businesses managing Macs should monitor new LaunchDaemons, unusual command-line execution and connections to unknown infrastructure.

Teams should also watch for unexpected changes to cryptocurrency wallet applications. A modified application bundle, altered signature or new installation outside approved management tools may indicate compromise.

Appleโ€™s LaunchDaemon guidance can help defenders understand legitimate job locations and configuration structures.

  • Unexpected LaunchDaemon or LaunchAgent property lists
  • Terminal commands launched after browser activity
  • Unsigned or recently replaced wallet applications
  • Outbound traffic to known Odyssey infrastructure
  • Large collections of browser and wallet files
  • Access to SSH, cloud and Docker configuration directories

Application allowlisting and mobile device management policies can prevent employees from installing unknown software outside approved channels.

What to do after a suspected Odyssey infection

A user who suspects an infection should disconnect the Mac from wired and wireless networks. This may stop further data theft, although attackers may already possess stolen information.

Password changes should take place on a separate trusted device. Changing credentials from the infected Mac could expose the new passwords to the malware.

  1. Disconnect the affected Mac from all networks.
  2. Contact the organizationโ€™s security or incident-response team.
  3. Change important passwords from a clean device.
  4. Revoke browser sessions and authentication tokens.
  5. Rotate SSH keys, cloud credentials and API secrets.
  6. Move cryptocurrency to newly created wallets when theft remains possible.
  7. Review recent wallet transactions and account sign-ins.
  8. Reinstall macOS or rebuild the device from a trusted source when required.

Users should not restore suspicious applications or full system contents from an untrusted backup. A backup may contain the same persistence files or trojanized wallet software.

Indicators of compromise

TypeIndicatorDescription
IP address165.245.215[.]18Primary command-and-control server
Domainrahtam[.]comFallback command-and-control domain
Domainscubin[.]comSecond fallback command-and-control domain

Indicators can change quickly, so organizations should combine blocklists with behavioral detection. New LaunchDaemons, browser data collection and unauthorized wallet application replacement remain useful signals when attackers rotate infrastructure.

Odyssey creates risks beyond cryptocurrency theft

The malwareโ€™s broad collection capabilities can affect personal accounts, business systems and cloud environments.

A stolen wallet may lead to direct financial loss. Stolen browser sessions, SSH keys and cloud credentials can also let attackers enter corporate services or infrastructure.

Users should treat unexpected update instructions as a potential security threat, particularly when a website asks them to disable protections or paste commands into Terminal. Appleโ€™s application security guidance recommends opening software only when it comes from a trusted source.

FAQ

What is Odyssey Stealer?

Odyssey Stealer is information-stealing malware designed for macOS. It targets browser credentials, session cookies, cryptocurrency wallets, cloud credentials, developer files and other sensitive information.

How does Odyssey Stealer infect a Mac?

The malware commonly spreads through fake software downloads, fraudulent update prompts and ClickFix instructions that persuade users to copy and run malicious commands in Terminal.

How many crypto wallets does Odyssey target?

Moonlock Lab reported that the latest version checks roughly 300 browser wallet extension IDs and searches for data linked to at least 16 desktop cryptocurrency applications.

Can Odyssey steal data from hardware wallets?

The malware cannot directly extract private keys securely stored on a hardware wallet. However, it may replace companion applications, steal related data or trick users into approving fraudulent transactions.

What should users do after an Odyssey infection?

Users should disconnect the Mac, change credentials from a separate trusted device, revoke active sessions, rotate cloud and SSH credentials, review cryptocurrency accounts and rebuild the Mac from a trusted source when necessary.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages