Odyssey Stealer Targets macOS Users Globally, Focusing on Cryptocurrency and Credentials
Odyssey Stealer is actively infecting macOS users in over 100 countries, employing social engineering tactics to steal credentials, browsing data, and cryptocurrency assets from hundreds of wallet extensions and desktop applications.

The information-stealing malware known as Odyssey Stealer has resurfaced with a significant global campaign, actively targeting macOS users across more than 100 countries. This sophisticated malware is designed to exfiltrate a wide range of sensitive data, including login credentials, browsing history, and valuable cryptocurrency assets, posing a substantial risk to both individual and corporate users.
The current campaign relies on deceptive social engineering tactics rather than exploiting newly discovered macOS vulnerabilities. Attackers are distributing the malware through convincing software and update prompts, often employing "ClickFix" style lures that trick users into executing malicious commands. These deceptive methods exploit users' routine behaviors, making it crucial for individuals to verify software sources meticulously, even if their operating system is up-to-date.
Once executed, Odyssey Stealer operates stealthily, scanning the infected device for valuable information. It targets a broad spectrum of data, including passwords, cookies, and autofill data from popular browsers such as Chrome, Brave, Edge, Vivaldi, Opera, Arc, Firefox, and Waterfox. Beyond browser-based information, the malware also collects cloud and developer credentials, messaging application data, and local system records, providing attackers with multiple avenues to compromise accounts and gain deeper access into affected environments.
Cryptocurrency users are particularly vulnerable to this latest iteration of Odyssey Stealer. The malware is engineered to target approximately 300 cryptocurrency wallet extension IDs, allowing it to cast a wide net across various browser-based wallets. Furthermore, it actively searches for wallet files associated with 16 desktop cryptocurrency applications, including prominent names like Electrum, Exodus, Ledger Live, Trezor Suite, Bitcoin Core, and Litecoin Core. This broad targeting places users of both software and hardware wallets at significant risk.
The threat extends beyond direct wallet theft. Odyssey Stealer can also compromise SSH keys and configuration data for major cloud platforms like AWS, Google Cloud, and Azure, as well as Docker. The exfiltration of FileZilla logins, Keychain database data, Telegram and Discord information, and shell history further amplifies the potential damage, enabling attackers to move laterally within compromised networks or gain access to sensitive development tools.
To ensure persistence, Odyssey Stealer employs a LaunchDaemon, a system component that allows the malware to automatically restart and continue its operations even after a system reboot. In some observed instances, attackers have also replaced legitimate wallet applications like Ledger, Trezor, and Exodus with trojanized versions designed to silently drain cryptocurrency funds. This sophisticated approach means users might unknowingly interact with malicious software while believing they are using trusted applications.
The malware's command-and-control (C2) infrastructure utilizes a primary server with fallback domains, ensuring continued communication and data exfiltration even if one C2 channel is disrupted. The observed use of second-stage trojan wallet payloads suggests that an infection may evolve beyond the initial data-stealing phase, potentially leading to more severe consequences.
To mitigate the risks associated with Odyssey Stealer, users are strongly advised to download software exclusively from official vendor websites or trusted app stores. Unexpected update prompts should be treated with extreme caution, and users should always verify the integrity of their cryptocurrency wallet applications before entering any sensitive information. Organizations should monitor for unusual LaunchDaemons, suspicious network connections, and unexpected modifications to critical applications. In the event of a suspected infection, immediate network disconnection, credential changes from a separate trusted device, and professional incident response are recommended.