A new wave of the Odyssey Stealer malware is targeting macOS users in more than 100 countries, according to security researchers at Moonlock Lab. The latest version is built to steal passwords, browser data, cryptocurrency wallets, cloud credentials, and developer files while maintaining long-term access to infected devices.

Researchers said the malware has evolved beyond simple credential theft. Once installed, it can replace legitimate cryptocurrency wallet applications with modified versions designed to capture wallet credentials and transaction information.

The campaign primarily targets users interested in cryptocurrency and finance through fake websites that imitate trusted platforms and software download pages.

Targets Wallets, Browsers, and Developer Credentials

The malware steals login credentials, cookies, and autofill data from major browsers, including Chrome, Brave, Microsoft Edge, Vivaldi, Opera, Arc, Firefox, and Waterfox.

For cryptocurrency users, Odyssey searches for wallet files from more than 16 desktop wallet applications, including Electrum, Exodus, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, Dash Core, and Monero, while also scanning nearly 300 cryptocurrency browser extension IDs for wallet data and private keys.

Beyond crypto assets, the malware collects SSH keys, Apple Keychain databases, Telegram and Discord data, FileZilla credentials, terminal history, and configuration files for AWS, Google Cloud, Microsoft Azure, and Docker. It also attempts to obtain the user’s local macOS password using the built-in dscl authentication tool.

According to the malware analysis shared by Moonlock Lab, infected systems establish communication with the primary command-and-control (C2) server at 165[.]245.215.18, with rahtam[.]com serving as a fallback and scubin[.]com delivering second-stage payloads, including trojanized wallet applications.

Fake Apps and ClickFix Technique Drive Infections

Security researchers say Odyssey is commonly delivered through the ClickFix attack method. Victims are redirected to fake websites that closely resemble the Apple App Store, cryptocurrency news platforms, or financial services.

These pages display a fake Cloudflare verification screen instructing macOS users to copy and paste a command into the Terminal. Instead of completing a verification check, the command downloads and executes an AppleScript that installs the malware.

The script creates persistent LaunchDaemon services, allowing Odyssey to survive system reboots and continuously communicate with attacker-controlled servers.

The malware also displays a fake password prompt to capture the user’s macOS password. Once validated, it copies Keychain files, browser databases, wallet files, and personal documents before compressing everything into a ZIP archive and uploading it to its command server.

If the upload fails, it automatically retries multiple times to ensure the stolen data is delivered. Researchers also found the malware stealing files from the Desktop and Documents folders, including TXT, PDF, DOCX, JPG, PNG, RTF, and KeePass database (.kdbx) files.

Malware-as-a-Service Operation

Security firms SOC Prime and CYFIRMA describe Odyssey as a Malware-as-a-Service (MaaS) platform. Affiliates can rent access to a centralized administration panel that tracks infected devices, manages stolen credentials, builds customized malware versions, and restores hijacked browser sessions using stolen cookies.

Investigators linked multiple Odyssey control panels to infrastructure hosted primarily in Russia. Threat researchers believe Odyssey is a rebranded version of Poseidon Stealer, which itself originated from the AMOS Stealer malware family.

The operation mainly targets users in the United States and Europe while largely avoiding victims in Commonwealth of Independent States (CIS) countries, a pattern often associated with Russian-speaking cybercrime groups.

Related: SlowMist Says There Were 182 Blockchain Security Issues in H1 2026