
Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A new variant of the Odyssey infostealer for macOS has been discovered. It is code-signed and Apple-notarized (so the bundle passes Gatekeeper's checks until the signing certificate or notarization ticket is revoked) and ships with a persistent backdoor. The malware masquerades as a Google Meet updater and uses a SwiftUI-based "Technician Panel" to socially engineer the victim into cooperating. It steals sensitive data, including passwords, browser data, and cryptocurrency wallet contents. The stealer now drops a second-stage payload that establishes persistence and communicates with a command-and-control server. Notable capabilities of this stage include dynamic command execution, network tunneling, and self-termination. The malware also employs anti-analysis techniques to hinder researchers. Multiple signed and notarized samples have been identified in the wild, indicating an evolution in the threat actor's tactics.

OPENCTI LABELS:

backdoor,amos,macos,infostealer,cryptocurrency,persistence,odyssey,code-signing,notarization,odyssey stealer



