Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

July 17, 2025, 8:17 p.m.

Description

A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browser information, and cryptocurrency wallet contents. The stealer now includes a second-stage payload that establishes persistence and communicates with a command-and-control server. Notable features include dynamic command execution, network tunneling capabilities, and self-termination mechanisms. The malware also employs anti-analysis techniques to evade researchers. Multiple signed and notarized samples have been identified in the wild, indicating an evolution in the threat actor's tactics.

External References

https://www.jamf.com/blog/signed-and-stealing-uncovering-new-insights-on-odyssey-infostealer
https://otx.alienvault.com/pulse/68792679d13c814d91c9c973
Tags
backdoor
infostealer
cryptocurrency
persistence
macos
amos
2025-07-17
code-signing
notarization
odyssey
odyssey stealer

Date

  • Created: July 17, 2025, 4:36 p.m.
  • Published: July 17, 2025, 4:36 p.m.
  • Modified: July 17, 2025, 8:17 p.m.