{
	"id": "c24ffda5-675f-4d6e-916f-bb1f239b1f24",
	"created_at": "2026-04-06T00:16:29.905704Z",
	"updated_at": "2026-04-10T03:37:08.579698Z",
	"deleted_at": null,
	"sha1_hash": "4bc5852ea0c299551482763b81bba0a86c8a5902",
	"title": "ODYSSEY STEALER : THE REBRAND OF POSEIDON STEALER - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1082833,
	"plain_text": "ODYSSEY STEALER : THE REBRAND OF POSEIDON STEALER - CYFIRMA\r\nArchived: 2026-04-05 15:45:21 UTC\r\nPublished On : 2025-06-26\r\nEXECUTIVE SUMMARY\r\nThe CYFIRMA research team has uncovered multiple websites employing Clickfix tactics to deliver malicious AppleScripts (osascripts). These scripts contain commands designed to steal browser cookies, passwords, cryptocurrency wallet data, and browser plugins. We’ve identified a command-and-control panel linked to this activity, which is attributed to Odyssey Stealer. The malicious websites we’ve observed are primarily typosquatting finance domains, Apple App Store domains, or cryptocurrency news-related domains. This suggests that the malware operators are likely targeting individuals interested in finance and cryptocurrency.\r\nINTRODUCTION\r\nThe Odyssey Stealer is distributed using the Clickfix technique. The Clickfix technique begins with the creation of a typosquatted or visually similar domain, designed to exploit user errors when typing. When a user inadvertently visits this malicious domain, they are presented with a fake Cloudflare-style CAPTCHA prompt.\r\nhttps://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/\r\nPage 1 of 13\n\nBelow the prompt, instructions are displayed for macOS users to copy a command and paste it into the terminal. If accessed from a Windows device, the site provides Windows-specific instructions instead. However, during our analysis, clicking the “Copy” button did not copy any commands. Since the Odyssey Stealer currently targets macOS, it’s possible that future updates may expand its capabilities to target Windows systems.\r\nIn this instance, the attacker mimicked the macOS App Store domain. When users visit the site, they encounter a prompt asking them to confirm they are not a robot. The site then instructs macOS users to copy and paste a Base64-encoded command into their terminal.\r\nWhen users click the “Copy” option, a Base64-encoded script is copied, designed to fetch and execute a command from the Odyssey server [http[:]//odyssey1[.]to[:]3333/d?u=October or http[:]//45[.]135.232.33/d/roberto85866]. This command triggers a lengthy osascript, which is not obfuscated, making it relatively straightforward to analyse.\r\nUpon execution, the malware displays a fake prompt designed to capture the user’s password. To validate the stolen credentials silently, it employs the macOS dscl command with the authonly parameter, ensuring the process remains hidden from the user.\r\nThe osascript can typically be found at either IP/d/\u003cusername\u003e or IP:3333/d?u=\u003ckeyword\u003e. In an older domain, we observed the use of u=october to host the AppleScript. However, in the new malicious domain, the script is not hosted on a different port but within another directory, suggesting it might belong to a different user of the Odyssey Stealer.\r\nASSESSMENT\r\nThe script uses alphanumeric obfuscation to hide function names. However, we successfully deobfuscated it to analyze the code.\r\nInitially, the script uses the mkdir command to create a directory, specifically within the /tmp folder. By utilizing the mkdir -p option, it ensures the creation of nested directories without encountering errors, streamlining the process.\r\nDuring further analysis, a temporary directory named /tmp/lovemrtrump was identified. This folder is created by the script to store collected data during its execution.\r\nThe script copies macOS keychain files, which store credentials, to its temporary folder /tmp/lovemrtrump/kc. It pairs this with attempts to capture the user’s password through a fake authentication prompt, enabling decryption of the Keychain. This ties into the broader script, which gathers browser data, saved passwords, and other sensitive files.\r\nThe script accesses data related to desktop wallets in the section that handles wallet directories and specific wallet-related files. It targets popular wallet applications like Electrum, Coinomi, Exodus, and more.\r\nOdyssey Stealer targets Chrome/Chromium browsers (Brave, Edge, Opera); it harvests saved passwords from Login Data, payment info, browsing history, and active session cookies for account hijacking.\r\nIt specifically raids cryptocurrency extensions like MetaMask, stealing wallet files and private keys. Firefox variants suffer password theft via “logins.json” (with decryption keys from “key4.db”).\r\nWhile Safari loses cookies, autofill data, and browsing history, the malware precisely targets each browser’s most valuable assets – credentials, financial data, and session tokens.\r\nThis malware targets browser extensions to steal cryptocurrency wallets (MetaMask, etc.) and authentication tokens. It steals from plugin storage locations.\r\nFor Chromium-based browsers, it extracts:\r\nPrivate keys and seed phrases from wallet extensions\r\nSession tokens from authentication plugins\r\nConfiguration files from password managers\r\nThe malware steals personal files from the Desktop and Documents folders with the extensions .txt, .pdf, .docx, .jpg, .png, .rtf, and .kdbx.\r\nThe malware organizes stolen data (browser histories, wallets, documents), compresses it as out.zip, and exfiltrates it via a curl POST request to the attacker’s server. If the upload fails, it silently retries up to 10 times with 60-second delays between attempts, ensuring persistent delivery even if the connection is intermittent or blocked temporarily. Hardcoded headers (buildid, username) tag the stolen data for the attacker’s tracking.\r\nThe exfiltrated data is transmitted in the following snippet format, containing the username, password keychain, hardware details, and other browser-related information. This data is sent to a hosted IP for collection and further exploitation by the attackers.\r\nODYSSEY STEALER CONTROL PANEL FEATURES\r\nThe panel provides a structured interface for attackers to manage stolen data, configure malware behavior, and deploy attacks. Key sections include:\r\nDashboard: Shows infected devices, stolen data, and attack stats.\r\nBuilder: Creates custom malware versions for different targets.\r\nLogs: Stores stolen passwords, cookies, and crypto wallets.\r\nBots: Lists hacked devices with details like IP address and their online status.\r\nGuest Mode: Lets buyers test limited features before purchasing.\r\nGoogle Cookies Restore: Hijacks browser sessions using stolen cookies.\r\nOther Settings: Controls panel behaviour.\r\nWe found multiple Odyssey Stealer Panels mostly hosted in Russia.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT\r\nOdyssey Stealer represents the latest evolution in macOS-targeting malware, emerging as a rebranded version of Poseidon Stealer, which itself originated as a fork of the AMOS Stealer. The stealer primarily targets users in Western countries, such as the United States and European Union, while conspicuously avoiding victims in CIS nations – a characteristic pattern often associated with Russian-aligned cybercriminal groups. The original AMOS Stealer remains actively maintained by its creator “ping3r,” while Odyssey has inherited and enhanced many of its core capabilities including comprehensive browser credential theft, cryptocurrency wallet extraction, and macOS Keychain password harvesting.\r\nThe malware operators employ “ClickFix” distribution tactics, luring victims through fake macOS App Store websites. Current evidence indicates that while Odyssey/Poseidon and AMOS share common ancestry, they are being developed as competing products in the growing macOS malware-as-a-service ecosystem.\r\nOn a Russian forum, a user expressed interest in Odyssey Stealer. In response, “Rodrigo,” the main developer of Poseidon Stealer and the former author of AMOS Stealer, commented, “I am here.” This strongly indicates that Odyssey Stealer is currently maintained by Rodrigo.\r\nCONCLUSION\r\nOdyssey Stealer is a macOS-focused infostealer that uses fake software updates (ClickFix tactic) to infect victims. It steals cryptocurrency wallet data (including Tron, Electrum, Binance, and others), browser cookies/logins from Chrome, Firefox, and Safari, and targets over 100 browser extensions. The malware collects and compresses stolen data into ZIP files before sending it to attacker-controlled servers. This sophisticated operation shows clear targeting of Western users and demonstrates professional-level data theft capabilities.\r\nMITRE TTPs\r\nTactics and Techniques\r\nTA0002: Execution\r\n  T1059: Command and Scripting Interpreter\r\n  T1059.002: AppleScript\r\n  T1204.002: Malicious File\r\n  T1064: Scripting (T1059: Command and Scripting Interpreter)\r\nTA0005: Defense Evasion\r\n  T1562.001: Disable or Modify Tools\r\n  T1140: Deobfuscate/Decode Files or Information\r\n  T1564.001: Hidden Files and Directories\r\n  T1070.004: File Deletion\r\nTA0006: Credential Access\r\n  T1555.001: Keychain\r\n  T1555.003: Credentials from Web Browsers\r\nTA0007: Discovery\r\n  T1087: Account Discovery\r\n  T1082: System Information Discovery\r\nTA0009: Collection\r\n  T1560: Archive Collected Data\r\nTA0010: Exfiltration\r\n  T1048: Exfiltration Over Alternative Protocol\r\nIndicators of Compromise\r\nIndicators / Remarks\r\nappmacosx[.]com Malicious domain\r\nfinancementure[.]com Malicious domain\r\nappsmacosx[.]com Malicious domain\r\nmacosxapp[.]com Malicious domain\r\nmacosapp-apple[.]com Malicious domain\r\nmacapps-apple[.]com Malicious domain\r\nmacapp-apple[.]com Malicious domain\r\nrepublicasiamedia[.]com Malicious domain\r\nemailreddit[.]com Malicious domain\r\nappmacintosh[.]com Malicious domain\r\ncryptoinfo-news[.]com Malicious domain\r\nmacosxappstore[.]com Malicious domain\r\nmacosx-apps[.]com Malicious domain\r\nmacxapp[.]org Malicious domain\r\ncryptonews-info[.]com Malicious domain\r\ncryptoinfnews[.]com Malicious domain\r\n188[.]92.28.186 Malicious domain\r\n45[.]144.233.192 Malicious domain\r\n83[.]222.190.250 Malicious domain\r\n185[.]39.206.183 Malicious domain\r\nodyssey1[.]to Odyssey C2 Panel\r\n45[.]135.232.33 Odyssey C2 Panel\r\n45[.]146.130.129 Odyssey C2 Panel\r\n83[.]222.190.214 Odyssey C2 Panel\r\n5[.]199.166.102 Odyssey C2 Panel\r\nodyssey-st[.]com Odyssey C2 Panel\r\n194[.]26.29.217 Odyssey C2 Panel\r\n185[.]147.124.212 Odyssey C2 Panel\r\n88[.]214.50.3 Odyssey C2 Panel\r\na0bdf6f602af5efea0fd96e659ac553e0e23362d2da6aecb13770256a254ef55 Apple Script\r\nRECOMMENDATIONS\r\nImplement threat intelligence to proactively counter the threats associated with the Odyssey stealer.\r\nTo protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection, such as an antimalware security suite and a host-based intrusion prevention system.\r\nContinuous monitoring of the network activity with NIDS/NIPS and using the web application firewall to filter/block suspicious activity provides comprehensive protection from compromise due to encrypted payloads.\r\nConfigure firewalls to block outbound communication to known malicious IP addresses and domains associated with Odyssey stealer command and control servers.\r\nImplement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.\r\nEmploy application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.\r\nOnly install apps from the official Mac App Store or verified developer sites.\r\nBlock osascript execution unless explicitly required for business operations.\r\nThe use of security benchmarks to create baseline security procedures and organizational security policies is also recommended.\r\nDevelop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.\r\nSecurity awareness and training programs help to protect from security incidents such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by the Odyssey Stealer malware.\r\nSource: https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/"
	],
	"report_names": [
		"odyssey-stealer-the-rebrand-of-poseidon-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bc5852ea0c299551482763b81bba0a86c8a5902.pdf",
		"text": "https://archive.orkl.eu/4bc5852ea0c299551482763b81bba0a86c8a5902.txt",
		"img": "https://archive.orkl.eu/4bc5852ea0c299551482763b81bba0a86c8a5902.jpg"
	}
}