{
	"id": "3a333ecb-2a5b-4a38-b4ad-2fff1c06541b",
	"created_at": "2026-04-06T01:30:08.947824Z",
	"updated_at": "2026-04-10T03:35:29.156479Z",
	"deleted_at": null,
	"sha1_hash": "be4069bc5bae6ca8a4f243c99cb65d1de4d4e294",
	"title": "A taxonomy of Mac stealers: Distinguishing Atomic, Odyssey, and Poseidon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107552,
	"plain_text": "A taxonomy of Mac stealers: Distinguishing Atomic, Odyssey, and Poseidon\r\nBy susannah.matt@redcanary.com\r\nPublished: 2025-10-09 · Archived: 2026-04-06 00:17:20 UTC\r\nAt this point, macOS-based threats have been well documented. In 2024, Red Canary noted a surge in adversaries targeting macOS devices to obtain sensitive data from browsers, extensions, and other applications, but 2025 has seen a continued fracturing of those families.\r\nThe macOS stealer landscape in particular is dominated by a few key players whose similarities can often make them challenging to distinguish. Poseidon Stealer, prominent during 2024 and early 2025, was sold and rebranded as Odyssey Stealer, an evolution that saw it share significant code and features with another prevalent stealer, Atomic Stealer (aka AMOS).\r\nhttps://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/\r\nPage 1 of 8\r\nWhile their core functionalities and targets remain the same, there have been enough subtle changes over the past 10 months that it felt like a good time to dig into the dynamic world of macOS stealers, tracing the lineage and technical nuances of Atomic, Poseidon, and Odyssey, highlighting how these threats adapt to defensive measures and circumvent system protections, and why granular analysis is crucial for effective protection.\r\nAppleScript: The universal language of compromise\r\nOne of the primary reasons macOS stealers like Atomic, Poseidon, and Odyssey bear such striking resemblances is their shared reliance on AppleScript.\r\nAppleScript, a powerful scripting language built directly into macOS, is designed to automate tasks, control applications, and interact with various system components. For legitimate users, it’s a tool for efficiency and customization. For adversaries, the native integration represents a golden opportunity. Because AppleScript is a built-in part of the operating system, scripts can often bypass conventional security checks that might flag external, less trusted executables. The system is inherently designed to trust its own components, and AppleScript falls into that category.\r\nA cybercriminal writing a stealer in AppleScript is akin to a Windows threat actor coding an entire stealer using PowerShell. Both languages leverage built-in functionalities and benefit from the system’s trust, making them harder to detect by traditional signature-based methods and less likely to trigger immediate alerts from endpoint detection and response (EDR) solutions.\r\nThis foundation means that many of these stealers present a very similar operational footprint—a cascade of AppleScript commands designed to scour a system for valuable data—making differentiation a challenge for security analysts presented with raw endpoint telemetry.\r\nA shared heritage: Similarities between Atomic and Poseidon\r\nAtomic and Poseidon have consistently topped the list of popular macOS stealers. What makes the two particularly intriguing is an alleged history of collaboration, code sharing, and, in some cases, outright copying.\r\nWhile minor elements such as specific file names used during their operation might differ, the core AppleScript logic—the sequence of commands, the methods for data retrieval, and the general structure of the malicious code—remains largely identical. This genetic overlap has presented a headache for security researchers and incident responders. Without direct access to the malware’s command-and-control (C2) infrastructure, distinguishing between Atomic and Poseidon based solely on endpoint telemetry can be a difficult task.\r\nThe core challenge for defenders has become finding subtle yet reliable indicators that can precisely attribute a stealer to a specific family. Such granular attribution is vital for informing threat intelligence, understanding adversary tactics, and ultimately enabling more precise detection and mitigation strategies.\r\nA brief calm: Gatekeeper’s intervention and Poseidon’s retreat\r\nThe narrative of macOS stealers isn’t just about their internal evolution; it’s also a story of a continuous cat-and-mouse game with Apple’s security enhancements. A significant turning point occurred in fall 2024. Prior to this, a vulnerability existed in macOS that allowed the bypass of Apple’s Gatekeeper, something adversaries frequently leveraged for their initial deployment of Atomic and Poseidon onto systems.\r\nGatekeeper is a fundamental macOS security feature designed to ensure that only approved software—specifically, applications that have been signed by a registered developer and notarized by Apple—can execute. Before Apple fixed this, there was a trivial way to bypass Gatekeeper: users could right-click on an executable and run it, circumventing its protective mechanisms.\r\nWhile simple, the method was so effective and widely abused that malicious DMGs (disk images) distributing Atomic Stealer even included background images with explicit instructions, coaching unsuspecting users to right-click and “Open” the malicious application rather than double-click, which would have triggered Gatekeeper’s warning.\r\nThis era of easy bypass, a golden age for macOS stealer deployment, came to an abrupt end when Apple shipped a crucial update to macOS in October 2024 that patched this critical Gatekeeper vulnerability. Simultaneously, a notable shift occurred in the cybercriminal underground: the persona behind Poseidon, known as “Rodrigo4,” reportedly decided to exit the game, selling off his stealer and supposedly retiring from malicious activity.\r\nThis confluence of events led to a relative period of silence from macOS stealers lasting from October 2024 to about March 2025. The primary Gatekeeper bypass was closed, significantly hindering traditional deployment methods, and one of the two dominant stealer families was seemingly out of business. It was a brief, welcome respite that highlighted the impact that both platform-level security improvements and the volatile, often unpredictable nature of the cybercriminal market can have.\r\nRe-emergence and evolution: The birth of Odyssey and Atomic’s catch-up\r\nThe period of calm proved to be short-lived. Stealer activity on macOS started back up again in March 2025, signaling a renewed and adapted threat. This resurgence was marked by a shift in deployment methodologies. With the Gatekeeper bypass firmly closed, adversaries were forced to innovate and find new ways to trick users into executing their malware. This led to widespread adoption of paste-and-run or “ClickFix” methodologies, relying heavily on user interaction and exploiting human trust rather than technical vulnerabilities for initial access.\r\nCrucially, this period also saw the re-emergence of a familiar threat under a new guise: Odyssey Stealer. When the developer behind Poseidon Stealer, Rodrigo4, sold the stealer in the fall of 2024, the sale turned out to be a temporary hiatus or, it could be argued, a tactical rebranding.\r\nOdyssey, in essence, is a sophisticated variation or updated iteration of the original Poseidon, designed to operate in the post-Gatekeeper bypass era.\r\nThis is consistent with Red Canary Intelligence’s observations. Poseidon did not appear in Red Canary’s data from November 2024 until March 2025. From March 2025 until September 2025, Red Canary associated newer Odyssey stealer instances with Poseidon’s profile, because Odyssey is an evolution of Poseidon.\r\nThis new generation of stealers wasn’t merely a re-skinning of old code. Odyssey Stealer brought with it a host of enhanced capabilities designed specifically to evade detection, improve resilience, and ensure persistence on compromised systems. These new features included:\r\nAnti-sandboxing mechanisms: Tools and logic to detect and avoid execution within analysis environments like virtual machines or emulators, thereby frustrating security researchers.\r\nPersistence with launch daemons: Leveraging macOS’s launchd system—a core service management framework—to ensure the stealer runs automatically after system reboots and maintains its presence on the machine.\r\nBotnet component: Adding functionality for persistent remote execution and control, indicating a move towards more complex capabilities beyond simple, one-time data exfiltration. This suggests the ability for ongoing surveillance or multi-stage attacks.\r\nThe threat landscape is a highly competitive one, even among cybercriminals. Shortly after Odyssey introduced these new, advanced features, Atomic Stealer worked the same features into its tooling, underscoring the continuous arms race as well as the quick adoption and integration of effective new techniques within the malicious ecosystem.\r\nThe devil in the details: Distinguishing stealers at the endpoint\r\nGiven the similarities in AppleScript and the rapid feature adoption that saw both Atomic and Odyssey incorporating similar capabilities, how can defenders accurately distinguish between these evolving threats without relying on external C2 intelligence that may be difficult to obtain?\r\nMinor distinctions appear in the HTTP request headers that these stealers generate:\r\nCase sensitivity: Atomic’s curl commands often contain BuildID (with a capital B and ID), whereas Odyssey’s often show buildid (lowercase b and id). While trivial, these case differences can be indicative of the stealer family.\r\nHeader variations: Atomic’s commands often contain a generic user header, whereas Odyssey specifies username. Additional headers, including cl: 0, a custom HTTP header likely used to identify the compromised machine, and cn: 0, another custom HTTP header included in the request to the adversaries’ server, have also been spotted; Red Canary has observed them in Atomic Stealer but not in the others, providing further points of distinction.\r\nRed Canary has also observed that Odyssey and Atomic differ slightly when it comes to their choice of file names, URLs, and command-line options for exfiltration using curl, as seen in the table below.\r\nShared tactics and evolving anti-analysis techniques\r\nDespite these differences, these macOS stealers share many tactical similarities, indicating a common understanding of valuable targets and effective evasion methods. Both Atomic and Odyssey, for instance, typically target the same software families, often focusing on high-value data sources like browser extensions (which can store cookies, session tokens, and cached credentials), cryptocurrency wallets, and other applications holding sensitive personal and financial information. They also exhibit similar file-name patterns when collecting data from common user directories like Desktop and Documents, suggesting standardized approaches to data reconnaissance and collection.\r\nHowever, their evolution also reflects a growing sophistication in anti-analysis techniques, designed to thwart security researchers and automated sandboxes.\r\nUsername checks\r\nSome stealers, including Odyssey, might include logic to check for specific usernames such as maria (VirusTotal’s macOS sandbox), jackiemac, or root (Triage, Recorded Future’s macOS sandbox name). By detecting these common sandbox usernames, the malware can choose not to execute its full payload or to behave benignly, effectively evading dynamic analysis and revealing its true malicious intent only on genuine victim systems.\r\nHardware-based sandboxing evasion\r\nA particularly advanced and effective technique involves checking the system’s processor architecture. Newer variants of Atomic often refuse to run on macOS systems with an Intel processor. This is a clever evasion tactic because many sandbox systems available for macOS use Intel Core processors. By explicitly running only on the ARM architecture (i.e., Apple silicon Macs), these stealers can bypass a significant portion of automated analysis environments, ensuring the malicious payload is only delivered and executed on genuine consumer systems running newer hardware, where detection might be less mature.\r\nDeployment method evolution: From DMGs to bash scripts\r\nThe methods of initial access for macOS stealers have undergone a transformation, primarily driven by Apple’s continuous improvements to its built-in security features, most notably Gatekeeper.\r\nOver the last several months, these stealers have shifted their focus to “paste and run” or “ClickFix” methodologies; this involves tricking users into executing commands directly in the terminal, often through various deceptive means:\r\nFake Homebrew websites and GitHub repositories\r\nThreat actors create fraudulent websites that mimic legitimate software repositories or package managers, such as Homebrew. These sites then prompt users to copy and paste seemingly benign installation commands into macOS Terminal, which secretly downloads and executes the stealer.\r\nDirect bash scripts\r\nAdversaries don’t even have to deploy executable binaries; they can lure users to execute a bash script directly, sometimes via a simple curl-to-bash command. Because the command is executed directly in Terminal, it bypasses Gatekeeper; the sequence downloads a script from a remote server and immediately pipes it into the bash interpreter, executing it without ever saving it to disk or triggering Gatekeeper.\r\nThis highlights the importance of robust user education regarding Terminal commands and the need for advanced endpoint detection solutions that can scrutinize and analyze terminal activity for suspicious patterns, not just file execution.\r\nRemediation: Consistency amidst differentiation\r\nWhile distinguishing between stealer families in detail is crucial for threat intelligence, tracking, and proactive defense, the immediate remediation steps for compromised macOS systems largely remain consistent regardless of the specific stealer identified.\r\nA successful stealer compromise, by nature, indicates a deep compromise of user data and system integrity. That means effective remediation typically necessitates the following.\r\nOperating system reset/re-imaging\r\nThis is often the most secure approach to ensure all malicious components, including any persistence mechanisms like launch daemons or hidden files, are completely removed from the system.\r\nCredential resets\r\nAll accounts accessed or potentially exfiltrated by the stealer must have their passwords reset. This includes browser logins, iCloud accounts, email accounts, financial services, and any other sensitive services the user accessed from the compromised machine. This may also include re-issuing certificates or keys and revoking any existing logon sessions, as these stealers can exfiltrate many kinds of files and browser cookies. Multi-factor authentication should also be enabled or reviewed for all critical accounts.\r\nSecurity posture review\r\nA thorough post-incident analysis is essential. This involves identifying the initial vector of compromise (e.g., social engineering, drive-by download) to understand how the stealer gained access. This information is crucial for implementing preventative measures and patching security gaps to prevent similar incidents in the future. Consider educating users on Transparency, Consent, and Control (TCC) controls in macOS and presenting scenarios in which users may not want to bypass TCC, in order to preserve their own security and privacy.\r\nStaying ahead in the macOS security race\r\nThe evolution of macOS stealers like Atomic, Poseidon, and Odyssey paints a clear picture of an increasingly sophisticated, adaptable, and persistent threat landscape.\r\nWhile immediate remediation actions for a compromised system often remain consistent, regardless of the specific stealer involved, the ability to precisely differentiate between stealer families at the endpoint can help defenders. Being able to perform a more granular analysis—particularly through the examination of subtle C2 communication parameters and evolving deployment methods—can enable more accurate threat intelligence, attribution of attacks to specific groups, and the creation of proactive, adaptive security strategies.\r\nSource: https://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/"
	],
	"report_names": [
		"atomic-odyssey-poseidon-stealers"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439008,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be4069bc5bae6ca8a4f243c99cb65d1de4d4e294.pdf",
		"text": "https://archive.orkl.eu/be4069bc5bae6ca8a4f243c99cb65d1de4d4e294.txt",
		"img": "https://archive.orkl.eu/be4069bc5bae6ca8a4f243c99cb65d1de4d4e294.jpg"
	}
}