
Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

Published 17/07/2025 16:36 · Modified 17/07/2025 20:17


Essential information

Tags
2025-07-17, amos, backdoor, code-signing, cryptocurrency, infostealer, macos, notarization, odyssey, odyssey stealer, persistence

Description

A new variant of the Odyssey Stealer for macOS has been discovered, featuring code signing, , and a persistent . The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browser information, and wallet contents. The stealer now includes a second-stage payload that establishes and communicates with a command-and-control server. Notable features include dynamic command execution, network tunneling capabilities, and self-termination mechanisms. The malware also employs anti-analysis techniques to evade researchers. Multiple signed and notarized samples have been identified in the wild, indicating an evolution in the threat actor's tactics.

External references