Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware
Essential information
- Published
- 17/07/2025 16:36
- Modified
- 17/07/2025 20:17
- Tags
- 2025-07-17 amos backdoor code-signing cryptocurrency infostealer macos notarization odyssey odyssey stealer persistence
Description
A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browser information, and cryptocurrency wallet contents. The stealer now includes a second-stage payload that establishes persistence and communicates with a command-and-control server. Notable features include dynamic command execution, network tunneling capabilities, and self-termination mechanisms. The malware also employs anti-analysis techniques to evade researchers. Multiple signed and notarized samples have been identified in the wild, indicating an evolution in the threat actor's tactics.