{
  "name": "Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware",
  "slug": "evolution-of-macos-odyssey-stealer-new-techniques-signed-malware",
  "description": "A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browser information, and cryptocurrency wallet contents. The stealer now includes a second-stage payload that establishes persistence and communicates with a command-and-control server. Notable features include dynamic command execution, network tunneling capabilities, and self-termination mechanisms. The malware also employs anti-analysis techniques to evade researchers. Multiple signed and notarized samples have been identified in the wild, indicating an evolution in the threat actor's tactics.",
  "published": "2025-07-17T14:36:09+00:00",
  "created_at": "2025-07-17T14:36:09+00:00",
  "modified_at": "2025-07-17T18:17:43+00:00",
  "created_at_opencti": "2025-07-17T14:36:09+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-17",
    "amos",
    "backdoor",
    "code-signing",
    "cryptocurrency",
    "infostealer",
    "macos",
    "notarization",
    "odyssey",
    "odyssey stealer",
    "persistence"
  ],
  "related_entities": {},
  "external_refs": [
    "https://www.jamf.com/blog/signed-and-stealing-uncovering-new-insights-on-odyssey-infostealer",
    "https://otx.alienvault.com/pulse/68792679d13c814d91c9c973"
  ]
}