
Cybercriminals Use EV Code Signing to Hide DMG Malware from Detection

Malware operators continue to escalate their tactics by abusing Extended Validation (EV) code signing certificates to evade macOS security checks.

A new campaign linked to the Odyssey Stealer malware family has been identified, leveraging Apple Developer ID certificates fraudulently issued to malicious actors, allowing them to distribute fully undetected (FUD) DMGs that bypass security scans.

New Fraudulent Developer ID Emerges

Researchers have uncovered a malicious DMG file (SHA256: a031ba8111ded0c11acfedea9ab83b4be8274584da71bcc88ff72e2d51957dd7) signed with a suspicious Developer ID certificate under the name “THOMAS BOULAY DUVAL” (Team ID: J97GLQ5KW9).

This identity appears fabricated, mirroring a pattern previously observed in another malicious app, which was signed under the name “Alina Balaban (3GUHMVK4XV).”

Attackers deliberately embed parts of the certificate holder’s name into their app identifiers, creating a misleading sense of legitimacy. Examples include “balaban.sudoku” and “thomas.parfums”.

Once launched, the trojanized DMG retrieves a malicious AppleScript payload from remote infrastructure. The script, hosted on franceparfumes[.]org/parfume and linked to IP 185.93.89.62, initiates execution of Odyssey Stealer components.

The stealer is designed to exfiltrate sensitive data, including browser-stored credentials, session cookies, and cryptocurrency wallet information.

Abuse of EV Certificates on macOS

While the abuse of EV code signing has been seen predominantly in Windows malware campaigns, this discovery reinforces that Apple’s Developer ID ecosystem is also a target.

Obtaining an EV certificate is typically expensive and requires strict identity validation, making such certificates rare and valuable assets in the cybercriminal underground.

Once obtained, however, these certificates enable attackers to distribute malware that appears to be a legitimate macOS application, allowing it to bypass Gatekeeper checks and gain user trust.

The use of signed DMGs also hinders traditional antivirus and gateway detection, as many engines initially mark them as safe.

In this case, the sample was reported as fully undetected across VirusTotal scans at the time of discovery, highlighting the effectiveness of EV signing in evading standard defenses.
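A defender-side triage check for the two signals described above (a Team ID already tied to this campaign, and a fragment of the certificate holder's name embedded in the bundle identifier), written as an added example that is not part of the original report. It parses the text that `codesign -dvvv <app> 2>&1` prints on macOS; the sample output below is constructed for the example and models the signer named in this report.

```python
import re

# Team IDs named in this report, used here as a small constructed blocklist
KNOWN_ABUSED_TEAM_IDS = {"J97GLQ5KW9", "3GUHMVK4XV"}

# Constructed sample of `codesign -dvvv` output modelled on the signer in this report
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/Parfums/Parfums.app/Contents/MacOS/Parfums
Identifier=thomas.parfums
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: THOMAS BOULAY DUVAL (J97GLQ5KW9)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=J97GLQ5KW9
"""

def parse_codesign(text):
    """Extract identifier, Team ID, signer name and the Authority chain from codesign output."""
    info = {"identifier": None, "team_id": None, "signer_name": None, "authorities": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info["identifier"] = value.strip()
        elif key == "TeamIdentifier":
            info["team_id"] = value.strip()
        elif key == "Authority":
            info["authorities"].append(value.strip())
    # The first Authority line is the leaf certificate; pull the holder name and Team ID out of it
    if info["authorities"]:
        m = re.match(r"Developer ID Application: (.+?) \(([A-Z0-9]{10})\)$", info["authorities"][0])
        if m:
            info["signer_name"] = m.group(1)
            info["team_id"] = info["team_id"] or m.group(2)
    return info

def name_fragment_in_identifier(signer_name, identifier):
    """True if any word of the signer's name (4+ chars) reappears inside the bundle identifier."""
    if not signer_name or not identifier:
        return False
    ident = identifier.lower()
    return any(len(w) >= 4 and w.lower() in ident for w in signer_name.split())

def assess(text, blocklist=KNOWN_ABUSED_TEAM_IDS):
    """Return a list of finding tags for one codesign output; an empty list means nothing flagged."""
    info = parse_codesign(text)
    findings = []
    if info["team_id"] in blocklist:
        findings.append(f"team_id_blocklisted:{info['team_id']}")
    if name_fragment_in_identifier(info["signer_name"], info["identifier"]):
        findings.append("signer_name_fragment_in_identifier")
    if not any(a.startswith("Developer ID Application:") for a in info["authorities"]):
        findings.append("not_developer_id_signed")
    return findings
```

The name-fragment heuristic is a triage signal, not proof of malice; pair it with the Team ID blocklist and the hash in the Indicators of Compromise section before blocking.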

Apple’s code signing revocation process plays a key role in mitigating such abuse. Once a certificate is confirmed to be malicious, it can be swiftly revoked, preventing further execution on macOS.

However, the delay between discovery and revocation provides a valuable operational window for attackers to conduct infections.

With this campaign, operators behind Odyssey Stealer are clearly investing significant resources into strengthening their distribution mechanisms.

By purchasing high-cost EV certificates and combining them with social engineering techniques, such as branding apps with misleading identities, the threat actors aim to extend the lifespan of their payload delivery before takedowns.

Indicators of Compromise

  • Malicious DMG: a031ba8111ded0c11acfedea9ab83b4be8274584da71bcc88ff72e2d51957dd7
  • C2 Domain: franceparfumes[.]org/parfume
  • C2 IP Address: 185.93.89.62

As researchers track these fraudulent certificates, revocations are expected to disrupt the ongoing campaign. However, the continued abuse of EV signing demonstrates cybercriminals’ determination to undermine trust-based security mechanisms across both Windows and macOS ecosystems.
