Odyssey Stealer
Classification: HIGH
The macOS Infostealer Redefining Credential Theft at Scale
Access the TLP:AMBER intelligence deep dive into Odyssey Stealer, a highly sophisticated Malware-as-a-Service (MaaS) operation that is actively bypassing macOS defenses to target enterprise credentials, software developers, and financial assets.
The Intelligence Baseline
- Countries impacted within a single 24-hour surge
- Browser wallet extensions actively targeted
- Physical C2 hosts mapped to Helsinki infrastructure
ClickFix Exploitation and Full RAT Deployment
Odyssey has abandoned traditional execution methods, aggressively adopting the “ClickFix” social engineering technique, which accounted for 47% of all social engineering attacks in 2025. By deceiving users into pasting Base64-encoded payloads into the macOS Terminal, it bypasses automated security controls and drops a persistent, second-stage backdoor.
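As an added illustration of the defensive side of this pattern (example code written for this page, not part of the Z7 report or the SOC Prime rules it mentions): a small Python check that scans process command lines for a Base64 blob that is decoded and piped straight into a shell, and decodes the blob so an analyst can review what the user was tricked into running. The command lines, the `ClickFix-demo` payload and the function names are all constructed for the demo.

```python
import base64
import binascii
import re

# Constructed command lines, as an EDR or macOS unified-log forwarder might
# record them. These are demo inputs, not telemetry from the report.
_DEMO_BLOB = base64.b64encode(b"echo ClickFix-demo").decode()
SAMPLE_COMMAND_LINES = [
    "base64 -d token.txt > token.bin",          # benign: decode to a file
    f"echo {_DEMO_BLOB} | base64 -d | sh",      # ClickFix-style paste
    f"echo '{_DEMO_BLOB}' | base64 -D | zsh",   # same, macOS -D flag, zsh
    "ls -la /Applications",                     # benign
]

# base64 decode (-d, -D or --decode) whose output reaches a shell interpreter.
_DECODE_TO_SHELL = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sh|bash|zsh|osascript)\b"
)
# A standalone base64 token long enough to carry a command.
_B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)

def decode_embedded_payload(command_line):
    """Return the first base64 token that decodes to printable text (for analyst
    review only; nothing is executed), or None if there is no such token."""
    for match in _B64_TOKEN.finditer(command_line):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if text.isprintable():
            return text
    return None

def flag_clickfix_commands(command_lines):
    """Return (command_line, decoded_preview) for every line in which a base64
    blob is decoded and piped into a shell: the shape a pasted ClickFix command has."""
    findings = []
    for line in command_lines:
        if _DECODE_TO_SHELL.search(line):
            findings.append((line, decode_embedded_payload(line)))
    return findings

if __name__ == "__main__":
    for cmd, preview in flag_clickfix_commands(SAMPLE_COMMAND_LINES):
        print(f"ALERT: {cmd!r}\n  decoded: {preview!r}")
```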
Inside the Verified Intelligence Report
- Full RAT Capabilities
- Deep Credential Harvesting
- Supply Chain Trojanization
- Advanced Anti-Analysis
Responding to the Global Surge
Between February 5 and 6, 2026, Moonlock Lab telemetry confirmed a dramatic escalation, with Odyssey Stealer infections spreading to more than 30 countries across the globe within a 24-hour window. As the threat actor strips identifying branding from newer C2 panels to obscure attribution, enterprise security teams must move decisively.
Download the complete Z7 Threat Intelligence Deep Dive to access comprehensive Indicators of Compromise (IOCs), deployable SOC Prime SIEM detection rules, and urgent remediation guidance regarding mandatory updates to macOS Tahoe 26.3 and Apple XProtect definitions.