Monday, December 1

Hackers Exploit Fake Microsoft Teams Site to Spread Odyssey macOS Stealer


Recent cyber-attacks on macOS users have escalated with a new campaign using a fake Microsoft Teams download site to distribute the Odyssey stealer malware. This marks an evolution from previous attacks which focused on fraudulent trading platforms.

Initially identified in early August 2025, attacks were documented using fake TradingView sites to deliver the malware. However, threat intelligence platform TRIAD by CloudSEK has found that attackers have expanded their methods to impersonate Microsoft Teams, a widely used collaboration platform.

The attackers registered the domain teamsonsoft[.]com, using official Microsoft branding to mislead users. Researchers identified 24 IP addresses linked to the same malicious infrastructure cluster, indicating a large-scale operation.

The attack employs a “clickfix” methodology, exploiting user trust in legitimate software. Users attempting to download Microsoft Teams from the fraudulent site are presented with a command to execute in their Terminal application.

For macOS users, executing this command runs a base64-encoded payload that launches an AppleScript-based stealer. The malware extracts sensitive data using legitimate system functions to evade detection.

Comprehensive Data Theft Capabilities

The Odyssey stealer's data collection is extensive. It begins with system reconnaissance, using the system_profiler utility to gather hardware and software details, and then moves to credential theft: it accesses Chrome keychain items and presents fake dialogs to trick users into entering their passwords, which the malware uses to gain higher privileges.

The malware targets cryptocurrency assets, extracting data from numerous wallets and extensions, including MetaMask, Electrum, Exodus, and Ledger Live. It also collects browser cookies, saved passwords, and Apple Notes databases.

Odyssey employs several persistence mechanisms, downloading extra payloads and using LaunchDaemons to maintain access after system restarts. It replaces legitimate Ledger Live applications with trojanized versions to intercept cryptocurrency transactions.

The stolen data is compressed into a ZIP archive and sent to the attacker's server at IP address 185.93.89[.]62. The same infrastructure hosts additional malicious payloads and a login panel for the operation. After transmission, the malware attempts to remove evidence of its activity to hinder forensic analysis.
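The behaviours described above (a pasted Terminal command that decodes base64 into a shell or AppleScript interpreter, a fake password dialog, and a write into LaunchDaemons for persistence) can each be turned into a simple process-command-line detection. The script below is an added example, not code from the article or from CloudSEK; the event records and the base64 text are constructed placeholders, and the rules are illustrative patterns rather than the campaign's exact command.

```python
"""Flag macOS process command lines matching the ClickFix stealer pattern."""
import re

# Constructed sample records, shaped like an EDR or process-audit feed.
# The base64 string is a placeholder, not the campaign's real payload.
SAMPLE_EVENTS = [
    {"pid": 4101, "cmd": "echo 'UExBQ0VIT0xERVI=' | base64 -d | bash"},
    {"pid": 4102, "cmd": "base64 -D -i /tmp/.p | osascript"},
    {"pid": 4103, "cmd": "osascript -e 'display dialog \"Teams needs your password\" "
                         "default answer \"\" with hidden answer'"},
    {"pid": 4104, "cmd": "cp /tmp/com.update.plist /Library/LaunchDaemons/com.update.plist"},
    {"pid": 4105, "cmd": "launchctl list"},
    {"pid": 4106, "cmd": "git commit -m 'fix base64 decode in parser'"},
    # system_profiler is a legitimate tool; on its own it is not a signal.
    {"pid": 4107, "cmd": "system_profiler SPHardwareDataType"},
]

# (tag, regex) pairs, each mapped to one behaviour the article describes.
RULES = [
    # base64 decode whose output is piped straight into a shell or AppleScript
    ("decode_to_interpreter",
     re.compile(r"base64\s+(?:-[dD]\b|--decode)[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|osascript)\b")),
    # AppleScript dialog asking for a hidden (password-style) answer
    ("fake_password_dialog",
     re.compile(r"osascript\b.*display dialog.*with hidden answer", re.S)),
    # writing into or loading from the system LaunchDaemons directory
    ("launchdaemon_write",
     re.compile(r"\b(?:cp|mv|tee|install|launchctl\s+(?:load|bootstrap))\b.*/Library/LaunchDaemons/")),
]


def classify(cmd: str) -> list[str]:
    """Return the rule tags triggered by a single command line."""
    return [tag for tag, rx in RULES if rx.search(cmd)]


def scan(events):
    """Return {pid: [tags]} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        tags = classify(ev["cmd"])
        if tags:
            hits[ev["pid"]] = tags
    return hits


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(tags)}")
```

Real deployments would feed these rules from process-execution telemetry (for example an EDR's command-line field) and tune them against the environment's own admin scripts to keep false positives down.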

Implications and Recommendations

This campaign highlights sophisticated attacks on macOS users, combining social engineering with advanced evasion techniques. Users should verify software download sources and avoid executing unfamiliar commands. Organizations should implement endpoint detection solutions to identify suspicious activities.

The targeting evolution from TradingView to Microsoft Teams suggests these threat actors will continue adapting to exploit popular platforms, necessitating ongoing vigilance for users and security teams.
