Threat Actors Impersonate Microsoft Teams to Deliver Odyssey macOS Stealer Via Clickfix
September 19th, 2025
High
Our Cyber Threat Intelligence Unit has identified ongoing ClickFix social engineering campaigns distributing the Odyssey macOS stealer. Initially observed in early August 2025 by Forcepoint through a TradingView-themed lure, the campaign has evolved into a Microsoft Teams-themed lure, as reported by CloudSEK in September 2025. Victims are prompted to paste a Base64-encoded AppleScript command into macOS Terminal, deploying Odyssey. Once active, the stealer harvests credentials, browser cookies, Apple Notes, and cryptocurrency wallets, staging the data into /tmp/out.zip before exfiltration to attacker-controlled C2 infrastructure. Persistence is achieved via LaunchDaemons, and the malware can replace Ledger Live with a trojanized version to maintain long-term financial theft capabilities. This campaign presents severe risks to macOS users and can lead to credential compromise, financial loss, and reinfection.
Technical Details
Attack Type: Financially motivated info-stealer delivery & data theft on macOS.
Severity: High.
Delivery Method: ClickFix phishing/social engineering via fake download pages (TradingView, Microsoft Teams).
Affected Products: macOS systems (Safari, Chrome, Firefox, Brave), Apple Notes, Keychain, multiple crypto wallets (desktop and extension-based, including Ledger Live, Electrum, Exodus, MetaMask, etc.)
Execution:
Base64-encoded AppleScript executed via Terminal (osascript).
Obfuscated AppleScript silently harvests credentials, browser cookies, Apple Notes, and crypto wallets.
Data staged into /tmp/out.zip and exfiltrated via curl.
Persistence via /Library/LaunchDaemons/com.<random>.plist
Replacement of Ledger Live.app with a trojanized build, or tampering with the existing installation.

Impact
Credential Theft: Browser logins, autofill data, keychains, crypto wallet credentials.
Data Exfiltration: Notes, screenshots, and up to ~10 MB of personal files from Desktop/Documents.
Financial Theft: Direct compromise of cryptocurrency wallets (desktop + extension + Ledger Live tampering).
Persistence/Reinfection: System-level LaunchDaemon ensures a long-term foothold and reinfection risk.
Detection Method
Network Traffic:
Monitor for curl POSTs with zipped data to suspicious IPs/domains.
DNS/proxy logs for access to TradingView lookalikes or fake Microsoft Teams domains.
Endpoint Behavior:
Monitor for osascript executions tied to Base64 payloads.
Look for creation of /Library/LaunchDaemons/com.<random>.plist
File access attempts to Keychain, Apple Notes, or wallet directories.
File & Process Monitoring:
Detect trojanized Ledger Live installation under /Applications
Flag unexpected file artifacts (~/.pwd, ~/.username, ~/.chost, ~/.botid)
User Awareness:
Detect abnormal access following phishing-themed Teams/TradingView lures.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| IP / C2 | 185.93.89[.]162 | Seen in campaign traffic |
| Domain / Lure | teamsonsoft[.]com | Fake Microsoft Teams download page |
| Hash SHA-256 | 9c520fa25239c0f116ce7818949ddce5fd2f315317863715416cb4886c5aeb2 | Odyssey sample |
| Hash SHA-256 | 7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1 | Odyssey sample |
| Hash SHA-256 | d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8 | Odyssey sample |
| Hash SHA-256 | 397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273 | Odyssey sample |
| Hash SHA-256 | 909038524250903a44efd734710e60a8f73719130176c726e58d3287b22067c8 | Odyssey sample |
| URL | hxxp://185.93.89[.]162/log | Data exfil endpoint |
| URL | hxxp://185.93.89[.]162/otherassets/plist/ | Malicious plist payload |
| URL | hxxp://185.93.89[.]162/otherassets/ledger.zip | Trojanized Ledger Live |

Recommendations
Network Controls: Block access to listed IOCs; monitor for curl POSTs with zip uploads.
Endpoint Hunting: Audit /Library/LaunchDaemons/ for suspicious plists; search for trojanized Ledger Live.app.
Credential Hygiene: Reset Apple ID, browser, and wallet passwords; reissue keys from uncompromised systems.
Containment & Recovery: Remove trojanized apps; wipe /tmp/out.zip artifacts; rebuild compromised endpoints if persistence cannot be reliably removed.
User Awareness: Train staff to avoid pasting commands from unverified “support/download” pages.
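The following hunting script turns the Endpoint Behavior, File & Process Monitoring and Endpoint Hunting items above into checks a responder can run on a macOS host; it is an added example, not part of the advisory or any vendor tool. The root and home-directory parameters are assumptions so the checks can also run against a staged directory tree, and the shebang heuristic for a tampered Ledger Live bundle is our own assumption rather than something the campaign reporting states.

```bash
#!/usr/bin/env bash
# Added hunting script (not from the advisory) for the Odyssey artifacts above.
# Assumed parameters: ROOT (default /) and HOME_DIR (default $HOME) so the checks
# can run against a staged tree. Prints one line per finding plus "findings: N";
# returns 0 when nothing was found, 1 otherwise.

odyssey_hunt() {
  local root="${1:-/}" home="${2:-$HOME}" hits=0
  root="${root%/}"

  # 1. Archive the stealer stages before exfiltration.
  if [ -e "$root/tmp/out.zip" ]; then
    echo "HIT staged archive: $root/tmp/out.zip"; hits=$((hits + 1))
  fi

  # 2. Hidden marker files left in the victim's home directory.
  local f
  for f in .pwd .username .chost .botid; do
    if [ -e "$home/$f" ]; then echo "HIT marker file: $home/$f"; hits=$((hits + 1)); fi
  done

  # 3. LaunchDaemons named com.<random>.plist: flag any whose program references
  #    osascript, base64 or curl, the execution chain the campaign uses.
  local p
  for p in "$root"/Library/LaunchDaemons/com.*.plist; do
    [ -f "$p" ] || continue
    if grep -qiE 'osascript|base64|curl' "$p"; then
      echo "HIT suspicious LaunchDaemon: $p"; hits=$((hits + 1))
    fi
  done

  # 4. Ledger Live: a bundle whose main executable starts with a shebang (a script
  #    instead of a Mach-O binary) is our assumed tampering heuristic; on a real
  #    host also run: codesign --verify --deep --strict "/Applications/Ledger Live.app"
  local app="$root/Applications/Ledger Live.app" exe
  if [ -d "$app" ]; then
    for exe in "$app"/Contents/MacOS/*; do
      [ -f "$exe" ] || continue
      if [ "$(head -c 2 "$exe" 2>/dev/null)" = "#!" ]; then
        echo "HIT script-based Ledger Live executable: $exe"; hits=$((hits + 1))
      fi
    done
  fi

  echo "findings: $hits"
  [ "$hits" -eq 0 ]
}
```

Run it as `odyssey_hunt / "$HOME"` on a live host; a non-zero exit status means at least one artifact was found and the endpoint should be isolated and imaged before cleanup.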
Conclusion
The Odyssey campaign highlights the rapid adaptation of financially motivated actors, who shifted from TradingView to Microsoft Teams lures within weeks to maximize victim exposure. By exploiting trusted brand identities and using ClickFix instructions, the attackers bypass standard defenses and rely on user-driven actions to establish control. The combination of credential theft, cryptocurrency wallet compromise, and persistence techniques makes Odyssey a high-impact macOS stealer. We urge organizations to prioritize user awareness training, strengthen endpoint detection and response, and actively monitor for related IOCs to mitigate risks associated with this ongoing campaign.