A malicious campaign has emerged that abuses a fake Microsoft Teams download site to trick macOS users into installing the powerful Odyssey information stealer, security researchers warn.

The operation was first detailed by analysts at CloudSEK’s TRIAD team, who described the scheme as a sophisticated form of social engineering. Instead of exploiting a vulnerability, attackers rely on users to copy and run a command in their Terminal — unknowingly launching malware that systematically drains personal and financial data.

Disguised as Microsoft Teams

The malicious page looks almost identical to Microsoft’s own Teams portal. Visitors are told that unusual activity has been detected and that they must “verify” their installation. A button on the page claims to copy a harmless command, but in reality it loads a base64-encoded AppleScript into the clipboard.

Anyone who pastes that command into their Terminal ends up executing the script, which immediately deploys the Odyssey stealer.

What Odyssey Does Once Inside

The malware doesn’t waste time. The moment it runs, it asks for the user’s password through a pop-up that looks like a system prompt. The request keeps repeating until the real password is entered. With that password in hand, Odyssey gains access to the macOS keychain and the saved logins inside Chromium and Firefox-based browsers.

From there, the theft widens:

  • Browsers: Safari, Chrome, Edge, Brave, Opera, and Firefox are all targeted for cookies, saved sessions, and stored logins.

  • Extensions: Password managers and crypto wallet plugins, especially MetaMask, are on the list.

  • Cryptocurrency wallets: Well-known apps including Exodus, Electrum, Atomic, Ledger Live, and Trezor Suite are searched and copied. In some cases, the legitimate apps are even deleted and replaced with trojanized versions that give attackers full control over transactions.

  • Personal files: Desktop and Documents folders are scanned for text files, PDFs, documents, wallet backups, and keys.

All of this data is bundled into a file named out.zip and quietly uploaded to a command-and-control server at 185.93.89.62.

Persistence and Tampering

Unlike many smash-and-grab stealers, Odyssey is designed for long-term access. It creates a LaunchDaemon that reloads the malware every time the Mac boots. Using the stolen admin password, it plants itself deep inside the system.

One of the more brazen tactics observed was the removal of the legitimate Ledger Live app. Attackers then replaced it with a malicious copy downloaded from their server, ensuring they could directly intercept hardware wallet activity.

Why It Matters

The consequences for victims go beyond stolen logins. Once persistence is established, attackers maintain a foothold inside the device. That means ongoing surveillance, repeated theft, and potential manipulation of cryptocurrency transactions. For individuals holding digital assets, the financial losses could be devastating.

The attack also shows how threat actors are shifting lures: earlier campaigns relied on fake TradingView sites. Now, by impersonating Microsoft Teams, they are targeting a tool widely used in corporate environments, raising the stakes for both individuals and businesses.

How to Stay Protected

Security specialists recommend several defensive steps:

  • Only download Teams from the official site: teams.microsoft.com.

  • Be suspicious of any webpage that asks you to paste commands into Terminal.

  • Monitor for outbound traffic to 185.93.89[.]62 and unusual uploads of ZIP archives.

  • Regularly check /Library/LaunchDaemons/ for suspicious entries.

  • If infection is suspected, reset all passwords from a clean device, remove any fake applications, and consider a full macOS reinstall to eliminate backdoors.
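As an added illustration of the LaunchDaemon and outbound-traffic checks above (example code written for this page, not a tool from CloudSEK or the article), the following Python audit parses every plist in a LaunchDaemons directory and flags entries whose command line references osascript, base64, curl or the reported C2 address, or runs from a user-writable path. The token and path heuristics and the sample plists are constructed assumptions for the demo, not indicators taken from the campaign.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators from the write-up: persistence under /Library/LaunchDaemons, an
# AppleScript payload delivered base64-encoded, and exfiltration to 185.93.89.62.
C2_IP = "185.93.89.62"
# Heuristic lists are assumptions for this example, not published IoCs.
SUSPECT_TOKENS = ("osascript", "base64", "curl", C2_IP)
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def launchd_findings(plist_path):
    """Return the reasons a launchd plist looks suspicious (empty list = nothing found)."""
    with open(plist_path, "rb") as f:
        try:
            data = plistlib.load(f)
        except plistlib.InvalidFileException:
            return ["unparseable plist"]
    # Program and ProgramArguments together describe what launchd will execute.
    args = [str(a) for a in data.get("ProgramArguments", [])]
    if isinstance(data.get("Program"), str):
        args.insert(0, data["Program"])
    joined = " ".join(args)
    reasons = [f"command references '{t}'" for t in SUSPECT_TOKENS if t in joined]
    reasons += [f"runs from user-writable path {d}" for d in SUSPECT_DIRS if d in joined]
    if reasons and data.get("RunAtLoad"):
        reasons.append("RunAtLoad set: re-executes on every boot")
    return reasons

def audit_launchdaemons(directory="/Library/LaunchDaemons"):
    """Map each flagged .plist name in `directory` to its findings (clean files omitted)."""
    report = {}
    for p in sorted(Path(directory).glob("*.plist")):
        reasons = launchd_findings(p)
        if reasons:
            report[p.name] = reasons
    return report

def c2_connections(netstat_lines):
    """Filter `netstat -an`-style output lines for connections to the reported C2 address."""
    return [ln for ln in netstat_lines if C2_IP in ln]

def demo():
    """Run the audit over constructed sample plists (not real artefacts from the campaign)."""
    benign = {"Label": "com.example.backup", "ProgramArguments": ["/usr/local/bin/backup", "--daily"]}
    suspect = {"Label": "com.example.suspect", "RunAtLoad": True,
               "ProgramArguments": ["/bin/sh", "-c", "echo <payload> | base64 -d | osascript"]}
    tmp = Path(tempfile.mkdtemp())
    for name, d in (("com.example.backup.plist", benign), ("com.example.suspect.plist", suspect)):
        with open(tmp / name, "wb") as f:
            plistlib.dump(d, f)
    return audit_launchdaemons(tmp)

if __name__ == "__main__":
    print(demo())
```

On a real Mac, call `audit_launchdaemons()` with no argument to scan /Library/LaunchDaemons, and feed the output of `netstat -an` to `c2_connections`.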

Final Take

The Odyssey stealer campaign demonstrates how attackers are combining realistic web forgeries with technical persistence to achieve long-term compromise. By replacing trusted apps and leveraging social engineering, they blur the line between what looks safe and what’s truly malicious.

For macOS users — and especially cryptocurrency holders — this attack is a reminder that vigilance is as critical as antivirus. If a website asks you to copy a command into Terminal, treat it as a major red flag.