Hackers Exploit Fake Microsoft Teams Site to Spread Odyssey macOS Stealer
Security researchers have uncovered a large-scale campaign abusing a fraudulent Microsoft Teams download site to distribute the newly identified Odyssey stealer, a macOS malware family with extensive data theft capabilities. Hosted on the domain teamsonsoft[.]com and designed with convincing Microsoft branding, the site deceives victims into copying a base64-encoded command into Terminal, which deploys a multi-stage AppleScript payload. Once installed, Odyssey harvests detailed system information, repeatedly prompts for device passwords through spoofed dialogs, and exfiltrates Chrome keychain entries, saved credentials, and browsing artifacts. Its most notable feature is broad cryptocurrency support, with compatibility for MetaMask, Electrum, Exodus, Coinomi, Ledger Live, and Trezor Suite, which enables theft of both hot and hardware wallet data. Beyond credentials and wallets, the stealer captures browser cookies, form data, Apple Notes, and other local artifacts, compresses them into password-protected archives, and transmits them to attacker-controlled infrastructure. Odyssey also demonstrates strong persistence and evasion techniques, downloading additional payloads from its command-and-control servers, establishing LaunchDaemon entries for auto-start, and stealthily replacing legitimate applications with trojanized versions to hijack ongoing cryptocurrency transactions. Researchers identified 24 IP addresses associated with the same infrastructure cluster, suggesting a highly organized operation with significant reach. The malware further obscures its presence by deleting temporary files and staging directories after exfiltration, complicating forensic recovery. The shift from earlier TradingView-themed lures to impersonating Microsoft Teams underscores the group’s ability to adapt campaigns to widely used, trusted platforms, increasing both their credibility and success rate. 
To mitigate, users should only download collaboration software from verified vendor sources, avoid executing installation commands obtained from untrusted sites, and deploy endpoint detection and response tools capable of flagging suspicious AppleScript execution, credential prompts, and unusual data exfiltration patterns.
Update: macOS Users Targeted by Atomic Stealer Hidden in Cracked Software
Atomic macOS Stealer (AMOS) has emerged as one of the most damaging threats against Apple users, leveraging pirated software and social engineering to compromise devices at scale. Distributed primarily through cracked applications promoted on piracy sites, AMOS lures users into downloading malicious DMG installers or executing base64-encoded Terminal commands disguised as verification steps. While Apple’s Gatekeeper successfully blocks unsigned DMGs on macOS Sequoia, attackers increasingly favor user-pasted Terminal commands to bypass these controls entirely, exploiting user trust to initiate infections. Once installed, AMOS demonstrates extensive data theft capabilities, targeting browser credentials, cookies, saved passwords, Apple Notes databases, personal files, and cryptocurrency wallet keys. The malware further compromises messaging platforms, including Telegram, exfiltrating sensitive conversations and contact lists to attacker-controlled servers. AMOS operators employ advanced evasion techniques, including frequent domain rotation, virtualization checks to evade researcher environments, and heavy reliance on legitimate macOS utilities to blend into normal system activity. Persistence is achieved by creating hidden files in user directories and establishing LaunchDaemon entries, ensuring execution across reboots. Exfiltrated data is compressed into ZIP archives and transmitted via encoded HTTP POST requests with custom headers, allowing individual victims to be tracked. The campaign highlights a dangerous evolution in Mac malware, where social engineering rather than technical exploits drives infection success. Security teams are advised to adopt defense-in-depth strategies that extend beyond default macOS protections, enforce strict application control policies, monitor for suspicious Terminal activity, and deploy endpoint detection solutions capable of correlating abnormal behaviors across the entire attack chain to prevent widespread compromise.
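A defender-side check for the LaunchDaemon persistence and base64/AppleScript payload patterns described in both the Odyssey and AMOS sections above, as an added example that is not code from the original report or from either malware analysis; the two plist samples, the label names and the hidden-directory path are constructed.

```python
"""Flag launchd jobs matching the persistence and payload patterns described above.
Added example, not code from the original report. Assumes XML launchd plists as found
under /Library/LaunchDaemons and ~/Library/LaunchAgents; the samples are constructed."""
import plistlib
import re
from pathlib import Path

# Patterns from the infection chains in the text: AppleScript stages, base64 one-liners, curl-to-shell, hidden staging dirs.
SUSPICIOUS = [
    (re.compile(r"\bosascript\b"), "AppleScript execution via osascript"),
    (re.compile(r"\bbase64\b.*\s(-d|-D|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\bcurl\b.*\|\s*(sh|bash|zsh)\b"), "curl piped to a shell"),
    (re.compile(r"(^|\s)/(tmp|private/tmp|var/folders|Users/[^/]+/\.[^/]+)/"),
     "executable in temp or hidden user directory"),
]

def analyse_plist(data: bytes) -> list[str]:
    """Return findings for one launchd job plist (empty list if nothing matched)."""
    job = plistlib.loads(data)
    args = [job["Program"]] if "Program" in job else []
    args += [str(a) for a in job.get("ProgramArguments", [])]
    findings = [why for rx, why in SUSPICIOUS if rx.search(" ".join(args))]
    # RunAtLoad plus KeepAlive is the "start at boot and respawn if killed" combination.
    if findings and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive persistence")
    return findings

def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Map plist filename -> findings for every job in a launchd directory."""
    report = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            findings = analyse_plist(path.read_bytes())
        except Exception as exc:  # a malformed plist in a launchd dir is itself worth a look
            findings = [f"unparseable plist: {exc}"]
        if findings:
            report[path.name] = findings
    return report

# Constructed samples: a dropped job running a base64-decoded AppleScript stage, and a benign job.
MALICIOUS_SAMPLE = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>echo b3NhY2NyaXB0 | base64 -D | sh; osascript /Users/alice/.cache/stage2.scpt</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
BENIGN_SAMPLE = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--daily</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
```

Run `scan_directory(Path("/Library/LaunchDaemons"))` on a host to triage every job at once; a hit on a signed vendor job is a prompt to verify, not proof of compromise.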
Update: Lazarus APT Expands Espionage Campaigns with ClickFix Social Engineering and Custom Malware
The North Korea–linked Lazarus Group, tracked as APT-Q-1 by Qi’anxin, has escalated its espionage campaigns by incorporating the advanced ClickFix social engineering technique into its operations, enabling highly deceptive infection chains that target both Windows and macOS users. Active since at least 2007, Lazarus has steadily shifted from government intelligence collection to attacking financial institutions, cryptocurrency exchanges, and global enterprises. In its latest campaigns, the group lures victims with fraudulent job recruitment portals that simulate interview processes, where users are told their systems have configuration errors and are prompted to download what appears to be a legitimate Nvidia update. Instead of fixing an issue, this update delivers a package containing batch scripts, malicious VBS reconnaissance tools, Node.js-based stealer modules, and a Windows 11-specific backdoor. This approach leverages user trust by disguising malicious code as technical troubleshooting steps, thereby ensuring higher infection success rates. The Node.js-based stealer, BeaverTail, communicates with C2 servers to exfiltrate sensitive data and then deploys the Python-based RAT InvisibleFerret to achieve persistence, maintain access, and conduct further surveillance. The backdoor enables attackers to run arbitrary commands, upload or download files, and harvest system information, while parallel macOS “arm64-fixer” variants replicate the same workflow to ensure multi-platform coverage. These operations highlight Lazarus’s increasing sophistication, blending obfuscation, registry persistence, cross-platform tooling, and cloud infrastructure abuse to sustain long-term access and evade detection. Security teams are urged to implement layered defenses, enforce strict controls against unverified software downloads, and train employees to recognize social engineering ploys embedded in job recruitment lures.
Proactive measures, including blocking malicious C2 IPs, monitoring for unauthorized Node.js activity, and applying endpoint detection rules for BeaverTail, are critical to mitigating the growing threat posed by Lazarus’s evolving ClickFix campaigns.
iCloud Calendar Exploited to Deliver Phishing Emails Through Apple’s Own Servers
Threat actors are weaponizing Apple’s iCloud Calendar invite feature to deliver callback phishing scams directly from Apple’s own mail servers, giving the malicious emails an unusual level of legitimacy and enabling them to evade common defenses. In reported incidents, attackers embedded fraudulent payment notices inside the Notes field of a calendar event and then invited external recipients, causing the message to be sent directly from Apple. One widely observed lure claimed that the recipient’s PayPal account had been charged $599, urging them to call a “support” number to resolve the issue. Once victims call, scammers attempt to convince them that their account has been hacked and request that they install remote access tools under the guise of assisting. These tools can then be used to siphon bank funds, steal personal data, or deploy additional malware. Because the invitation genuinely originates from Apple’s servers, the abuse of iCloud Calendar not only passes SPF, DKIM, and DMARC checks but also leverages the trust users place in Apple’s domains, dramatically increasing the likelihood of successful delivery. The campaign demonstrates a sophisticated chain of service abuse, where invitations routed through Apple’s servers are subsequently forwarded via Microsoft 365 distribution lists to target groups, with Microsoft’s Sender Rewriting Scheme (SRS) preserving SPF alignment and ensuring the email appears fully authenticated. This layered approach enables otherwise generic callback phishing scams to reach inboxes with reduced filtering risk, making them particularly dangerous to both enterprise and consumer users. Analysts note that while the underlying social engineering is conventional, the use of Apple’s infrastructure provides an added veneer of credibility that could fool even cautious recipients.
To mitigate this, organizations should disable automatic calendar invite additions to user calendars, apply enhanced filtering for invitations containing suspicious or unusual text in event notes, and educate employees to ignore or delete unsolicited calendar invitations. End users are strongly advised never to call phone numbers provided in unexpected invoices or system alerts and to verify any billing claims directly with the service provider.
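One way to implement the enhanced filtering of invitation notes recommended above, as an added example that is not part of the original article: it unfolds an iCalendar invite, reads the Notes field (DESCRIPTION) and scores it for the callback-phishing lure pattern the article describes (charge amount, urgency wording, phone number, call-to-action). The invite text, the label names and the phone number are constructed.

```python
"""Score calendar invitations for the callback-phishing lure pattern described above.
Added example, not from the original article. It unfolds an iCalendar (RFC 5545) body,
reads DESCRIPTION (the event Notes field) and SUMMARY, and counts lure indicators:
a charge amount, urgency wording, a phone number and a call-to-action. The sample
invite below is constructed."""
import re

AMOUNT = re.compile(r"[$€£]\s?\d{1,3}(,\d{3})*(\.\d{2})?")
PHONE = re.compile(r"(\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
CALL = re.compile(r"\b(call|contact|dial)\b.{0,40}\b(support|helpline|team|us)\b", re.I)
URGENCY = re.compile(r"\b(charged|debited|unauthori[sz]ed|immediately|within 24 hours)\b", re.I)

def unfold(ics: str) -> list[str]:
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def property_value(ics: str, name: str) -> str:
    """Unescaped value of the first property NAME; property parameters are ignored."""
    for line in unfold(ics):
        key, _, value = line.partition(":")
        if key.split(";", 1)[0].upper() == name:
            return value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";")
    return ""

def lure_score(ics: str) -> tuple[int, list[str]]:
    """Return (score 0-4, matched indicators); 3 or more is worth holding for review."""
    text = property_value(ics, "SUMMARY") + "\n" + property_value(ics, "DESCRIPTION")
    checks = (("amount", AMOUNT), ("phone", PHONE), ("call-to-action", CALL), ("urgency", URGENCY))
    hits = [name for name, rx in checks if rx.search(text)]
    return len(hits), hits

# Constructed invite modelled on the $599 "PayPal charge" lure in the article.
SAMPLE_INVITE = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Payment receipt
DESCRIPTION;LANGUAGE=en:Your PayPal account has been charged $599.00.\\nIf you
  did not authorise this\\, call our support team at 1-800-555-0199 immediat
 ely to cancel.
END:VEVENT
END:VCALENDAR"""
```

Because the mail itself is authenticated, the score is applied to the text/calendar part of the message rather than to its headers.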