Cybercriminals Exploit Fake Microsoft Teams Website to Distribute Odyssey macOS Stealer
A sophisticated cyber campaign is targeting macOS users by distributing the potent “Odyssey” information stealer through a deceptive website that impersonates the official Microsoft Teams download page. Researchers at CloudSEK’s TRIAD identified the attack, which relies on a social engineering technique known as “ClickFix”. The technique tricks victims into executing malicious code that systematically harvests sensitive data, establishes long-term persistence, and even replaces legitimate cryptocurrency applications with trojanised versions.
The campaign marks a tactical evolution from a similar attack reported by Forcepoint in early August 2025, in which threat actors used a fake TradingView site to deliver the same malware. By shifting their lure to a trusted enterprise application like Microsoft Teams, the attackers are broadening their net to ensnare a wider range of victims.
The attack begins when a user lands on a fraudulent webpage designed to resemble a Microsoft security verification page for Teams. The page instructs the user to resolve a supposed “Unusual Web Traffic” issue by copying a command and pasting it into the macOS Terminal. The page displays a seemingly harmless command, but the “Copy” button actually places a malicious, base64-encoded AppleScript payload on the user’s clipboard. A user who runs the pasted command unwittingly launches the Odyssey stealer.
Once active, the malware works through a multi-stage process to thoroughly compromise the system. It first tries to obtain the user’s device password by presenting a fake dialog box that prompts for it. The password is then used to access and steal the macOS login keychain and the Chrome browser’s keychain. Odyssey then conducts a comprehensive sweep of the infected machine, collecting a vast array of personal and financial information, including data from Apple Notes, Safari, and various cryptocurrency wallets.
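
A triage heuristic for the paste-into-Terminal step described above, as an added example that is not CloudSEK's or the campaign's own code: it flags a command line that decodes base64 inline, pipes into an interpreter, or carries a blob that decodes to AppleScript. The page does not publish the actual command, so the command shape, the marker list, and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: interpreters a pasted one-liner might hand decoded text to.
INTERPRETERS = re.compile(r"\b(osascript|bash|zsh|sh|python3?)\b")
# Assumption: AppleScript markers; "display dialog" covers a fake password prompt.
APPLESCRIPT_MARKERS = ("display dialog", "do shell script", "tell application")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(command):
    """Return text decoded from base64-looking runs inside a command line."""
    decoded = []
    for run in B64_RUN.findall(command):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text: ignore
        decoded.append(text)
    return decoded


def triage(command):
    """Return (verdict, reasons) for one pasted command line."""
    reasons = []
    if re.search(r"base64\s+(-d|-D|--decode)\b", command):
        reasons.append("decodes base64 inline")
    if "|" in command and INTERPRETERS.search(command.rsplit("|", 1)[-1]):
        reasons.append("pipes output into an interpreter")
    for text in decode_blobs(command):
        hits = [m for m in APPLESCRIPT_MARKERS if m in text.lower()]
        if hits:
            reasons.append("decoded blob contains AppleScript: " + ", ".join(hits))
    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "ok"
    return verdict, reasons


# Constructed samples: the blob is a harmless AppleScript line encoded here.
_BLOB = base64.b64encode(b'display dialog "constructed sample"').decode()
SAMPLES = [
    f"echo {_BLOB} | base64 -d | osascript",
    "curl -fsSL https://example.com/install.sh -o install.sh",
    "cat notes.txt | sh",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line), "<-", line[:60])
```

The same function can be run over shell history or EDR process command lines; a "review" verdict means one weak signal and needs context before escalation.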