Odyssey Stealer: Inside a macOS Crypto-Stealing Operation
ID: 36dd3b59-afac-5ee9-83d4-5a2d18dadb99
STIX ID: report--36dd3b59-afac-5ee9-83d4-5a2d18dadb99
Feed Name: Censys Blog
Date Published: 2026-02-11
Date Updated: 2026-04-27
Author: Ivonne Francia; Aidan Holland; Senior Security Researcher
Odyssey Stealer is a macOS-focused information stealer sold as malware-as-a-service (MaaS) and aimed at cryptocurrency users: it harvests browser and desktop wallet data, steals macOS credentials and Keychain items, replaces Ledger/Trezor apps with trojanized loaders, and maintains persistence via a LaunchDaemon with a RAT loop and SOCKS5 proxy. The report provides a full technical analysis of payload stages, C2/API endpoints, infrastructure fingerprinting (Censys body/favicon/asset hashes), affiliate build identifiers, numerous IOCs (IPs, domains, file and executable hashes), lineage to Poseidon/AMOS, attribution hints, and actionable detection/mitigation guidance.
