Threat Actors Impersonate Microsoft Teams To Deliver Odyssey macOS Stealer Via Clickfix
ID: 38f7f72a-e950-502d-96e1-6dd6ff73aecb
STIX ID: report--38f7f72a-e950-502d-96e1-6dd6ff73aecb
Feed Name: CloudSEK Blog
CloudSEK (triaged with Forcepoint context) analyzed a ClickFix campaign delivering the Odyssey AppleScript stealer to macOS users via impersonated download pages (TradingView and Microsoft Teams). The stealer runs under osascript, harvests keychains, browser data, Apple Notes, and numerous desktop and browser-extension crypto wallets, bundles the data into /tmp/out.zip, and exfiltrates it to C2 infrastructure at 185.93.89.62 and 185.93.89.162. It establishes persistence via /Library/LaunchDaemons and replaces Ledger Live with a trojanized app. The report provides IOCs, mitigations, and a YARA rule.
