macOS users are being hit by a dangerous new variant of the Odyssey Stealer malware, and security researchers say the campaign is spreading rapidly. Telemetry from the last few days showed samples aimed mainly at users in France, Spain, and the United States.

The danger escalated quickly. A day later the campaign had expanded to the United Kingdom, Germany, Italy, Canada, Brazil, India, and several countries in Africa and Asia. Two screenshots from threat-monitoring tools tell the story. The first map, captured a few days ago, showed hits only in the US, France, and Spain.

The second, captured a day later, shows a large jump in bright red clusters that now cover parts of Africa, Asia, North America, and South America.

This rapid expansion points to a coordinated effort to steal private information from Apple devices. Odyssey Stealer is not new: first identified in late 2024, it harvests system information, cryptocurrency wallet data, and browser credentials from compromised machines.

The latest macOS version builds on that with changes aimed at better evasion. Samples are generated automatically, so each build has a distinct hash but the same file size and core functionality; the attackers are probably using builders that rotate strings, packers, and obfuscation on the fly. Signature-based antivirus struggles with this because every build looks like a previously unseen file, which is why hunting should key on file size, structure, and behaviour rather than on hashes alone.

The malware spreads through fake apps, cracked software downloads, and phishing lures posing as updates for well-known tools such as productivity apps or torrent clients. Once installed it runs quietly in the background, hunts for saved logins in Safari, Chrome, and Firefox, and exfiltrates the data over HTTPS to command-and-control (C2) servers.

Recent samples call home to domains such as odyssey[.]c2net[.]top and to variants hosted with bulletproof hosting providers.

[Figure: Odyssey Stealer targeting macOS (Source: Moonlock Lab)]

Why macOS now?

The number of Apple users has grown sharply, particularly among professionals working in finance and cryptocurrency.

macOS defences such as Gatekeeper and XProtect slow some threats, but Odyssey gets around them with social engineering: users are talked into clicking "Open Anyway" to dismiss the warning on unsigned apps. This campaign relies on volume and persuasion rather than zero-days.

Key Indicators and Rapid Spread

Moonlock Lab calls the geographic shift concerning. Early hits matched the initial phishing kits and stayed within English-, French-, and Spanish-speaking regions. As the UK, Germany, Italy, and other countries light up, attackers are now using localized lures, such as fake banking apps for Brazil or job sites for India.

The expansion into Africa and Asia suggests that underground markets are selling access. The IOCs confirm the campaign's scope: each sample is 2.4 MB and is signed with stolen Apple developer certificates. (A stolen certificate alone does not get an app past Gatekeeper on current macOS if the app is not notarized or the certificate has been revoked, which is why the "Open Anyway" lure still matters.)

Recent indicators, as published with the report (verify them against the vendor's current IOC list before blocking):

Type        Value                                                              First observed
SHA-256     a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890   (not stated)
SHA-1       1234567890abcdef1234567890abcdef12345678                           Feb 5, 2026
MD5         1a2b3c4d5e6f7890abcdef1234567890                                   Feb 4, 2026
C2 domain   odyssey[.]c2net[.]top                                              Ongoing

Defend by keeping macOS up to date, turning on Lockdown Mode, and scanning with the built-in XProtect or a third-party scanner such as Malwarebytes. Stay in the App Store and do not sideload apps.
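Because the builds rotate hashes but keep the 2.4 MB size, a hunt based only on the table above will miss fresh samples. The script below is an added example (not code from Moonlock Lab or the original report) that checks files against the published hashes, flags Mach-O binaries clustered around the reported size, and scans log lines for the refanged C2 domain. The hashes, domain, and size come from the article; the 5 % size tolerance, the Mach-O magic check, the 64 MiB read cap, and the sample log lines are this example's own assumptions.

```python
"""Hunt for Odyssey Stealer IOCs on a macOS host: hash matches, size/format
clustering for polymorphic builds, and C2 domain hits in log lines."""
import hashlib
import os
import re
import sys

# IOCs copied from the article's table (verify against the vendor's list before blocking).
IOC_HASHES = {
    "a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890",  # SHA-256
    "1234567890abcdef1234567890abcdef12345678",                          # SHA-1
    "1a2b3c4d5e6f7890abcdef1234567890",                                  # MD5
}
C2_DOMAINS_DEFANGED = ["odyssey[.]c2net[. ]top"]

# Assumption: "2.4 MB" read as 2,400,000 bytes with a 5 % tolerance, since the
# article gives no exact byte count; polymorphic builds keep the size stable.
TARGET_SIZE = 2_400_000
SIZE_TOLERANCE = 0.05
MAX_READ = 64 * 1024 * 1024  # assumption: skip files above 64 MiB to bound memory

# Mach-O magic numbers as they appear on disk: MH_MAGIC_64 (little-endian)
# and FAT_MAGIC for universal binaries (big-endian).
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

# Constructed sample inputs (not real telemetry) so the checks can run offline.
SAMPLE_LOG = [
    "2026-02-05T10:14:02Z dns query A odyssey.c2net.top from 10.0.0.12",
    "2026-02-05T10:14:03Z dns query A api.odyssey.c2net.top from 10.0.0.12",
    "2026-02-05T10:15:00Z dns query A updates.apple.com from 10.0.0.12",
]
# Right magic and right size, but no hash hit: the case a hash-only hunt misses.
FAKE_MACHO = b"\xcf\xfa\xed\xfe" + b"\0" * (TARGET_SIZE - 4)


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'odyssey[.]c2net[. ]top' into a real name."""
    return re.sub(r"\[\s*\.\s*\]", ".", ioc).strip().lower()


def hash_bytes(data: bytes) -> dict:
    """All three digests the report lists, so any one of them can match."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_macho(data: bytes) -> bool:
    return data[:4] in MACHO_MAGICS


def near_target_size(size: int) -> bool:
    return abs(size - TARGET_SIZE) <= TARGET_SIZE * SIZE_TOLERANCE


def assess(data: bytes, ioc_hashes=IOC_HASHES) -> list:
    """Reasons a blob is suspicious: 'hash-match' is high confidence,
    'macho-size-cluster' is a low-confidence lead worth triage because hashes rotate."""
    reasons = []
    if set(hash_bytes(data).values()) & {h.lower() for h in ioc_hashes}:
        reasons.append("hash-match")
    if is_macho(data) and near_target_size(len(data)):
        reasons.append("macho-size-cluster")
    return reasons


def find_c2_hits(log_lines, defanged=C2_DOMAINS_DEFANGED) -> list:
    """Log lines that mention a refanged C2 domain or any subdomain of it."""
    domains = [refang(d) for d in defanged]
    patterns = [
        re.compile(r"(?:^|[^a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(d) + r"(?![a-z0-9.-])")
        for d in domains
    ]
    return [line for line in log_lines if any(p.search(line.lower()) for p in patterns)]


def scan_directory(root: str, ioc_hashes=IOC_HASHES) -> dict:
    """Walk a tree (e.g. /Applications) and return {path: reasons} for flagged files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_READ:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            reasons = assess(data, ioc_hashes)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for path, reasons in scan_directory(root).items():
        print(path, ",".join(reasons))
    for line in find_c2_hits(SAMPLE_LOG):
        print("C2 hit:", line)
```

Run it as `python3 hunt.py /Applications` (or point it at a user's Downloads folder). A size-cluster hit on its own is only a lead: confirm it with `codesign -dv --verbose=4` on the binary and a look at its network behaviour before treating it as a detection.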

Businesses: protect macOS fleets by deploying an EDR solution.