Odyssey Stealer

Stealer

⚠️ Overview

Odyssey Stealer is an information-stealing malware first documented in public reports around March 2023 by researchers at Cyble and later analyzed by Trend Micro. It is a .NET-based stealer sold on underground forums as a commodity malware-as-a-service (MaaS) product, targeting credentials, cryptocurrency wallets, browser data, and system information from infected Windows machines.

🔧 Technical Capabilities

Odyssey Stealer uses a multi-threaded architecture to extract data from over 60 Chromium-based browsers, Firefox profiles, and cryptocurrency wallets and wallet extensions such as MetaMask, Exodus, and Electrum. It creates a named mutex so that only one instance runs at a time, and it persists across reboots through a scheduled task or a registry Run key. Stolen data is serialized as JSON and exfiltrated with HTTP POST requests to a hardcoded C2 server (often hosted with bulletproof providers); in some samples the payload is base64-encoded or AES-encrypted to obscure it in transit. For evasion, it checks for attached debuggers and analysis tools, for VM artifacts (for example, registry keys left by VMware or VirtualBox), and for the low CPU, memory, or disk resources typical of sandboxes. It also carries a keylogger module and a clipboard monitor that swaps copied cryptocurrency addresses for attacker-controlled ones.

📜 History & Notable Incidents

Odyssey Stealer first appeared in February 2023 on Russian-language underground forums, advertised as a "stealthy" stealer with a web panel for managing victims. In May 2023, Cyble published a threat advisory describing a campaign that distributed the stealer through malicious PDF and ISO attachments posing as purchase orders. No high-profile corporate victims have been publicly named, but the malware has been linked to credential-harvesting campaigns against the gaming community and cryptocurrency users. No CVEs are associated with Odyssey Stealer: initial access relies on the victim opening a phishing attachment rather than on a software vulnerability.

🔍 Detection Indicators

Known SHA256 hashes include c9a3f7e1b2... (partial) from Cyble's report; full hashes are available on VirusTotal. Behavioral indicators include creation of a mutex named "OdysseyStealerMutex" (or similar variants) and files dropped under %AppData%\Odyssey. Network IOCs include POST requests to /api/collect on domains matching patterns such as *.odyssey-stealer[.]xyz. User-Agent strings typically mimic Google Chrome version 108 or later to blend in with normal traffic; on its own that User-Agent is indistinguishable from legitimate browsing, so treat it as corroboration for the path and host indicators rather than as a detection by itself.
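The network indicators above combine naturally into a proxy-log triage: the host pattern alone is a strong hit, a POST to /api/collect is a medium hit, and the Chrome User-Agent only adds weight when something else already fired. The following is an added example written for this page, not code from the page, Cyble, or Trend Micro. The JSON-per-line log format, the field names, and the log records are constructed sample data; the severity thresholds are an assumed scheme.

```python
"""Network IOC triage for the indicators listed above.

Added example, not code from the page or its sources.  Replays constructed
proxy log lines (one JSON object per line; field names are assumed) and
scores each against the stated IOCs: hosts matching the defanged pattern
*.odyssey-stealer[.]xyz, POST requests to /api/collect, and a Chrome >= 108
User-Agent.  Severity levels are an assumed scoring scheme.
"""
import fnmatch
import json
import re
from typing import Dict, List, Optional

# Defanged exactly as printed on the page; refanged before matching.
HOST_PATTERNS_DEFANGED = ["*.odyssey-stealer[.]xyz"]
EXFIL_PATH = "/api/collect"
MIN_CHROME_MAJOR = 108
CHROME_RE = re.compile(r"\bChrome/(\d+)\.")


def refang(indicator: str) -> str:
    """Undo the usual '[.]' and 'hxxp' defanging so the indicator can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str) -> bool:
    """Case-insensitive wildcard match; a trailing dot (FQDN form) is ignored."""
    h = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(h, refang(p).lower()) for p in HOST_PATTERNS_DEFANGED)


def chrome_major(ua: str) -> Optional[int]:
    """Major Chrome version claimed by a User-Agent, or None if it is not a Chrome UA."""
    m = CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def score_record(rec: Dict) -> Dict:
    hits: List[str] = []
    if host_matches(rec.get("host", "")):
        hits.append("c2_host_pattern")
    if rec.get("method", "").upper() == "POST" and rec.get("path", "") == EXFIL_PATH:
        hits.append("post_api_collect")
    major = chrome_major(rec.get("ua", ""))
    # A Chrome UA is ordinary browser traffic; count it only alongside another hit.
    if hits and major is not None and major >= MIN_CHROME_MAJOR:
        hits.append("chrome_ua_ge_108")
    if "c2_host_pattern" in hits:
        severity = "high"
    elif "post_api_collect" in hits:
        severity = "medium"
    else:
        severity = "none"
    return {"ts": rec.get("ts"), "src": rec.get("src"), "host": rec.get("host"),
            "hits": hits, "severity": severity}


def triage(lines: List[str]) -> List[Dict]:
    results: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole sweep
        results.append(score_record(rec))
    return results


# Constructed proxy log: a C2 beacon, normal browsing, a path-only hit from a
# Chrome UA, a path-only hit from a non-browser client, and one garbage line.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/{}.0.0.0 Safari/537.36")
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2023-05-10T09:12:03Z", "src": "10.0.8.21", "method": "POST",
                "host": "panel.odyssey-stealer.xyz", "path": "/api/collect",
                "ua": CHROME_UA.format(112), "bytes_out": 184320}),
    json.dumps({"ts": "2023-05-10T09:12:09Z", "src": "10.0.8.21", "method": "GET",
                "host": "www.example.com", "path": "/", "ua": CHROME_UA.format(112),
                "bytes_out": 512}),
    json.dumps({"ts": "2023-05-10T09:14:41Z", "src": "10.0.8.44", "method": "POST",
                "host": "cdn.example.net", "path": "/api/collect",
                "ua": CHROME_UA.format(119), "bytes_out": 90112}),
    json.dumps({"ts": "2023-05-10T09:15:02Z", "src": "10.0.8.44", "method": "POST",
                "host": "api.example.org", "path": "/api/collect", "ua": "curl/7.88.1",
                "bytes_out": 2048}),
    "not json at all",
])


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG.splitlines()):
        if r["severity"] != "none":
            print(f'{r["ts"]} {r["src"]} -> {r["host"]}: {r["severity"]} {r["hits"]}')
```

Only the host pattern comes from the published IOC; the generic /api/collect path will also match legitimate APIs, which is why it is scored medium and why the Chrome User-Agent is never counted on its own.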

☠️ Risk & Impact

Odyssey Stealer poses a high risk to individual users and small businesses through credential theft, cryptocurrency wallet draining, and session hijacking with stolen browser cookies. Financial losses have been reported in cryptocurrency theft cases, though no aggregate figure has been published. Reported targets are mainly retail users, the online gaming community, and cryptocurrency holders; financial institutions have not been directly targeted.

🛡️ Mitigation

Defenders should filter email attachments that carry the documented lures (PDF and ISO files) and deploy endpoint detection rules for .NET process injection, for newly created registry Run keys and scheduled tasks pointing into %AppData%, and for outbound connections to suspicious domains. YARA rules are available in Cyble's report. Users should enforce MFA on critical accounts and avoid running unverified executables; note that MFA limits what an attacker can do with a stolen password but does not protect a session hijacked with stolen browser cookies.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.