Someone Is Stealing From the Stealers: A Backdoored Odyssey macOS Panel Leaks Operator Credentials to http://scan-tron.link.
A recent investigation revealed a sophisticated cyber threat involving the Odyssey macOS stealer panels, particularly highlighting a backdoored version that exfiltrates operator credentials without their knowledge. Security researchers tracked two panels operating on the same Kazakhstan subnet, discovering that one, specifically at the IP address 86.54.25.202, contains a 960-byte credential harvester embedded within its JavaScript bundle. This malicious addition intercepts the operator's login details each time they authenticate, sending the stolen credentials to a receiver at http://scan-tron.link. Meanwhile, the other panel at 86.54.25.204 is uninfected, running a slightly newer software version