PULSE NAME
Someone Is Stealing From the Stealers: A Backdoored Odyssey macOS Panel Leaks Operator Credentials to http://scan-tron.link.
WHITE PetrP.73 2026-04-26 Modified: 2026-05-26
13 IOCs
MEDIUM VOLUME
A recent investigation into Odyssey macOS stealer panels found a backdoored version that exfiltrates operator credentials without the operators' knowledge. Security researchers tracked two panels operating on the same Kazakhstan subnet. One of them, at the IP address 86.54.25.202, contains a 960-byte credential harvester embedded within its JavaScript bundle. This malicious addition intercepts the operator's login details each time they authenticate and sends the stolen credentials to a receiver at http://scan-tron.link. The other panel, at 86.54.25.204, is uninfected, running a slightly newer software version
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Atomic macOS Odyssey WaterHydra
Indicators of Compromise (2 / 13 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA256 6c0c64c2da550ecab6eb9b855afe2833fde8f928a37168b7e4527665a9a7ae47 2026-04-26
FileHash-SHA256 95c17869073bff8a045083315c97583cb0d4f4c19165e657ed584ef7e16868a1 2026-04-26