Odyssey Stealer Scanner
Python
// Overview
Static analysis tool that detects Odyssey Stealer and related macOS info-stealers inside DMG files. It reproduces the MLCG-driven XOR layer to decrypt the payload and pulls out C2 addresses and other IOCs without ever running the sample. Built for a file-sharing platform's abuse team, its output has been used to take down whole active stealer campaigns.
// Built with
Python, malware analysis, macOS
// The problem
Odyssey and related macOS info-stealers ship inside DMG files with obfuscated payloads. Triaging them used to mean detonating the sample to pull out indicators, which is slow and risky.
// Approach
- Statically parse the DMG and locate the stealer payload without executing anything.
- Reproduce the MLCG keystream to undo the XOR layer, then extract C2 addresses and other IOCs from the decrypted configuration.
- Built for a file-sharing abuse team to triage whole campaigns at scale.
// Engineering challenges
- Rebuilding the MLCG (multiplicative linear congruential generator) keystream to reverse the XOR obfuscation.
- Handling DMG structure variants as the campaign changed between iterations.
- Staying fully static so a sample never runs during analysis.
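As an added illustration of the keystream reversal described in the approach and challenges lists above (example code written for this page, not the scanner's own code, and not the constants of any real Odyssey sample): a multiplicative LCG is run forward from a seed, the low byte of each state is XORed with the payload, and the decrypted bytes are swept for C2 indicators. Everything specific here is an assumption: the Park-Miller generator constants, the low-byte keystream derivation, a seed small enough to search with a known-plaintext prefix, the regexes, and the constructed config (203.0.113.0/24 is the RFC 5737 documentation range, so no real IOC appears). In a real sample the constants and seed are lifted from the binary, and the search step is only needed when the seed is not stored alongside the payload.

```python
"""Statically reverse an MLCG-keyed XOR layer and extract IOCs from the result."""
import re

# Assumed generator constants (Park-Miller "minimal standard" MLCG).
# A real sample's multiplier and modulus must be recovered from its code.
MLCG_A = 16807
MLCG_M = (1 << 31) - 1


def mlcg_keystream(seed, length):
    """Keystream from x_{k+1} = (a * x_k) mod m, taking the low byte of each state.

    A multiplicative LCG has no additive term, so state 0 is absorbing and a
    seed that is 0 mod m would give an all-zero keystream: reject it.
    """
    x = seed % MLCG_M
    if x == 0:
        raise ValueError("seed must be non-zero modulo m")
    out = bytearray()
    for _ in range(length):
        x = (MLCG_A * x) % MLCG_M
        out.append(x & 0xFF)  # assumption: key byte = low 8 bits of the state
    return bytes(out)


def xor_layer(data, seed):
    """XOR is its own inverse: one function applies and removes the layer."""
    return bytes(b ^ k for b, k in zip(data, mlcg_keystream(seed, len(data))))


def recover_seed(ciphertext, known_prefix, seeds):
    """Known-plaintext search for the seed whose keystream maps the ciphertext
    prefix back onto known_prefix. Feasible only for a small seed space; the
    inner loop bails out at the first mismatching byte so most candidates cost
    one multiplication."""
    target = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for s in seeds:
        x = s % MLCG_M
        if x == 0:
            continue
        for t in target:
            x = (MLCG_A * x) % MLCG_M
            if (x & 0xFF) != t:
                break
        else:
            return s
    return None


# Indicator patterns run over the decrypted bytes (assumed shapes, not a
# complete IOC grammar).
IOC_PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\"'<>]*)?"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def extract_iocs(blob):
    """Return {pattern name: sorted unique matches} found in blob."""
    return {
        name: sorted({m.decode("ascii", "replace") for m in pat.findall(blob)})
        for name, pat in IOC_PATTERNS.items()
    }


# Constructed sample: a JSON-style config encrypted under a 16-bit seed.
# Not taken from any real sample; the IP is in the RFC 5737 documentation range.
SAMPLE_CONFIG = b'{"c2":"http://203.0.113.45:8080/api/upload","build":"1.2"}'
SAMPLE_SEED = 0xBEEF
SAMPLE_BLOB = xor_layer(SAMPLE_CONFIG, SAMPLE_SEED)


def analyze(blob, known_prefix=b'{"c2":"', seeds=range(1, 1 << 16)):
    """Recover the seed from a known plaintext prefix, strip the XOR layer,
    and pull indicators, all without executing anything."""
    seed = recover_seed(blob, known_prefix, seeds)
    if seed is None:
        return {"seed": None, "plaintext": None, "iocs": {}}
    plain = xor_layer(blob, seed)
    return {"seed": seed, "plaintext": plain, "iocs": extract_iocs(plain)}


if __name__ == "__main__":
    result = analyze(SAMPLE_BLOB)
    print("seed: 0x%04x" % result["seed"])
    print("config:", result["plaintext"].decode())
    print("iocs:", result["iocs"])
```

The known-plaintext step works because the config format gives a predictable prefix; when the seed sits next to the payload in the binary, call `xor_layer` with it directly and skip the search.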