HH.security #22
Details
Hey folks,
shortly after the Easter season, we’d like to meet again.
We’re going to have two interesting talks*:
"The AI Ad Apocalypse: Dissecting macOS Crypto Drainers" – Georg Ph. E. Heise
In 2025, a wave of YouTube "AI-trading" scams became the primary vector for draining macOS crypto wallets. This session delivers an autopsy of the Odyssey Stealer campaign and unveils new 2026 research into its evolving, professionalized Malware-as-a-Service (MaaS) architecture.
• The Lure: How YouTube/GitHub chains leveraged AI branding to bypass scrutiny.
• Odyssey’s Lineage: A technical comparison to Poseidon and AMOS counterparts.
• The "Rodrigo4" Factor: OSINT on the forum feuds driving the malware's evolution.
2026 Technical Findings
• Stealth & Persistence: Bypassing macOS hardening via LaunchDaemons, Go-based SOCKS5 proxies, and "ClickFix" tactics.
• C2 Infrastructure: Forensic breakdown of live 2026 C2 fingerprints and rebranded admin panels.
• Cross-Platform Parity: Shared evasion techniques between macOS and Windows counterparts.
Hunting & Defense Playbook
• Hard IoCs: Hidden file paths, .plist identifiers, and exfiltration endpoints.
• Behavioral Detection: Monitoring osascript anomalies and unauthorized Keychain access.
• MaaS Economics: Analyzing the market drivers behind these viral malware rebrands.
Dismantle the mechanics of the modern macOS stealer and harden your endpoints against the next wave of AI-driven fraud.
"Psychology in Cybersecurity" – André Harms
How psychological factors influence the behaviour of users, security professionals, and decision-makers. What can we learn from other disciplines and professions?
*If you’d like to present something at future events that you think could be valuable for others, let us know.
