Malware operators continue to escalate their tactics by abusing code signing certificates to slip past macOS security checks. The certificates in this case are Apple Developer ID certificates, the macOS counterpart of the Extended Validation (EV) code signing certificates long abused in Windows malware campaigns.
A new campaign linked to the Odyssey Stealer malware family has been identified, leveraging Apple Developer ID certificates obtained under fabricated identities, allowing the actors to distribute fully undetected (FUD) DMGs that pass security scans.
New Fraudulent Developer ID Emerges
Researchers have uncovered a malicious DMG file (SHA256: a031ba8111ded0c11acfedea9ab83b4be8274584da71bcc88ff72e2d51957dd7) signed with a suspicious Developer ID certificate under the name “THOMAS BOULAY DUVAL” (Team ID: J97GLQ5KW9).
This identity appears fabricated and follows a pattern observed earlier, when another malicious app was signed under a different invented name, “Alina Balaban (3GUHMVK4XV).”
Attackers deliberately embed parts of the certificate holder’s name into their apps’ bundle identifiers, creating a misleading sense of legitimacy: the signer name and the identifier appear to belong together. Examples include “balaban.sudoku” and “thomas.parfums”.
Once the application inside the trojanized DMG is launched, it retrieves a malicious AppleScript payload from remote infrastructure. The script, hosted on franceparfumes[.]org/parfume and linked to IP 185.93.89.62, initiates execution of the Odyssey Stealer components.
The stealer is designed to exfiltrate sensitive data, including browser-stored credentials, session cookies, and cryptocurrency wallet information.
Abuse of EV Certificates on macOS
While the abuse of EV code signing has been seen predominantly in Windows malware campaigns, this discovery reinforces that Apple’s Developer ID ecosystem is also a target.
Obtaining a Developer ID certificate requires a paid Apple Developer Program membership and identity verification, just as an EV certificate requires a CA’s vetting, which makes these certificates (and the verified accounts behind them) scarce and valuable assets in the cybercriminal underground.
Once obtained, however, these certificates let attackers distribute malware that looks like a legitimate third-party macOS application. Rather than bypassing Gatekeeper, the signed app satisfies its checks (on current macOS versions Gatekeeper also expects the app to be notarized) and so gains the user’s trust at first launch.
A valid signature also hinders traditional antivirus and gateway detection, as many engines weight signed code as trustworthy and initially mark such DMGs as safe.
In this case, the sample was reported as fully undetected across VirusTotal scans at the time of discovery, highlighting how effective a valid Developer ID signature is at evading standard defenses.
Apple’s certificate revocation process plays a key role in mitigating such abuse. Once a certificate is confirmed to be malicious, Apple can revoke it, after which Gatekeeper refuses to launch copies signed with it. Revocation does not, however, terminate instances that are already running or remove payloads the stealer has already dropped, so affected hosts still need triage.
The delay between discovery and revocation therefore provides a valuable operational window in which attackers can conduct infections.
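The two checks a macOS responder would run against a suspicious DMG or app bundle are: read the signer’s Team ID out of the code signature and compare it against the Team IDs named in this report, and ask Gatekeeper for its own verdict, which reflects notarization and any revocation Apple has pushed. The script below is an added example, not code from the original report or from the researchers who found the sample. The blocklist and the identifier/signer names come from the article; the sample `codesign` output is constructed to mirror the real tool’s format, and the name-in-identifier check is a triage heuristic based on the mimicry pattern described above (legitimate indie developers also name bundles after themselves, so treat a hit as a hint, not a verdict).

```sh
#!/bin/sh
# Added example: triage a macOS bundle's Developer ID signature.
# Team IDs below are the ones named in the report; everything else is illustrative.
BAD_TEAM_IDS="J97GLQ5KW9 3GUHMVK4XV"

# Constructed sample of `codesign -dvvv` output for a bundle signed with the
# abused identity (Identifier and Authority values come from the report; the
# Executable path and Format line are made up to match codesign's layout).
SAMPLE_CODESIGN_OUTPUT='Executable=/Volumes/Parfums/Parfums.app/Contents/MacOS/Parfums
Identifier=thomas.parfums
Format=app bundle with Mach-O thin (arm64)
Authority=Developer ID Application: THOMAS BOULAY DUVAL (J97GLQ5KW9)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=J97GLQ5KW9'

# Constructed benign sample: unrelated signer, bundle id does not echo the name.
SAMPLE_BENIGN_OUTPUT='Identifier=com.acme.notes
Authority=Developer ID Application: Widget Works LLC (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# extract_team_id: read codesign -dvvv output on stdin, print the TeamIdentifier.
extract_team_id() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# team_id_is_blocked TEAMID: succeed if TEAMID is one of the known-abused IDs.
team_id_is_blocked() {
  for id in $BAD_TEAM_IDS; do
    [ "$1" = "$id" ] && return 0
  done
  return 1
}

# signer_name_in_identifier OUTPUT: heuristic for the mimicry pattern in the
# report. Prints the first signer-name token (4+ chars) that also appears in
# the bundle identifier; fails if there is none.
signer_name_in_identifier() {
  ident=$(printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | head -n 1 | tr 'A-Z' 'a-z')
  name=$(printf '%s\n' "$1" \
    | sed -n 's/^Authority=Developer ID Application: \(.*\) ([A-Z0-9]*)$/\1/p' \
    | head -n 1 | tr 'A-Z' 'a-z')
  for tok in $name; do
    [ ${#tok} -ge 4 ] || continue
    case "$ident" in
      *"$tok"*) echo "$tok"; return 0 ;;
    esac
  done
  return 1
}

# assess_bundle PATH: live check, macOS only. Returns 1 if the Team ID is on the
# blocklist, 2 if codesign is unavailable, otherwise Gatekeeper's own exit status.
assess_bundle() {
  bundle="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not found; run this on macOS" >&2
    return 2
  fi
  # codesign writes the signing details to stderr; --verify confirms integrity.
  codesign --verify --deep --strict "$bundle" 2>/dev/null || echo "WARN: signature does not verify"
  details=$(codesign -dvvv "$bundle" 2>&1)
  team=$(printf '%s\n' "$details" | extract_team_id)
  if team_id_is_blocked "$team"; then
    echo "FLAG: $bundle is signed by known-abused Team ID $team"
    return 1
  fi
  if hit=$(signer_name_in_identifier "$details"); then
    echo "HINT: signer name token '$hit' reused in bundle identifier"
  fi
  # Gatekeeper verdict: rejected if unsigned, not notarized, or the cert is revoked.
  spctl --assess --type execute --verbose=4 "$bundle"
}

if [ $# -gt 0 ]; then
  assess_bundle "$1"
fi
```

Run it as `sh check_bundle.sh /Volumes/Parfums/Parfums.app` after mounting the DMG; the script does not launch anything. A blocklist hit is decisive; a name-in-identifier hint and a `spctl` rejection are what you escalate on when the Team ID is new.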
With this campaign, the operators behind Odyssey Stealer are clearly investing significant resources into strengthening their distribution mechanisms.
By paying for certificates, or the verified developer accounts that issue them, and combining them with social engineering such as branding apps with misleading identities, the threat actors aim to extend the lifespan of their payload delivery before takedowns.
Indicators of Compromise
- Malicious DMG: a031ba8111ded0c11acfedea9ab83b4be8274584da71bcc88ff72e2d51957dd7
- C2 Domain: franceparfumes[.]org/parfume
- C2 IP Address: 185.93.89.62
As researchers track these fraudulent certificates, revocations are expected to disrupt the ongoing campaign. However, the continued abuse of EV signing demonstrates cybercriminals’ determination to undermine trust-based security mechanisms across both Windows and macOS ecosystems.