Poseidon Stealer (Infostealer) – Malware

December 13, 2024

Poseidon Stealer

Type of Malware: Infostealer
Additional Names: Rodrigo Stealer
Date of Initial Activity: 2024
Country of Origin: Germany
Targeted Countries: Switzerland
Associated Groups: Rodrigo4
Motivation: Data Theft
Attack Vectors: Phishing
Type of Information Stolen: Personally Identifiable Information (PII), System Information, Communication Data, Login Credentials
Targeted Systems: macOS

Overview

In late June 2024, a new strain of malware known as Poseidon Stealer emerged, targeting macOS systems in German-speaking Switzerland through a deceptive phishing campaign. The malware was distributed via emails that appeared to come from AGOV, the official Swiss government login portal. By masquerading as legitimate communications from a trusted source, the operators behind Poseidon Stealer exploited the trust users place in government entities to get the malware installed and executed. Poseidon Stealer has one specific objective: to locate and exfiltrate sensitive data from infected macOS devices. Its operation begins once the user unknowingly installs the malicious software, which the phishing emails present as a legitimate application. Once installed, Poseidon Stealer searches the victim's computer for valuable information such as login credentials, private keys, cookies, and cryptocurrency wallet details. The collected data is compressed into a ZIP file and sent to a central command and control (C2) server operated by the attackers, completing the theft.

Targets

Public Administration, Individuals, Information

How they operate

Initial Infection and Delivery

The initial vector for Poseidon Stealer involves a well-crafted phishing email purporting to be from AGOV, the Swiss government login platform. The email lures victims into downloading a seemingly legitimate macOS application. This application, however, is a disguised version of Poseidon Stealer. Upon execution, the malware installs itself on the victim's device, often without triggering any immediate alarms. The initial infection leverages social engineering to bypass typical user scrutiny, taking advantage of the perceived trustworthiness of the AGOV branding.

Data Extraction Process

Once installed, Poseidon Stealer begins its data exfiltration process by probing the system for a wide range of sensitive information. The malware targets various data types, including login credentials, private keys, cookies, and cryptocurrency wallets. It employs scanning techniques to identify and collect this information from browser caches, keychains, and local storage. The data collection process is meticulous, ensuring that no critical information is overlooked. After gathering the required data, Poseidon Stealer compresses the stolen information into a ZIP archive. This step not only consolidates the data into a manageable format but also helps evade detection by minimizing the footprint of the exfiltrated information. The ZIP file is then transmitted to a central command and control (C2) server controlled by the attackers. This transmission is often encrypted to prevent interception and analysis by security systems.

Persistence and Evasion Techniques

One of the notable features of Poseidon Stealer is its persistence mechanism. After successfully exfiltrating the data, the malware remains installed on the victim's device but suspends its execution upon reboot. This approach helps Poseidon Stealer avoid detection by traditional antivirus solutions and system monitoring tools that might identify active malware processes. Despite its inactivity post-reboot, the malware remains on the system, allowing attackers to reactivate it or leverage it for future attacks if necessary. Poseidon Stealer's technical design illustrates a deliberate effort to balance effective data theft with stealth and persistence. Its operation involves a careful blend of social engineering, targeted data extraction, and stealth measures. The malware's ability to remain undetected while harvesting valuable information underscores the evolving sophistication of cyber threats and highlights the need for advanced security measures and user awareness in combating them.
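As an added defender-side illustration (this code is not from the original write-up or the referenced analysis), the script below flags the collect, compress, exfiltrate chain described above in endpoint telemetry: a single process reading keychain, browser-cookie or wallet files, then writing a ZIP, then connecting out, all within a short window. The event format, process names, paths and addresses are assumptions constructed for the example, not observed indicators.

```python
import re
from collections import defaultdict

# Sensitive macOS locations an infostealer of this kind reads. The patterns are
# illustrative and chosen from the data types the write-up lists (keychain,
# browser cookies and logins, cryptocurrency wallets); they are not IoCs.
SENSITIVE = [
    re.compile(r"/Library/Keychains/"),
    re.compile(r"/(Chrome|Chromium|BraveSoftware)/.*/Cookies$"),
    re.compile(r"/Firefox/Profiles/.*/(cookies|logins|key4)\.(sqlite|json|db)$"),
    re.compile(r"/(Exodus|Electrum|Ledger Live|Coinomi)/"),
]
ARCHIVE = re.compile(r"\.zip$")

def triage(events, window=600):
    """Return (pid, name) for processes that, within `window` seconds, read sensitive
    data, then wrote a ZIP, then opened an outbound connection, in that order."""
    by_pid = defaultdict(lambda: {"read": None, "zip": None, "net": None, "name": "?"})
    for ev in events:
        rec = by_pid[ev["pid"]]
        rec["name"] = ev.get("proc", rec["name"])
        if ev["type"] == "file_read" and any(p.search(ev["path"]) for p in SENSITIVE):
            if rec["read"] is None:          # keep the first sensitive read
                rec["read"] = ev["ts"]
        elif ev["type"] == "file_write" and ARCHIVE.search(ev["path"]):
            rec["zip"] = ev["ts"]
        elif ev["type"] == "net_connect":
            rec["net"] = ev["ts"]
    hits = []
    for pid, r in by_pid.items():
        if (r["read"] is not None and r["zip"] is not None and r["net"] is not None
                and r["read"] <= r["zip"] <= r["net"] and r["net"] - r["read"] <= window):
            hits.append((pid, r["name"]))
    return hits

# Constructed sample telemetry (not real logs): a benign backup tool that zips
# ordinary documents, and a process behaving like the stealer described above.
SAMPLE = [
    {"ts": 100, "pid": 501, "proc": "backupd", "type": "file_read", "path": "/Users/a/Documents/x.txt"},
    {"ts": 101, "pid": 501, "proc": "backupd", "type": "file_write", "path": "/Users/a/backup.zip"},
    {"ts": 102, "pid": 501, "proc": "backupd", "type": "net_connect", "dst": "backup.example"},
    {"ts": 200, "pid": 777, "proc": "AGOV-Login", "type": "file_read", "path": "/Users/a/Library/Keychains/login.keychain-db"},
    {"ts": 201, "pid": 777, "proc": "AGOV-Login", "type": "file_read", "path": "/Users/a/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"ts": 205, "pid": 777, "proc": "AGOV-Login", "type": "file_write", "path": "/private/tmp/out.zip"},
    {"ts": 207, "pid": 777, "proc": "AGOV-Login", "type": "net_connect", "dst": "203.0.113.10"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # [(777, 'AGOV-Login')]
```

Only the process that touched credential stores before archiving and connecting out is flagged; the backup tool, which zips and uploads ordinary files, is not.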

MITRE Tactics and Techniques

Initial Access (T1071.001 – Application Layer Protocol)

The malware is delivered through phishing emails that mimic trusted sources, such as AGOV. This tactic uses social engineering to trick users into downloading and executing the malicious payload.

Execution (T1203 – Exploitation for Client Execution)

Upon receiving the malicious email, the victim is prompted to download and run a macOS application. The application, disguised as legitimate software, executes the Poseidon Stealer malware on the victim's system.

Collection (T1119 – Automated Collection)

Once installed, Poseidon Stealer scans the system for sensitive data including login credentials, private keys, cookies, and crypto wallets. The malware systematically collects this data for exfiltration.

Exfiltration (T1041 – Exfiltration Over Command and Control Channel)

The collected data is compressed into a ZIP file and sent to a central command and control (C2) server. The exfiltration is performed over a secure channel to avoid detection.

Persistence (T1547.001 – Registry Run Keys / Startup Folder)

Poseidon Stealer maintains persistence on the infected device by remaining installed even after the device is rebooted. Although it does not actively execute after a reboot, it remains on the system, potentially allowing future activations.

Defense Evasion (T1070.004 – File Deletion)

After exfiltrating data, Poseidon Stealer ceases its active operation and hides its presence, making it harder for traditional detection mechanisms to identify and remove the malware.

References

  • Brief technical analysis of the "Poseidon Stealer" malware
Tags: AGOV, Cryptocurrency, Germany, Government, infostealer, MacOS, Malware, Phishing, Poseidon Stealer, Switzerland