Poseidon Stealer
Poseidon Stealer is a macOS-focused information stealer and malware-as-a-service family associated with actor Rodrigo4 and described as a fork, competitor, or descendant of Atomic macOS Stealer (AMOS). Multiple sources in the content state that Odyssey Stealer is a direct rebrand of Poseidon Stealer, and that Poseidon itself was later sold and rebranded, complicating tracking. Poseidon has been observed targeting macOS systems across numerous organizations and was reported as a prevalent macOS stealer, in some reporting overtaking Atomic Stealer.
Its core behavior is theft of sensitive data from macOS hosts using AppleScript-based collection and social engineering. The content states Poseidon uses encoded or obfuscated AppleScript delivered through Trojanized installers masquerading as legitimate applications, and has also been distributed via Google ads, malicious spam emails, malvertising, fake software download sites, and phony websites impersonating AI tools, VPN services, and other well-known software brands. Red Canary also noted increased use of macOS "paste and run" style execution in related activity.
Capabilities directly described in the content include gathering system information and stealing data from browsers, browser extensions, and other applications; browser passwords and cookies; cryptocurrency wallets; macOS Notes; Telegram data; and passwords from BitWarden and KeePassXC. Reporting also states Poseidon targets sensitive data from browsers, extensions, and other applications generally. The malware prompts victims with a fake dialog to obtain the user's macOS password, and stolen information is sent to attacker-controlled web servers managed through a control panel.
The content links Poseidon to a broader macOS stealer ecosystem that abuses AppleScript for rapid collection and credential theft, and notes frequent version changes and rebranding across Poseidon/Odyssey variants. High-confidence infrastructure details specific to Poseidon itself are limited in the provided content, but the malware is consistently characterized as a macOS infostealer focused on credential, browser, wallet, and application-data theft, with strong overlap in codebase and functionality with AMOS and later Odyssey.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Odyssey isn’t original work. It’s a direct rebrand of Poseidon Stealer, which itself was forked from Atomic macOS Stealer (AMOS).
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueMITRE ATT&CK Mapping The Backdoor (scan-tron.link targeting Odyssey operators) Tactic Technique ID Initial Access Supply Chain Compromise T1195.002
Execution
2 techniquesOften delivered via obfuscated AppleScript payloads ... Stage 1: The Initial Dropper The main payload is obfuscated AppleScript wrapped in a shell script.
"...aiming to trick software professionals... into installing them instead. Upon execution..."; "...ads urging users to install a new version..."
Stealth
1 technique“...malware disguised as popular AI and collaboration tools like OpenAI ChatGPT... Cisco AnyConnect, Google Drive, Microsoft Office...” and “...phony websites impersonating AI, VPN services, and other well-known software brands...”
Credential Access
1 techniqueThe password is validated against the system using dscl . authonly and then used for: Extracting Chrome’s master password from Keychain ... Keychain – Full Keychain database (login.keychain-db)
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
macOS stealer family referenced as the predecessor brand to Odyssey Stealer; described indirectly as part of a lineage stemming from AMOS.
A macOS stealer MaaS family that preceded Odyssey Stealer. The content describes Odyssey as a direct rebrand of Poseidon, sharing delivery, browser and wallet targeting, Keychain theft, LaunchDaemon persistence, and trojanized app replacement.
macOS information stealer using AppleScript to collect sensitive data from browsers, extensions, and other applications; tracked by the source starting in early June 2025 and subject to rebrand/variant confusion (potentially to Odyssey).
macOS information stealer delivered from brand-impersonation websites.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.