Poseidon Stealer (Malware Family)

Poseidon Stealer

aka: Rodrigo Stealer

macOS infostealer sold by an individual named Rodrigo4, currently consisting of a disk image containing a Mach-O without app bundle, which when executed spawns osascript executing an AppleScript with the actual infostealer payload. The AppleScript payload will steal files by packing them in a ZIP archive and uploading them to a hardcoded C2 via HTTP.

References

2024-07-11 ⋅ NCSC Switzerland ⋅ NCSC Switzerland
Brief technical analysis of the "Poseidon Stealer" malware
Poseidon Stealer

2024-06-27 ⋅ GovCERT.ch ⋅ GovCERT.ch
Poseidon Stealer malspam campaign targeting Swiss macOS users
Poseidon Stealer

2024-06-24 ⋅ Malwarebytes Labs ⋅ Jérôme Segura
‘Poseidon’ Mac stealer distributed via Google ads
Poseidon Stealer

There is no Yara-Signature yet.

Poseidon Stealer Propose Change

References

Poseidon Stealer