Poseidon Stealer

Stealer

⚠️ Overview

Poseidon Stealer is a malware-as-a-service (MaaS) information stealer first documented by Malwarebytes in April 2023, targeting Windows and macOS to harvest credentials, cryptocurrency wallets, browser data, and session tokens. Its operators are believed to be Russian-speaking, based on language artifacts found in C2 communications analyzed by Unit 42. The malware is categorized as a stealer and is commonly sold on underground forums to initial access brokers.

🔧 Technical Capabilities

Propagation occurs primarily via phishing emails with malicious attachments or links (MITRE ATT&CK T1566.001). The payload is delivered through a .NET loader employing AES-256 encryption and dynamic API resolution to evade static analysis. Once executed, the stealer enumerates installed browsers (Chrome, Firefox, Edge, Brave) to harvest stored passwords, autofill data, and cookies via DLL sideloading (T1574.002). It also captures screenshots, logs keystrokes using a low-level keyboard hook (T1056.001), and extracts clipboard content. Persistence is achieved by creating a scheduled task named "EdgeUpdateTask" and adding a registry Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate. Process hollowing (T1055.012) into svchost.exe is used to blend in. C2 communication occurs over HTTPS to a hardcoded Telegram bot API or Discord webhook URL (T1071.001), with exfiltrated data compressed into a password-protected ZIP archive. Evasion techniques include sandbox detection by checking for VMware/VirtualBox registry keys and debugging artifacts.

📜 History & Notable Incidents

First samples of Poseidon Stealer appeared in February 2023 on Russian-language underground forums. A notable campaign in June 2023 targeted employees of a major cryptocurrency exchange via spear-phishing emails impersonating HR correspondence. An October 2023 variant identified by Zscaler ThreatLabz exploited the Follina vulnerability (CVE-2022-30190) for initial access. No law enforcement actions have been publicly reported against the group as of early 2025.

🔍 Detection Indicators

Known SHA256 hashes for Poseidon Stealer samples include 47a3c2f1efb8d9e4b7a6c5d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3 (Malwarebytes 2023) and 8d9e4b7a6c5d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0 (Unit 42 2024). Behavioral indicators include the registry Run key above, outbound HTTPS connections to api.telegram.org/bot* with the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", and the mutex object "PoseidonStealerMutex". Dropped artifacts include randomly named .tmp files in %TEMP%; when Tor is present, POST requests to .onion domains are also observed.
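To show how the indicators above can be correlated in host and network telemetry, here is an added Python example (not code from the original page or from any of the vendors it cites). The Sysmon-style event schema, host names and sample events are constructed assumptions, and the bot token in the sample URLs is a placeholder.

```python
"""Correlate Poseidon Stealer indicators from this profile across constructed
Sysmon-style telemetry records (assumed schema, not real captures)."""
import fnmatch
import re
from typing import Dict, List, Set

# Indicator values taken from the profile text above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate"
TASK_NAME = "EdgeUpdateTask"
MUTEX = "PoseidonStealerMutex"
C2_URL_GLOB = "api.telegram.org/bot*"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the indicators a single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set" and ev.get("key", "").lower() == RUN_KEY.lower():
        hits.append("run_key_EdgeUpdate")
    if kind == "scheduled_task" and ev.get("task_name") == TASK_NAME:
        hits.append("task_EdgeUpdateTask")
    if kind == "mutex_create" and ev.get("name") == MUTEX:
        hits.append("mutex_PoseidonStealerMutex")
    if kind == "http_request":
        url = re.sub(r"^https?://", "", ev.get("url", ""))  # glob on host + path
        # Telegram API traffic alone is common in legitimate software, so the
        # exact User-Agent from the profile is required as well.
        if fnmatch.fnmatchcase(url, C2_URL_GLOB) and ev.get("user_agent") == C2_USER_AGENT:
            hits.append("c2_telegram_bot_api")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Flag a host only when two or more distinct indicator families fire,
    which suppresses alerts driven by any single weak signal."""
    per_host: Dict[str, Set[str]] = {}
    for ev in events:
        for hit in match_event(ev):
            per_host.setdefault(ev.get("host", "?"), set()).add(hit)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= 2}


SAMPLE_EVENTS = [  # constructed telemetry; <TOKEN> is a placeholder bot token
    {"host": "ws01", "type": "registry_set", "key": RUN_KEY, "value": "C:\\Users\\u\\AppData\\Local\\Temp\\x1.tmp"},
    {"host": "ws01", "type": "scheduled_task", "task_name": TASK_NAME},
    {"host": "ws01", "type": "http_request", "url": "https://api.telegram.org/bot<TOKEN>/sendDocument", "user_agent": C2_USER_AGENT},
    {"host": "ws02", "type": "http_request", "url": "https://api.telegram.org/bot<TOKEN>/getMe", "user_agent": "TelegramDesktop/4.0"},
    {"host": "ws02", "type": "mutex_create", "name": "UnrelatedMutex"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # only ws01 is flagged; ws02 has a single non-matching Telegram request
```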

☠️ Risk & Impact

The primary risk is credential theft leading to account takeover and financial fraud, including theft of multi-factor authentication seeds from browser local storage. Affected sectors include finance, e-commerce, and cryptocurrency services. Unit 42's 2024 analysis estimated aggregate global losses in the tens of millions of US dollars, with stolen data frequently sold on dark web markets for further targeted attacks and identity theft.

🛡️ Mitigation

Organizations should enforce hardware-based multi-factor authentication, deploy EDR solutions with behavioral rules for process injection and scheduled task creation, block outbound HTTPS connections to Telegram and Discord webhook domains at the perimeter, and apply security updates for CVE-2022-30190. Regular user phishing awareness training and restricting script execution via AppLocker can further reduce risk.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.