Poseidon

Poseidon is a cybercrime threat actor/group associated in the provided content with Poseidon Stealer activity and described in one source as a Portuguese-speaking cybercrime group. The content also states that Poseidon Stealer was forked from Atomic macOS Stealer (AMOS) and later directly rebranded as Odyssey Stealer. Reported lineage in the content ties Poseidon and Odyssey to a developer known as Rodrigo4 on the Russian-language XSS forum, with Poseidon launched in mid-2024, sold in August 2024, and subsequently rebranded to Odyssey by new operators in mid-2025. The malware associated with this ecosystem is macOS-focused and aimed primarily at cryptocurrency theft, operating as a Malware-as-a-Service platform with an affiliate model. Described capabilities include delivery via obfuscated AppleScript payloads; theft of browser, wallet, Keychain, Telegram Desktop, Apple Notes, Desktop, and Documents data; targeting of numerous browser wallet extensions and desktop wallet applications; fake macOS password prompts validated with dscl . authonly; replacement of legitimate Ledger and Trezor applications with trojanized versions; installation of persistent LaunchDaemons; RAT functionality including arbitrary shell execution, reinfection, SOCKS5 proxying, and periodic polling of C2 infrastructure. The content also notes that after compromising a victim, Poseidon Group lists all running processes. Known related names and aliases directly mentioned in the content are Poseidon, Poseidon Stealer, and Odyssey Stealer.