Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

Poseidon Stealer

Poseidon Stealer is a macOS-focused information stealer active in 2024 and early 2025. It targets macOS systems and uses AppleScript-based tradecraft to obtain sensitive data from browsers, browser extensions, and other applications. Reporting cited in the content describes it as part of the same macOS stealer family as Atomic Stealer (AMOS), with substantial code and feature overlap, and notes that defenders may have difficulty distinguishing the variants from endpoint telemetry alone because of highly similar AppleScript logic, command sequences, and data retrieval methods.

The malware has been delivered through phony websites impersonating AI tools, VPN services, and other well-known software brands, and later activity was associated with increased use of paste-and-run / ClickFix-style social engineering on macOS. Earlier deployment methods also relied on a widely abused Gatekeeper bypass that Apple patched in October 2024, after which traditional delivery was hindered and activity temporarily declined.

High-confidence reporting in the content states that Poseidon Stealer was prominent during 2024 and early 2025, then sold and rebranded as Odyssey Stealer. Multiple sources in the content characterize Odyssey as a direct rebrand or evolution of Poseidon, and further state that Poseidon itself was forked from Atomic macOS Stealer (AMOS). The operator behind Poseidon is identified in the content as Rodrigo4, with reporting that the platform was sold in fall 2024 / August 2024 and later reappeared under the Odyssey name.

Associated activity and prevalence reporting in the content includes Red Canary tracking Poseidon beginning in early June 2025, where it debuted on a June 2025 top-10 threat list tied for eighth place, and statements that some activity initially tracked as Poseidon may later be reclassified as Odyssey because of the sale and rebrand. Additional reporting cited in the content states Poseidon overtook Atomic Stealer in prevalence on macOS during 2024 and accounted for a large share of macOS stealer detections.

The content does not provide a stable, Poseidon-specific IOC set beyond behavioral and campaign context, but repeatedly associates it with AppleScript execution, theft of data from browsers/extensions/applications, and delivery via fake software-brand websites and paste-and-run social engineering. The content also explicitly distinguishes Poseidon Stealer from Mythic’s unrelated Poseidon macOS agent.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Rodrigo4

Poseidon Stealer, prominent during 2024 and early 2025, was sold and rebranded as Odyssey Stealer, an evolution that saw it share significant code and features with another prevalent stealer, Atomic Stealer (aka AMOS).

via red canary blogredcanary.com
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195.002Compromise Software Supply ChainEvidence2

MITRE ATT&CK Mapping The Backdoor (scan-tron.link targeting Odyssey operators) Tactic Technique ID Initial Access Supply Chain Compromise T1195.002

Execution

2 techniques
T1059.002AppleScriptEvidence4

One of the primary reasons macOS stealers like Atomic, Poseidon, and Odyssey bear such striking resemblances is their shared reliance on AppleScript.

T1204User ExecutionEvidence1

"...aiming to trick software professionals... into installing them instead. Upon execution..."; "...ads urging users to install a new version..."

Stealth

1 technique
T1036MasqueradingEvidence1

“...malware disguised as popular AI and collaboration tools like OpenAI ChatGPT... Cisco AnyConnect, Google Drive, Microsoft Office...” and “...phony websites impersonating AI, VPN services, and other well-known software brands...”

Defense Impairment

1 technique
T1553.001Gatekeeper BypassEvidence1

Prior to this, a vulnerability existed in macOS that allowed the bypass of Apple’s Gatekeeper, something adversaries frequently leveraged for their initial deployment of Atomic and Poseidon onto systems.

Credential Access

1 technique
T1555Credentials from Password StoresEvidence2

The password is validated against the system using dscl . authonly and then used for: Extracting Chrome’s master password from Keychain ... Keychain – Full Keychain database (login.keychain-db)

INDICATORS OF COMPROMISE

IOCs tracked for this family

5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
4 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app2 months ago
hash.sha256●●●●●●●●●●●●View more in app2 months ago
ip.v4●●●●●●●●●●●●View more in app2 months ago
ip.v4●●●●●●●●●●●●View more in app2 months ago
ip.v4●●●●●●●●●●●●View more in app2 months ago
ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
the hacker newsNews
Feb 15, 2026
Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

macOS stealer family referenced as the predecessor brand to Odyssey Stealer; described indirectly as part of a lineage stemming from AMOS.

Read more
censys blogNews
Feb 11, 2026
Odyssey Stealer: Inside a macOS Crypto-Stealing Operation - Censys

A macOS stealer MaaS family that preceded Odyssey Stealer. The content describes Odyssey as a direct rebrand of Poseidon, sharing delivery, browser and wallet targeting, Keychain theft, LaunchDaemon persistence, and trojanized app replacement.

Read more
red canary blogNews
Oct 9, 2025
Distinguishing Atomic, Odyssey, and Poseidon stealers on macOS

A macOS stealer focused on obtaining sensitive data from browsers, extensions, and other applications. It relies heavily on AppleScript, previously used Gatekeeper bypass techniques for deployment, and later evolved into Odyssey Stealer.

Read more
red canary blogNews
Aug 21, 2025
Intelligence Insights: NetSupport Manager and paste-and-run precursors

Information stealer identified as another member of the same malware family as Atomic Stealer.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching5

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.