{
	"id": "3df85ad3-0491-4ef7-bed3-8b7b29b2b2f7",
	"created_at": "2026-04-06T00:06:57.683719Z",
	"updated_at": "2026-04-10T13:12:39.658208Z",
	"deleted_at": null,
	"sha1_hash": "663a6d3bee8ab6c5439dd813a4fb4fead636e67f",
	"title": "CTI/20240627_macOS_PoseidonStealer at main · govcert-ch/CTI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45116,
	"plain_text": "CTI/20240627_macOS_PoseidonStealer at main · govcert-ch/CTI\r\nBy govcert-ch\r\nArchived: 2026-04-05 15:26:25 UTC\r\nPoseidon Stealer malspam campaign targeting Swiss macOS users\r\nOn the evening of the 27th of June 2024, the NCSC observed a large AGOV-themed malspam campaign\r\ntargeting macOS users in Switzerland with Poseidon Stealer.\r\nAGOV is the public service login for Switzerland. It is not only for use in federal settings, but also when dealing\r\nwith cantonal and communal authorities, for example when completing your tax return.\r\nThe malspam was sent from Amazon's legitimate outbound email service using the following email subject:\r\nAGOV-Zugriff: Ab Juli 2024 für alle öffentlichen Online-Dienste obligatorisch\r\nSending IP addresses (Amazon):\r\n23.251.226.1\r\n23.251.226.2\r\n23.251.226.3\r\n23.251.226.4\r\n23.251.226.5\r\nSender (Email from):\r\nAGOV \u003cnoreply@ing.automech.com.br\u003e\r\nThe malspam emails contain a link to bing.com from which the victim is redirected to another, most likely\r\ncompromised host, which finally redirects the victim to a website hosting Poseidon Stealer.\r\nRogue redirect (probably compromised):\r\nhttps://shop.aishabaker.com/about/\r\nPoseidon Stealer payload URLs:\r\nhttps://register-agov.net/AGOV-Access.dmg\r\nhttps://register-agov.com/AGOV-Access.dmg\r\nhttps://agov-ch.com/AGOV-Access.dmg\r\nhttps://agov-ch.net/AGOV-Access.dmg\r\nhttps://agov-access.net/AGOV-Access.dmg\r\nhttps://agov-access.com/AGOV-Access.dmg\r\nOnce infected, Poseidon Stealer will steal various information from the victim's machine and exfiltrate it to a\r\nbotnet C2 located here:\r\nA copy of the Poseidon Stealer malware sample is available for download here:\r\nhttps://bazaar.abuse.ch/sample/474ee78c6636ee478ea7f4521559679fbc468bb326357737bfc465e63ed153fa/\r\nMISP event (JSON):\r\n20240627_macOS_PoseidonStealer.json\r\nSource: https://github.com/govcert-ch/CTI/tree/main/20240627_macOS_PoseidonStealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/govcert-ch/CTI/tree/main/20240627_macOS_PoseidonStealer"
	],
	"report_names": [
		"20240627_macOS_PoseidonStealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434017,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/663a6d3bee8ab6c5439dd813a4fb4fead636e67f.pdf",
		"text": "https://archive.orkl.eu/663a6d3bee8ab6c5439dd813a4fb4fead636e67f.txt",
		"img": "https://archive.orkl.eu/663a6d3bee8ab6c5439dd813a4fb4fead636e67f.jpg"
	}
}