{
	"id": "95aea1e0-e516-4bd7-ab89-9788e851ef83",
	"created_at": "2026-04-06T00:19:24.805213Z",
	"updated_at": "2026-04-10T13:12:24.792547Z",
	"deleted_at": null,
	"sha1_hash": "8f996da16a40df81a822a724a71eed51f7ef56d4",
	"title": "Poseidon Group - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61972,
	"plain_text": "Poseidon Group - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 18:36:21 UTC\r\n APT group: Poseidon Group\r\nNames\r\nPoseidon Group (Kaspersky)\r\nG0033 (MITRE)\r\nCountry Brazil\r\nMotivation Information theft and espionage\r\nFirst seen 2005\r\nDescription\r\n(Kaspersky) During the latter part of 2015, Kaspersky researchers from GreAT (Global\r\nResearch and Analysis Team) got hold of the missing pieces of an intricate puzzle that\r\npoints to the dawn of the first Portuguese-speaking targeted attack group, named\r\n“Poseidon.” The group’s campaigns appear to have been active since at least 2005,\r\nwhile the very first sample found points to 2001. This signals just how long ago the\r\nPoseidon threat actor was already working on its offensive framework.\r\nThe Poseidon Group is a long-running team operating on all domains: land, air, and sea.\r\nThey are dedicated to running targeted attacks campaigns to aggressively collect\r\ninformation from company networks through the use of spear-phishing packaged with\r\nembedded, executable elements inside office documents and extensive lateral\r\nmovement tools. The information exfiltrated is then leveraged by a company front to\r\nblackmail victim companies into contracting the Poseidon Group as a security firm.\r\nEven when contracted, the Poseidon Group may continue its infection or initiate\r\nanother infection at a later time, persisting on the network to continue data collection\r\nbeyond its contractual obligation. The Poseidon Group has been active, using custom\r\ncode and evolving their toolkit since at least 2005. 
Their tools are consistently designed\r\nto function on English and Portuguese systems spanning the gamut of Windows OS,\r\nand their exfiltration methods include the use of hijacked satellite connections.\r\nPoseidon continues to be active at this time.\r\nObserved\nSectors: Energy, Financial, Government, Media, Manufacturing, Telecommunications,\nUtilities.\nCountries: Brazil, France, India, Kazakhstan, Russia, UAE, USA.\nTools used IGT supertool.\nCounter operations Feb 2016\nThe C2 servers have been sinkholed by Kaspersky.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d8a39ee0-3ec7-41dc-9d6e-dcbab0779ca3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d8a39ee0-3ec7-41dc-9d6e-dcbab0779ca3"
	],
	"report_names": [
		"showcard.cgi?u=d8a39ee0-3ec7-41dc-9d6e-dcbab0779ca3"
	],
	"threat_actors": [
		{
			"id": "144584b0-60b7-437d-9f90-4d46291b0572",
			"created_at": "2022-10-25T15:50:23.513946Z",
			"updated_at": "2026-04-10T02:00:05.391788Z",
			"deleted_at": null,
			"main_name": "Poseidon Group",
			"aliases": [
				"Poseidon Group"
			],
			"source_name": "MITRE:Poseidon Group",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4100052f-ccdc-4ee8-b950-434af1c9cef1",
			"created_at": "2022-10-25T16:07:24.07095Z",
			"updated_at": "2026-04-10T02:00:04.858608Z",
			"deleted_at": null,
			"main_name": "Poseidon Group",
			"aliases": [
				"G0033"
			],
			"source_name": "ETDA:Poseidon Group",
			"tools": [
				"IGT supertool",
				"Information Gathering Tool"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c95dd3a-26ea-4ec3-b8a1-831baafe7e8b",
			"created_at": "2023-01-06T13:46:38.466445Z",
			"updated_at": "2026-04-10T02:00:02.986899Z",
			"deleted_at": null,
			"main_name": "Poseidon Group",
			"aliases": [
				"G0033"
			],
			"source_name": "MISPGALAXY:Poseidon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434764,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f996da16a40df81a822a724a71eed51f7ef56d4.pdf",
		"text": "https://archive.orkl.eu/8f996da16a40df81a822a724a71eed51f7ef56d4.txt",
		"img": "https://archive.orkl.eu/8f996da16a40df81a822a724a71eed51f7ef56d4.jpg"
	}
}