{
	"id": "6f7eb2dc-9e99-411a-b476-4d8a9382ed4f",
	"created_at": "2026-04-06T00:21:56.772485Z",
	"updated_at": "2026-04-10T13:12:32.790677Z",
	"deleted_at": null,
	"sha1_hash": "9b53b4949a768982c2496ed5ab16caddda97230b",
	"title": "Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 492247,
	"plain_text": "Poseidon Group: a Targeted Attack Boutique specializing in global\r\ncyber-espionage\r\nBy GReAT\r\nPublished: 2016-02-09 · Archived: 2026-04-02 12:35:52 UTC\r\nDuring the latter part of 2015, Kaspersky researchers from GReAT (Global Research and Analysis Team) got hold\r\nof the missing pieces of an intricate puzzle that points to the dawn of the first Portuguese-speaking targeted attack\r\ngroup, named “Poseidon.” The group’s campaigns appear to have been active since at least 2005, while the very\r\nfirst sample found points to 2001. This signals just how long ago the Poseidon threat actor was already working on\r\nits offensive framework.\r\nWhy has the Poseidon threat remained undetected for so many years? In reality, it has not. Most samples were\r\ndetected promptly. However, Poseidon’s practice of being a ‘custom-tailored malware implants boutique’ kept\r\nsecurity researchers from connecting different campaigns under the umbrella of a single threat actor. This\r\napproach entails crafting campaign components on-demand and sometimes fabricating entirely unique malicious\r\nartifacts.\r\nhttps://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/\r\nPage 1 of 8\n\nOur research team was able to put together the disparate pieces of this puzzle by diligently tracing the evolution of\r\nPoseidon’s toolkit in pursuit of an overarching understanding of how the actor thinks and the specific practices\r\ninvolved in infecting and extorting its victims. With a set of tools developed for the sole purpose of information\r\ngathering and privilege escalation, the sophistication level of the campaign highlights that, today, regional actors are\r\nnot far behind better-known players in the global game of targeted attacks.\r\nBecoming familiar with the operations of the Poseidon Group meant patiently dismantling their modus operandi to\r\nunearth the custom-designed infection tools deployed to each of their selected targets. This process revealed a\r\nseries of campaigns with highly-regionalized malware practices and geographically-skewed victim tasking,\r\nunsurprising in a region with a gradually-maturing cybercrime industry. The proper detection of each iteration of\r\ntheir evolving toolkit may have been enough to thwart specific efforts, but to truly understand the magnitude of\r\nPoseidon’s combined operations required an archeological effort to match.\r\nFrequently asked questions\r\nWhat exactly is the Poseidon Group?\r\nThe Poseidon Group is a long-running team operating on all domains: land, air, and sea. They are dedicated to\r\nrunning targeted attack campaigns to aggressively collect information from company networks through the use of\r\nspear-phishing packaged with embedded, executable elements inside office documents and extensive lateral\r\nmovement tools. The information exfiltrated is then leveraged by a company front to blackmail victim companies\r\ninto contracting the Poseidon Group as a security firm. Even when contracted, the Poseidon Group may continue\r\nits infection or initiate another infection at a later time, persisting on the network to continue data collection\r\nbeyond its contractual obligation. The Poseidon Group has been active, using custom code and evolving their\r\ntoolkit, since at least 2005. Their tools are consistently designed to function on English and Portuguese systems\r\nspanning the gamut of Windows OS, and their exfiltration methods include the use of hijacked satellite\r\nconnections. Poseidon continues to be active at this time.\r\nWhy do you call it Poseidon’s Targeted Attack Boutique?\r\nThe presence of several text fragments found in the strings section of executable files belonging to the campaign\r\nreveals the actor’s fondness for Greek mythology, especially regarding Poseidon, the God of the Seas (which also\r\ncoincides with their later abuse of satellite communications meant to service ships at sea). The boutique element is\r\nreflected in their artisanally adaptive toolkit for lateral movement and data collection, which appears to change\r\nfrom infection to infection to fit custom-tailored requirements for each of their prospective clients. The business\r\ncycle includes what is euphemistically referred to as ‘financial forecasting’ using stolen information, so we like to\r\nsay that Poseidon’s boutique not only deals in targeted attacks but also stolen treasures.\r\nHow did you become aware of this threat? Who reported it?\r\nWe noticed that several security companies and enthusiasts had unwittingly reported on fragments of Poseidon’s\r\ncampaigns over the years. However, nobody noticed that these fragments actually belonged to the same threat\r\nactor, perhaps because many of these campaigns were designed to run on specific machines, using English and\r\nPortuguese languages, with diverse command and control servers located in different countries and soon\r\ndiscarded, signing malware with different certificates issued in the name of rogue companies, and so on. By\r\ncarefully collecting all the evidence and then reconstructing the attacker’s timeline, we found that it was actually a\r\nsingle group operating since at least 2005, and possibly earlier, and still active on the market.\r\nWith this understanding, GReAT researchers were able to recognize similarities in obfuscation and development\r\ntraits leading back to widely-reported but little-understood variants on a sample in 2015, which searched for\r\nprominent leaders and secret documents involving them.\r\nWhen did you discover this targeted attack?\r\nThe very first samples from this campaign were detected by Kaspersky Lab back in the early 2000s. However, as\r\nnoted previously, it is a very complex task to correlate indicators and evidence in order to put together all the\r\npieces of this intricate puzzle. By the middle of 2015 it was possible to identify that throughout this period of time\r\nit has been the same threat actor, which we call the Poseidon Group.\r\nWho are the victims? / What can you say about the targets of the attacks?\r\nThe targets are companies in energy and utilities, telecommunications, public relations, media, financial\r\ninstitutions, governmental institutions, services in general and manufacturing. The geographical spread of victims\r\nis heavily-skewed towards Brazil, the United States, France, Kazakhstan, United Arab Emirates, India and Russia.\r\nMany of the victims have joint ventures or partner operations in Brazil. The importance of the victims is not\r\nmeasured in numbers since each of these victims is a large-scale (often multinational) enterprise.\r\nWhat exactly is being stolen from the target machines?\r\nOne of the characteristics of the group behind Poseidon is an active exploration of domain-based networks. Such\r\nnetwork topology is typical for companies and enterprises.\r\nThe highest value asset for these companies is proprietary information, technologies, and business-sensitive\r\ninformation that represents significant value in relation to investments and stock valuations. The Poseidon Group\r\nactively targets this sort of corporate environment for the theft of intellectual property and commercial\r\ninformation, occasionally focusing on personal information on executives.\r\nHow does Poseidon’s APT Boutique infect computers?\r\nThe main infection vector for Poseidon is the use of spear-phishing emails including RTF/DOC files, usually with\r\na human resources lure. The executables are also often digitally signed and occasionally hidden in alternate data\r\nstreams to fool security solutions. Poseidon’s toolkit displays an awareness of many antivirus providers over the\r\nyears, attempting to attack or spoof these processes as a means of self-defense for their infections. Once the\r\ninfection happens, it reports to the command and control servers before beginning a complex lateral movement\r\nphase. This phase will often leverage a specialized tool that automatically collects a wide array of information\r\nincluding credentials, group management policies, and even system logs to better hone further attacks and assure\r\nexecution of their malware. This way the attackers actually know what applications and commands they can use\r\nwithout raising an alert to the network administrator during lateral movement and exfiltration.\r\nWhat does the Poseidon Group do? What happens after a target machine is infected?\r\nOnce the target’s machine is compromised, the attacker first enumerates all processes running in the system and\r\nall services. Then the attacker looks for all administrator accounts on both the local machine and the network. This\r\ntechnique allows them to map network resources and make lateral movements inside the network, landing in the\r\nperfect machine to match the attacker’s interest. This reflects the Poseidon Group’s familiarity with Windows\r\nnetwork administration. In many cases, their ultimate interest is the Domain Controller.\r\nAdditionally, the malware reports itself to its hardcoded command and control servers and establishes a backdoor\r\nconnection, so the attacker may have a permanent remote connection.\r\nWhat are the malicious tools used by the Poseidon Group? What are their functions?\r\nPoseidon utilizes a variety of tools. Their main infection tool has been steadily evolving since 2005, with some code\r\nremnants remaining the same to this day, while others have been altered to fit the requirements of new operating\r\nsystems and specific campaigns. A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information\r\nGathering Toolkit), a bulky 15 megabyte executable that orchestrates a series of different information collection\r\nsteps, exfiltration, and the cleanup of components. This tool appears to be designed to operate on high-value\r\ncorporate systems like Domain Controllers or IIS servers that act as repositories of valuable information,\r\nparticularly for lateral movement. The Information Gathering Tool (IGT) is coded in Delphi and includes\r\nPowerShell and SQL components across a dozen different drops. This tool contains several other executable files\r\nmade in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear\r\ntask devised by the group when trying to obtain more information from an objective. The main purpose of the IGT\r\ntool is to make an inventory of the system, saving information from the network interfaces and addresses,\r\ncredentials belonging to the Domain and database server, services being run from the OS and everything that\r\ncould help the Poseidon Group make its attack more customized to its victim.\r\nAre the attackers using any zero-day vulnerabilities?\r\nNo zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign.\r\nPoseidon’s conventional means of deceiving users with executable files posing inside Word and RTF document\r\nfiles, and actual poisoned documents with malicious macro-scripts, has been the sole method used for\r\ncompromising their desired targets. As we have seen in other targeted campaigns, social engineering and carefully\r\ncrafted spear-phishing attacks play a crucial role in the effectiveness of getting a foothold in the desired system.\r\nIs this a Windows-only threat? Which versions of Windows are targeted?\r\nPoseidon is particularly focused on the Microsoft Windows operating system family, specifically customizing the\r\ninfection method for each one so as to gather different information and hide its presence after the initial infection.\r\nOther products usually found in corporate environments, such as an SQL server, are being used for lateral\r\nmovement and credential harvesting using a customized toolset designed by the crafty Poseidon Group. Because\r\nof Poseidon’s longevity, there are samples targeting Windows systems as early as Windows NT 4.0 Server and\r\nWindows 95 Workstation up to current versions like Windows 8.1, as well as server variants (very important to\r\nthem, given the emphasis on reaching Domain Controllers in corporate environments).\r\nHow is this different from any other targeted attack?\r\nThe extortion elements of this campaign are what set it apart from others. The exfiltration of sensitive data is done\r\nin order to coerce the victim into a business relationship under the threat of exchanging this information with\r\ncompetitors or leveraging it as part of the company’s offering of ‘investment forecasting’. Additionally, this is the\r\nfirst ever publicly known Portuguese-speaking targeted attack campaign.\r\nAre there multiple variants of the Poseidon Group’s malware? Are there any major differences in\r\nthe variants?\r\nPoseidon has maintained a consistently evolving toolkit since the mid-2000s. The malware has not avoided\r\ndetection but has instead been so inconspicuous as to not arouse much suspicion, because this malware only\r\nrepresents the initial phase of the attack. An altogether different component is leveraged once Poseidon reaches an\r\nimportant machine like an enterprise’s Domain Controller. This is where the main collection takes place by use of\r\nthe IGT (Information Gathering Tool) toolkit.\r\nIs the command and control server used by the Poseidon Group still active? Have you been able\r\nto sinkhole any of the command and controls?\r\nPoseidon Group has interesting practices when it comes to its use of command and control servers, including\r\nredundancies and quickly discarding command and control (C\u0026C) servers after specific campaigns. This has\r\nactually allowed us to sinkhole several domains. A few of these still had active infections attempting to report to\r\nthe C\u0026Cs. This adds an interesting dimension to the story. As part of Kaspersky Lab’s commitment to securing\r\ncyberspace for everyone, we reached out and notified identifiable victims, regardless of their security solution, and\r\nprovided them with indicators of compromise (IOCs) to help root out the active infection. In the process, we were\r\nable to confirm the previously described operating procedures for the Poseidon Group.\r\nWe do not believe this to be a state-sponsored attack but rather a commercial threat player. Collaboration with\r\ninformation-sharing partners and victim institutions allowed us to become aware of the more complicated business\r\ncycle involved in this story, greatly adding to our research interest in tracking these campaigns. The malware is\r\ndesigned to function specifically on English and Portuguese-language systems. This is the first ever Portuguese-speaking targeted attack campaign.\r\nHow long have the attackers been active?\r\nThe attackers have been active for more than ten years. The main distribution of samples goes back to 2005 with\r\npossible earlier outliers.\r\nOperating systems such as Windows 95 for desktop computers and Windows NT for server editions were not\r\nuncommon at the time, and Poseidon’s team has evolved gradually into targeting the latest flagship editions of\r\nMicrosoft’s operating systems. Recent samples show interest in Windows 2012 Server and Windows 8.1.\r\nDid the attackers use any interesting/advanced technologies?\r\nDuring a particular campaign, conventional Poseidon samples were directed to IPs resolving to satellite uplinks.\r\nThe networks abused were designed for internet communications with ships at sea, which span a greater\r\ngeographical area at nearly global scale while providing nearly no security for their downlinks.\r\nThe malware authors also possess an interesting understanding of execution policies, which they leverage to\r\nmanipulate their victim systems. They combine reconnaissance of GPO (Group Policy Object management for\r\nexecution) with digitally-signed malware to avoid detection or blocking during their infection phases. These\r\ndigital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion\r\nfrom researchers and incident responders.\r\nDoes Kaspersky Lab detect all variants of this malware?\r\nYes, all samples are detected by signatures and also heuristics. With a fully updated Kaspersky Lab anti-malware\r\nsolution, all customers are protected now. Kaspersky Lab products detect the malware used by Poseidon Group\r\nwith the following detection names:\r\nBackdoor.Win32.Nhopro\r\nHEUR:Backdoor.Win32.Nhopro.gen\r\nHEUR:Hacktool.Win32.Nhopro.gen\r\nHow many victims have you found?\r\nAt least 35 victim companies have been identified, with primary targets including financial and government\r\ninstitutions, telecommunications, manufacturing, energy and other service utility companies, as well as media and\r\npublic relations firms.\r\nThe archaeological effort of understanding such a long-standing group can severely complicate victim\r\nidentification. We see traces of upwards of a few tens of companies targeted. The exact number of the victims may\r\nactually vary. Since it is a very long-term group, some victims may be impossible to identify now.\r\nAt this time, we are reaching out to victims of active infections to offer remediation assistance, IOCs, and our full\r\nintelligence report to help them counteract this threat. Any victims or potential targets concerned about this threat\r\nshould please contact us at intelreports@kaspersky.com.\r\nWho is behind these attacks?\r\nWe do not speculate on attribution. The language code used to compile implants, as well as the language used to\r\ndescribe certain commands used by the group, actually corresponds to Portuguese from Brazil. The inclusion of\r\nPortuguese language strings and preference for Portuguese systems is prominent throughout the samples.\r\nThe tasking of Poseidon’s campaigns appears to be heavily focused on espionage for commercial interests.\r\nSpeculating further would be unsubstantiated.\r\nReference sample hashes:\r\nCommand and control servers:\r\nakamaihub[.]com – SINKHOLED by Kaspersky Lab\r\nigdata[.]net – SINKHOLED by Kaspersky Lab\r\nmozillacdn[.]com – SINKHOLED by Kaspersky Lab\r\nmsupdatecdn[.]com – SINKHOLED by Kaspersky Lab\r\nsslverification[.]net – SINKHOLED by Kaspersky Lab\r\nFor more about countering Poseidon and similar attacks, read this article in the Kaspersky Business Blog.\r\nSource: https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/"
	],
	"report_names": [
		"73673"
	],
	"threat_actors": [
		{
			"id": "144584b0-60b7-437d-9f90-4d46291b0572",
			"created_at": "2022-10-25T15:50:23.513946Z",
			"updated_at": "2026-04-10T02:00:05.391788Z",
			"deleted_at": null,
			"main_name": "Poseidon Group",
			"aliases": [
				"Poseidon Group"
			],
			"source_name": "MITRE:Poseidon Group",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4100052f-ccdc-4ee8-b950-434af1c9cef1",
			"created_at": "2022-10-25T16:07:24.07095Z",
			"updated_at": "2026-04-10T02:00:04.858608Z",
			"deleted_at": null,
			"main_name": "Poseidon Group",
			"aliases": [
				"G0033"
			],
			"source_name": "ETDA:Poseidon Group",
			"tools": [
				"IGT supertool",
				"Information Gathering Tool"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c95dd3a-26ea-4ec3-b8a1-831baafe7e8b",
			"created_at": "2023-01-06T13:46:38.466445Z",
			"updated_at": "2026-04-10T02:00:02.986899Z",
			"deleted_at": null,
			"main_name": "Poseidon Group",
			"aliases": [
				"G0033"
			],
			"source_name": "MISPGALAXY:Poseidon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434916,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b53b4949a768982c2496ed5ab16caddda97230b.pdf",
		"text": "https://archive.orkl.eu/9b53b4949a768982c2496ed5ab16caddda97230b.txt",
		"img": "https://archive.orkl.eu/9b53b4949a768982c2496ed5ab16caddda97230b.jpg"
	}
}