Poseidon
Description
Poseidon (RodrigoStealer) is an information stealer targeting macOS users that masquerades as legitimate applications such as the Arc browser. It is designed to exfiltrate sensitive data, including system information, browser credentials and cookies, cryptocurrency wallets, password-manager and VPN data, and documents. It has been associated with Russian-speaking cybercriminal communities and is actively distributed through malicious search ads, phishing campaigns, and compromised websites.
Variant Names
N/A
Alternative Names
- RodrigoStealer
- RodStealer
- Rodrigo4Stealer
Country of origin
- Russia
Symptoms
You might observe the following artifacts associated with this threat:
- An installer or disk image that instructs you to right-click the app and choose Open, or otherwise walks you around a Gatekeeper warning, before the app will run.
- Unexpected prompts requesting your system password during or shortly after an application installation.
- Unfamiliar applications or processes running in the background, including a process launched from a mounted disk image (/Volumes/...) rather than from /Applications.
- Unauthorized access to sensitive information, such as browser data, cryptocurrency wallets, password-manager vaults, or VPN configurations.
Technical Breakdown
Poseidon is distributed through malicious Google ads that redirect users to fake websites offering popular applications such as the Arc browser. The downloaded disk image (DMG) files resemble legitimate installers, but because the bundled app is not signed and notarized in a way Gatekeeper will accept, the image instructs the user to right-click the app and choose Open. That gesture suppresses the Gatekeeper block that a normal double-click would trigger, so the lure depends on the user overriding the protection themselves. Once executed, Poseidon can perform various malicious activities, including:
- Collecting system information.
- Stealing browser data, including saved credentials and cookies.
- Exfiltrating cryptocurrency wallet files.
- Accessing password-manager data, such as Bitwarden and KeePassXC databases.
- Collecting VPN configurations from Fortinet and OpenVPN.
The stolen data is then exfiltrated to a remote server controlled by the attackers. Because a single process reads from several unrelated credential stores in quick succession, that access pattern is itself a useful behavioral signal, independent of any particular file hash.
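The following is an added illustration of the behavioral signal just described; it is not Kandji's detection logic or any code from the Poseidon sample. It takes a stream of file-open events from an endpoint sensor (the event format, the sample events, and the file locations for each application are constructed assumptions for this example, chosen to match the data sources the page lists) and flags any process that reads from several distinct categories of sensitive data within a short window. A browser opening its own cookie database touches one category and is not flagged; a process launched from a mounted DMG that reads browser cookies, a wallet, a Bitwarden vault, and an OpenVPN profile within seconds is.

```python
"""Flag stealer-like access to credential stores from macOS file-open events.

Added example, not Kandji's or the malware's code. Paths, event format and
sample events below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# Category -> regexes matched against the opened path. Locations are assumed
# for this example and follow the data sources the page names.
SENSITIVE_PATTERNS = {
    "browser": [
        r"/Library/Application Support/Google/Chrome/[^/]+/(Cookies|Login Data)$",
        r"/Library/Application Support/Firefox/Profiles/[^/]+/(cookies\.sqlite|logins\.json)$",
    ],
    "wallet": [r"/Library/Application Support/(Exodus|Electrum|Ledger Live)/"],
    "password_manager": [r"/Library/Application Support/Bitwarden/", r"\.kdbx$"],
    "vpn": [
        r"/Library/Application Support/OpenVPN Connect/",
        r"\.ovpn$",
        r"/Library/Application Support/Fortinet/",
    ],
}
_COMPILED = {c: [re.compile(p) for p in pats] for c, pats in SENSITIVE_PATTERNS.items()}

# Constructed sample events, tab-separated: epoch, pid, process path, op, file path.
SAMPLE_EVENTS = [
    "1700000000\t501\t/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\topen\t"
    "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies",
    "1700000005\t777\t/Applications/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\topen\t"
    "/Users/alice/Library/Application Support/OpenVPN Connect/profiles/work.ovpn",
    "1700000100\t4242\t/Volumes/Arc/Arc\topen\t"
    "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies",
    "1700000101\t4242\t/Volumes/Arc/Arc\topen\t"
    "/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco",
    "1700000102\t4242\t/Volumes/Arc/Arc\topen\t"
    "/Users/alice/Library/Application Support/Bitwarden/data.json",
    "1700000103\t4242\t/Volumes/Arc/Arc\topen\t"
    "/Users/alice/Library/Application Support/OpenVPN Connect/profiles/work.ovpn",
    "1700000104\t4242\t/Volumes/Arc/Arc\topen\t/Users/alice/Documents/notes.txt",
]


def classify(path):
    """Return the sensitive-data category a path belongs to, or None."""
    for category, regexes in _COMPILED.items():
        if any(r.search(path) for r in regexes):
            return category
    return None


def parse_event(line):
    """Split one tab-separated sensor line into (ts, pid, proc, op, path)."""
    ts, pid, proc, op, path = line.rstrip("\n").split("\t")
    return int(ts), int(pid), proc, op, path


def find_stealer_candidates(lines, min_categories=3, window_s=60):
    """Return {(pid, proc): info} for processes that open files from at least
    min_categories distinct sensitive categories within window_s seconds.
    info holds the sorted categories and whether the binary ran from a DMG."""
    per_proc = defaultdict(list)  # (pid, proc) -> [(ts, category)]
    for line in lines:
        ts, pid, proc, op, path = parse_event(line)
        if op != "open":
            continue
        category = classify(path)
        if category is not None:
            per_proc[(pid, proc)].append((ts, category))

    hits = {}
    for key, events in per_proc.items():
        events.sort()
        # Slide a window starting at each event; stop at the first one that qualifies.
        for i, (t0, _) in enumerate(events):
            cats = {c for t, c in events[i:] if t - t0 <= window_s}
            if len(cats) >= min_categories:
                hits[key] = {
                    "categories": sorted(cats),
                    # Apps run straight from a mounted disk image live under /Volumes/.
                    "from_dmg": key[1].startswith("/Volumes/"),
                }
                break
    return hits


if __name__ == "__main__":
    for (pid, proc), info in find_stealer_candidates(SAMPLE_EVENTS).items():
        print(f"pid {pid} {proc}: {info}")
```

The thresholds are deliberately conservative: a legitimate backup or sync agent can also read several of these locations, so in practice the category count and window are tuned per environment and the result is enriched with the process's code-signing status and launch path rather than treated as a verdict on its own.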
Next Steps
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually. Because the stealer's purpose is credential theft, removal alone is not sufficient: rotate browser-saved passwords, password-manager master passwords, VPN credentials, and move any funds held in wallets whose files were present on the affected Mac.
In the future, avoid downloading and installing software from torrent sources, untrusted websites, or links in search-engine ads. Obtain applications from the vendor's own site or the Mac App Store, and treat any installer that tells you to right-click and choose Open to get past a Gatekeeper warning as malicious.
Related
Atomic Stealer (AMOS) is a sophisticated piece of malware that targets Apple users by masquerading as legitimate applications. Once installed, AMOS can exfiltrate extensive data, including keychain passwords, user documents, system information, browser data, credit card information, and cryptocurrency wallets. There is a strong association between Atomic Stealer and Russian-speaking cybercriminal communities.
Cuckoo is an info stealer that typically masquerades as macOS applications such as Homebrew and Google Chrome. Discovered by Kandji in 2024, it has been known to steal passwords, as well as recording audio and video from an infected system.
PasivRobber is a sophisticated macOS surveillance suite discovered in March 2025. It targets applications popular among Chinese users, such as WeChat and QQ, and can exfiltrate sensitive data from various sources, including web browsers, email clients, and system files. The malware employs deceptive naming schemes and a modular architecture, indicating a deep understanding of macOS internals.