>samit_hota
Back to adversary profiles
G0033HighActive

Poseidon Group: The Extortion-as-a-Service Cyber Mercenaries

Samit Hota·
Suspected Origin
Brazil
Motivation
Financial Gain, Extortion
Aliases
None documented
Target Sectors
Financial, Government, Telecommunications, Manufacturing, Energy, Media, Public Relations, Service Utilities
Associated Malware
Information Gathering Tool (IGT), Custom Remote Access Trojans, Mimikatz
#threat-actor#g0033

Overview

The Poseidon Group (MITRE ATT&CK ID G0033) is a unique and persistent Portuguese-speaking threat actor, understood to be the first publicly documented Brazilian cyber-espionage group. Active since at least 2005, with forensic evidence suggesting development as early as 2001, this group stands apart in the threat landscape due to its distinctive and audacious business model. Rather than simply selling exfiltrated data on criminal markets or acting on behalf of a nation-state, Poseidon Group operates as a “cyber mercenary” enterprise. Its primary motivation is financial gain, achieved by systematically compromising organizations, stealing sensitive corporate data, and then leveraging that intelligence to coerce victims into contracting the Poseidon Group as a “security consultant”. This “extortion-as-consulting” model effectively turns the victim’s breach into a forced sales opportunity for the attackers.

Attribution to Brazil is made with high confidence due to several converging indicators. Their malware samples often contain Portuguese-language strings, and implants are designed to function on Windows systems configured for both English and Brazilian Portuguese. Furthermore, infrastructure patterns observed during their campaigns frequently point back to Brazil. While sophisticated, the group is not assessed to have nation-state sponsorship, operating instead as a commercially motivated criminal entity.

Poseidon Group’s typical targets span a broad range of sectors globally. They have targeted financial and government institutions, telecommunications providers, manufacturing companies, energy and other service utility companies, as well as media and public relations firms. While originating in Brazil, their victimology is international, with identified targets in the United States, France, Kazakhstan, the United Arab Emirates, India, Russia, and their home country of Brazil.

Tactics & Techniques

The Poseidon Group employs a methodical approach to infiltrate and exploit target networks. Their initial access typically begins with spear-phishing emails, often featuring human resources-themed lures and containing malicious RTF or Microsoft Word documents as attachments. The executables embedded within these documents are frequently digitally signed with rogue company certificates to appear legitimate and avoid detection. They may also hide malware within alternate data streams as a defense evasion tactic.

Once a system is compromised, the group prioritizes comprehensive reconnaissance. They leverage custom tools to map the network topology and gather extensive information. This includes performing account discovery across local, domain, and email accounts, enumerating running processes and system services, and mapping network connections. A key aspect of their discovery phase involves searching for administrator accounts on both local machines and across the network to facilitate further lateral movement. PowerShell components are often incorporated into their tooling for enhanced scripting flexibility and to blend with legitimate administrative activities.

For credential access, Poseidon Group is known to extract credentials directly from memory and perform OS credential dumping, with a particular focus on obtaining credentials for domain and database servers. They have been observed utilizing tools like Mimikatz and its derivatives for this purpose.

Defense evasion is a consistent priority for the group. Beyond the use of rogue certificates and hidden data streams, their tools are designed to spoof antivirus process names, attempting to disguise themselves as legitimate security software to bypass behavioral flags and avoid detection. Process hollowing and injection techniques are also part of their evasion toolkit.

Lateral movement is achieved using specialized tools that collect critical information such as credentials, group management policies, and system logs. This data helps them refine subsequent attacks and ensure the successful execution of their malware across the network. Exfiltration of stolen data has been observed to utilize various methods, including the use of hijacked satellite connections.

Perhaps one of the most remarkable aspects of their operations is their persistence strategy. Even if a victim company succumbs to their blackmail and contracts the Poseidon Group as a security firm, the group may deliberately maintain their malware on the network or initiate new infections later. This ensures their continued access and ability to collect data, extending beyond any contractual obligations.

Notable Campaigns

The Poseidon Group operated largely under the radar for many years, with individual campaigns often detected and remediated without linking them to a single overarching threat actor. It wasn’t until late 2015 that Kaspersky’s Global Research and Analysis Team (GReAT) managed to connect the disparate fragments of attacks, publicly exposing the Poseidon Group in February 2016. This exposure revealed a long-running series of targeted attacks dating back to at least 2005, characterized by their unique extortion-as-consulting scheme. While specific named campaigns beyond this general operational model are not widely publicized, the very nature of their bespoke attacks and evolving toolkit demonstrates a continuous, adaptable effort over more than a decade.

Associated Malware & Tools

The group is known for its “boutique” approach to malware development, often engineering bespoke implants customized for each individual victim. This tailored methodology complicates attribution, as it results in unique samples with minimal shared code fingerprints across different engagements.

Key tools in their arsenal include:

  • Information Gathering Tool (IGT): This is a sophisticated and modular framework serving as their primary reconnaissance capability. It’s designed for comprehensive domain enumeration immediately post-compromise, enabling discovery of accounts, processes, services, and network connections. The IGT extensively uses PowerShell-based components.
  • Custom Remote Access Trojans (RATs): Poseidon Group deploys unique RATs built specifically for each campaign. These RATs feature custom packers, variable code signing, and distinct encryption routines, further hindering detection and analysis.
  • Mimikatz and Derivatives: For advanced credential extraction, the group leverages Mimikatz and similar tools to dump credentials from memory and target domain and database servers.

It’s worth noting that while other threat groups, such as APT36 (Transparent Tribe), have been observed using malware they also refer to as “Poseidon malware” in recent campaigns targeting UNIX-based systems and government employees in India, this appears to be a separate family of malware and activity unrelated to the commercially motivated, Windows-targeting Poseidon Group (G0033).

Current Status

The Poseidon Group has demonstrated remarkable longevity, with a confirmed operational history stretching over a decade, from at least 2005 through the time of its public exposure in 2016. The unique, adaptable nature of their “extortion-as-consulting” business model and bespoke tooling allowed them to operate with a high degree of stealth for many years. While detailed public reports of new, specific campaigns have been less frequent since the initial Kaspersky exposure in 2016, the MITRE ATT&CK entry for G0033 was last modified as recently as April 25, 2025, indicating that the threat intelligence community continues to track and update information regarding this group. This suggests that the Poseidon Group remains a relevant and potentially active threat, maintaining its unique and persistent modus operandi in the cyber mercenary landscape.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call