G0033: Poseidon Group
Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. [1]
Analyst context for executives and security teams
Poseidon Group matters because MITRE describes it as a long-running Portuguese-speaking threat group associated with cyber espionage and alleged blackmail using exfiltrated victim information. For leaders, the decision point is not just malware detection; it is whether the organization can quickly prove what data, credentials, and systems were accessed if an intrusion reaches discovery, credential dumping, or exfiltration stages.
Executive priority
Prioritize readiness for credential compromise, internal reconnaissance, and evidence preservation. The ATT&CK relationships tied to this group include OS credential dumping, account discovery, process and service discovery, network connection discovery, PowerShell execution, and masquerading. These behaviors can undermine identity trust, delay incident scoping, and complicate legal, regulatory, and business continuity decisions after a suspected breach or extortion attempt.
Technical view
SOC and IR teams should validate coverage around the related ATT&CK techniques rather than relying on a group name. Confirm visibility for credential dumping indicators, local and domain account enumeration, service/process/network discovery, PowerShell execution, and suspicious file or resource names that mimic legitimate locations. Because the group object itself has no official MITRE detection text and no specified platforms, detection engineering should be mapped to the related techniques and to the organization’s actual Windows, Linux, macOS, cloud, and infrastructure exposure where applicable.
Likely telemetry
- Endpoint process creation and command-line telemetry
- PowerShell execution and script logging where Windows is in scope
- Authentication, account enumeration, and directory service logs
- Credential access signals from memory, OS caches, or protected credential stores
- Service, process, scheduled task, and network connection discovery events
Detection direction
- Tune for combinations of discovery behaviors followed by credential access rather than isolated administrative commands only.
- Baseline legitimate administrator use of account, service, process, network, and PowerShell utilities to reduce false positives.
- Validate whether endpoint telemetry captures command line, parent-child process context, user identity, host role, and execution path.
- Review blind spots on non-Windows systems and cloud or virtualized environments where related discovery techniques may also apply.
- Use the group relationship set as threat-informed context, but require local evidence before escalating an event as Poseidon Group activity.
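The first two points above (correlate discovery followed by credential access, and require breadth rather than a single administrative command) as a small correlation routine. This is an added example, not part of the mirrored ATT&CK object or MITRE's guidance: the events are constructed, and the field names (`ts`, `host`, `user`, `type`, `cmdline`, `target`) are assumptions loosely modelled on Sysmon process-create and process-access records.

```python
# Added example, not part of the mirrored ATT&CK object. Events are constructed;
# field names are assumptions loosely modelled on Sysmon process-create (ID 1)
# and process-access (ID 10) records.
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities mapped to the technique ids listed for this group.
DISCOVERY_PATTERNS = {
    "T1087": ("net user", "net group", "net localgroup", "get-aduser"),
    "T1057": ("tasklist", "get-process"),
    "T1007": ("sc query", "get-service", "net start"),
    "T1049": ("netstat", "get-nettcpconnection"),
}
WINDOW = timedelta(minutes=30)
MIN_DISTINCT_DISCOVERY = 2  # breadth of recon, not one isolated admin command

def classify_discovery(cmdline):
    """Return the discovery technique id a command line matches, or None."""
    low = cmdline.lower()
    for tid, needles in DISCOVERY_PATTERNS.items():
        if any(n in low for n in needles):
            return tid
    return None

def correlate(events):
    """Alert (host, user, ts, technique ids) when a sensitive-process access follows
    >= MIN_DISTINCT_DISCOVERY recon techniques on the same host inside WINDOW."""
    recon = defaultdict(dict)  # host -> {technique id: last seen}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, host = datetime.fromisoformat(e["ts"]), e["host"]
        if e["type"] == "process_create":
            tid = classify_discovery(e["cmdline"])
            if tid:
                recon[host][tid] = ts
        elif e["type"] == "process_access" and e["target"].lower() == "lsass.exe":
            recent = sorted(t for t, seen in recon[host].items() if ts - seen <= WINDOW)
            if len(recent) >= MIN_DISTINCT_DISCOVERY:
                alerts.append((host, e["user"], e["ts"], recent))
    return alerts

SAMPLE_EVENTS = [  # constructed: ws01 recon then access; ws02 recon only; ws03 access only
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "user": "j.doe", "type": "process_create", "cmdline": "net localgroup administrators"},
    {"ts": "2024-05-01T09:02:00", "host": "ws01", "user": "j.doe", "type": "process_create", "cmdline": "tasklist /v"},
    {"ts": "2024-05-01T09:05:00", "host": "ws01", "user": "j.doe", "type": "process_access", "target": "lsass.exe"},
    {"ts": "2024-05-01T10:00:00", "host": "ws02", "user": "admin", "type": "process_create", "cmdline": "netstat -ano"},
    {"ts": "2024-05-01T10:01:00", "host": "ws02", "user": "admin", "type": "process_create", "cmdline": "sc query"},
    {"ts": "2024-05-01T12:00:00", "host": "ws03", "user": "svc", "type": "process_access", "target": "lsass.exe"},
]
```

Only ws01 alerts: ws02 shows discovery with no credential-access signal, and ws03 shows the signal with no preceding discovery, which is the distinction the tuning point above asks for.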
Mitigation priorities
- Harden credential storage and restrict privileged credential exposure on endpoints and servers.
- Apply least privilege and monitor use of local and domain accounts, especially privileged groups.
- Limit and log administrative scripting such as PowerShell according to business need.
- Improve endpoint visibility for discovery commands, suspicious process execution, and masqueraded files or locations.
- Prepare incident response playbooks for credential theft and data exposure scenarios, including evidence collection needed for legal, regulatory, and extortion-related decisions.
Analyst notes and limits
MITRE’s description highlights a history of exfiltrated information being used to pressure victims into contracting the group as a security firm. That makes incident scoping, data exposure analysis, and executive communications especially important. The most actionable defensive content comes from the listed technique relationships, not from the group object’s own detection field.
The supplied ATT&CK group object does not specify platforms, tactics, labels, or official detection guidance. The related techniques provide defensive direction, but they do not prove current activity, targeting, or environment-specific exposure. Local telemetry, asset inventory, and incident evidence are required for any operational conclusion.
Poseidon Group
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1049 | System Network Connections Discovery | Poseidon Group obtains and saves information about victim network interfaces and addresses. [1] |
| Enterprise | T1003 | OS Credential Dumping | Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers. [1] |
| Enterprise | T1007 | System Service Discovery | After compromising a victim, Poseidon Group discovers all running services. [1] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | Poseidon Group searches for administrator accounts on both the local victim machine and the network. [1] |
| Enterprise | T1087.001 | Account Discovery: Local Account | Poseidon Group searches for administrator accounts on both the local victim machine and the network. [1] |
| Enterprise | T1057 | Process Discovery | After compromising a victim, Poseidon Group lists all running processes. [1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense. [1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | c2ed00ecbd53… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Poseidon Group: Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
- [2] Poseidon Group (alias entry; Citation: Kaspersky Poseidon Group)
- [3] mitre-attack: G0033
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.