The Poseidon Group is a recognized threat actor in the cybersecurity sphere, known for complex, tailored cyber-attacks. Its primary mode of operation is to leverage a deep understanding of Windows network administration to exploit weaknesses in corporate environments. The group deploys a customized toolset designed for lateral movement and credential harvesting, often targeting SQL servers and other products common in such settings. The IGT tool, one of the group's principal tools, inventories the compromised system, collecting data on network interfaces and addresses, credentials related to the Domain and the database server, services run by the OS, and any other information that could help tailor the attack to its victim.
Kaspersky Lab has confirmed the operating procedures described above and detects the group's malware under dedicated detection names. Several variants of the Poseidon Group's malware have been identified, reflecting the group's adaptability and the continuous evolution of its malicious tools. These practices underscore the Poseidon Group's sophistication and the significant threat it poses to organizations without robust security measures in place.
One distinguishing feature of the Poseidon Group is its approach to command and control (C&C) servers: the group builds in redundancy and quickly discards C&C servers once a specific campaign is over. This makes tracking and mitigating its activities challenging, and as of the latest reports it remains unclear whether the C&C servers used by the Poseidon Group are still active. That uncertainty further emphasizes the need for constant vigilance and proactive defense strategies against such advanced threat actors.
Description last updated: 2024-05-05T06:42:03.788Z