Poseidon is a Portuguese-speaking targeted attack group that has been considered active since at least 2005, while the very first sample found by Kaspersky points to 2001. Poseidon's specialty is creating "boutique" malware modifications for each targeted attack, making it difficult for researchers to connect the pieces of the puzzle over years of activity and understand them as a whole.

The main functionality of the malware is privilege escalation and information gathering from company networks through the use of spear-phishing attacks packaged with embedded, executable elements inside Office documents, along with extensive lateral movement tools.

The information exfiltrated is then leveraged to blackmail victim companies into contracting the Poseidon Group as a security firm. The Poseidon Group may continue its infection of the victim company while under contract, and potentially initiate additional infections at a later time, persisting on the network to continue data collection beyond its contractual obligation.