C0033
C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]
Analyst context for executives and security teams
C0033 matters because it shows a previously Windows-associated espionage actor, PROMETHIUM, using StrongPity in a publicly documented mobile campaign targeting Android users. For leaders, the decision point is whether mobile devices are treated as part of the monitored enterprise attack surface, especially where phones may hold contacts, SMS messages, call logs, notifications, location data, microphone access, and authentication prompts.
Executive priority
Prioritize this as a mobile security and incident-readiness gap check rather than as a claim of current exposure. The ATT&CK relationships point to discovery, collection, persistence, defense evasion, command-and-control, and exfiltration behaviors on mobile devices. Executives should ask whether corporate mobile management, BYOD policy, phishing/drive-by exposure, mobile app vetting, and incident response evidence collection can support investigations involving Android devices and sensitive user data.
Technical view
ATT&CK provides no official detection text for C0033, so SOC and IR teams should validate coverage against the related mobile behaviors: drive-by compromise, obfuscated files, application/file/system/network discovery, broadcast receiver persistence, disabling or modifying tools, access to notifications, audio, location, call logs, contacts, SMS, archiving collected data, web-protocol C2, symmetric encryption, ingress tool transfer, and exfiltration over the C2 channel. StrongPity is also linked as information-stealing malware used by PROMETHIUM; the software relationship notes a Windows platform, while this campaign description specifically references Android users.
Likely telemetry
- Mobile device management or enterprise mobility management inventory and compliance state
- Mobile threat defense alerts, if deployed
- Android application inventory, package names, signing metadata, requested permissions, and install source
- Permission grants for microphone, location, contacts, SMS, call log, notification access, and background location where available
- Device security state such as rooted status, disabled security tooling, and policy tampering indicators
Detection direction
- Because MITRE supplies no campaign-specific detection guidance, map detections to the related techniques rather than relying on the campaign name alone.
- Validate whether mobile telemetry can show risky permission combinations, suspicious app naming or package impersonation, and apps that mimic legitimate names or install locations.
- Tune for context: many mobile apps legitimately use web protocols, encryption, location, notifications, contacts, or microphone permissions, so detections should combine permissions, install source, reputation, behavior, and network patterns.
- Look for gaps where BYOD devices, unmanaged Android devices, encrypted C2 traffic, or limited mobile log retention prevent investigation.
- Use the relationship context to prioritize tests for Android-focused collection and exfiltration behaviors, while avoiding unsupported assumptions about all platforms in the environment.
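One way to operationalize the permission, install-source and impersonation combination described in the list above, as an added example that is not from ATT&CK, Glexia or the referenced reports; the normalized permission names, the known-good package allowlist, the thresholds and the inventory records are all constructed assumptions:

```python
"""Score Android app inventory records so that a single benign permission is
not flagged, but sensitive grants plus sideloading or name impersonation are."""
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed normalized capability names (not raw Android manifest strings).
SENSITIVE = {"microphone", "location", "contacts", "sms", "call_log",
             "notification_access", "background_location"}
# Constructed allowlist of package names an impersonating app might mimic.
KNOWN_GOOD = {"com.example.messenger", "com.example.vpnclient"}
TRUSTED_SOURCES = {"play_store", "mdm"}  # assumed inventory source labels

@dataclass
class AppRecord:
    package: str
    label: str
    permissions: set
    install_source: str

def impersonation_score(package: str) -> float:
    """Highest similarity (0..1) to an allowlisted package the name is NOT
    identical to; an exact allowlist hit scores 0.0."""
    best = 0.0
    for good in KNOWN_GOOD:
        if package == good:
            return 0.0
        best = max(best, SequenceMatcher(None, package, good).ratio())
    return best

def score_app(app: AppRecord) -> tuple[int, list[str]]:
    """Combine permissions, install source and name similarity into a score
    with reasons; only the combination (>= 5) is marked for escalation."""
    score, reasons = 0, []
    sensitive = app.permissions & SENSITIVE
    if len(sensitive) >= 3:  # broad collection capability in one app
        score += 3
        reasons.append(f"{len(sensitive)} sensitive permissions: {sorted(sensitive)}")
    if app.install_source not in TRUSTED_SOURCES:  # sideloaded / unknown origin
        score += 2
        reasons.append(f"untrusted install source {app.install_source}")
    sim = impersonation_score(app.package)
    if sim >= 0.85:  # close to, but not equal to, an allowlisted name
        score += 2
        reasons.append(f"package resembles allowlisted name (similarity {sim:.2f})")
    if score >= 5:
        reasons.append("ESCALATE: sensitive permissions plus untrusted source or impersonation")
    return score, reasons

def triage(inventory: list[AppRecord]) -> list[str]:
    """Return package names whose combined score meets the escalation bar."""
    return [a.package for a in inventory if score_app(a)[0] >= 5]

SAMPLE_INVENTORY = [  # constructed records, not real telemetry
    AppRecord("com.vendor.weather", "Weather", {"location"}, "play_store"),
    AppRecord("com.example.messenger", "Messenger", {"sms", "contacts", "microphone"}, "play_store"),
    AppRecord("com.example.messengar", "Messenger", {"sms", "contacts", "call_log",
              "microphone", "notification_access"}, "sideload"),
]
```

The store-delivered messenger scores 3 and is not escalated, which is the tuning point made above: permissions alone are not enough without install-source or impersonation context.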
Mitigation priorities
- Establish or validate mobile device governance for corporate and BYOD devices, including inventory, enrollment expectations, and minimum security posture.
- Restrict installation from untrusted sources where policy allows and review mobile app vetting processes for apps requesting sensitive permissions.
- Harden mobile access to enterprise resources with conditional access based on device compliance and security posture.
- Ensure users and help desks know how to report suspicious mobile app prompts, unexpected permission requests, and unusual device behavior.
- Prepare IR procedures for mobile evidence collection, containment, user privacy handling, and credential/session review after suspected mobile compromise.
Analyst notes and limits
The supplied ATT&CK object identifies C0033 as a PROMETHIUM campaign using StrongPity to target Android users and links it to multiple mobile ATT&CK techniques. The most useful defensive value is not the campaign label itself, but the reminder to test whether mobile devices are visible to SOC, identity, cloud access, and IR workflows.
Official detection is not provided, tactics and platforms are not specified on the campaign object, and the description is brief. Relationships provide technique and software context, but local exposure, affected users, infrastructure indicators, and detection efficacy require environment-specific evidence and referenced-source review.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G0056: PROMETHIUM
PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.[1][2][3]
S0491: StrongPity
StrongPity is an information-stealing malware used by PROMETHIUM.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | af8eededdb27… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] welivesec_strongpity: Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
[2] mitre-attack: MITRE ATT&CK, C0033.
[3] securelist_strongpity: Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved March 28, 2024.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.