MITRE ATT&CK® Group

G0055: NEODYMIUM

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. [1] [2] NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. [3]

Enterprise | G0055 | Group | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

NEODYMIUM is an ATT&CK group entry with limited public technique detail, but it matters because the official record links it to a May 2016 campaign, heavy targeting of Turkish victims, overlap with PROMETHIUM victim/campaign characteristics, and use of Wingbird, a Windows backdoor related to FinFisher. For leaders, the value is not in assuming current exposure, but in using the entry to test whether threat intelligence, endpoint visibility, and incident response processes can handle sparse-but-relevant group intelligence without over-attributing activity.

Executive priority

Treat NEODYMIUM as a threat-intelligence and readiness validation case. Executives should ask whether the organization can translate limited ATT&CK group reporting into practical controls: endpoint monitoring for related Windows malware where relevant, evidence preservation for suspected targeted intrusions, and governance around attribution confidence. Because ATT&CK provides no tactics, platforms, or detection text for the group itself, budget and risk decisions should be based on local exposure, regional relevance, and confirmed telemetry rather than the group name alone.

Technical view

SOC and IR teams should avoid building detections on the group label by itself. The supplied relationship gives the most actionable pivot: NEODYMIUM used Wingbird in a May 2016 campaign, and Wingbird is described as a Windows backdoor related to FinFisher and reportedly used against individual computers rather than networks. Validate whether endpoint telemetry, malware alerts, file/process/network evidence, and case-management workflows can preserve and correlate indicators from the cited reporting. Also document the intelligence caveat that NEODYMIUM shows similarity to PROMETHIUM and is reportedly closely associated with BlackOasis operations, but the supplied ATT&CK description does not establish those names as aliases.

Likely telemetry

  • Windows endpoint detection and response or antivirus events relevant to Wingbird/FinFisher-like backdoor activity
  • Process execution, file creation, module load, and persistence-related endpoint records where collected
  • Host network connection logs from individual workstations, especially where malware alert context is available
  • Malware analysis artifacts and hash/indicator records derived from the cited Microsoft reporting where locally available
  • Incident case notes preserving attribution confidence, related group hypotheses, and evidence sources

Detection direction

  • Use the Wingbird relationship as the primary ATT&CK-supported detection pivot; do not infer broader NEODYMIUM techniques not supplied in the object.
  • Confirm visibility on Windows endpoints because the related Wingbird software lists Windows as its platform, while the NEODYMIUM group object itself does not specify platforms.
  • Tune detections around malware/tool evidence and suspicious endpoint behavior, but require corroborating context before labeling an incident as NEODYMIUM.
  • Account for false attribution risk due to reported similarity with PROMETHIUM and close association with BlackOasis operations without confirmed alias equivalence in the supplied fields.
  • Review whether threat-intelligence ingestion preserves source, date, confidence, and relationship context from Microsoft SIR Vol. 21, Microsoft NEODYMIUM Dec. 2016, and the CyberScoop BlackOasis report.
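
The two pivots named above, following the group's "uses" relationship to its software and inheriting platform coverage from that software while keeping analyst similarity claims separate from bundle-backed relationships, are shown below as an added example written for this page; it is not Glexia's or MITRE's own code. The bundle is a hand-constructed, trimmed imitation of the ATT&CK STIX layout: the object IDs, the Wingbird software ID, the relationship description and the raw-hash scheme are placeholders or assumptions, and only the source names cited on this page are reused.

```python
"""Pivot from an ATT&CK group ID to the software it uses, and keep analyst
association claims apart from bundle-backed relationships.
Example added to this page; not Glexia or MITRE code. The bundle is
constructed to mirror the shape of ATT&CK STIX objects; all IDs are placeholders."""
import hashlib
import json

# Constructed mini-bundle; only the fields this example reads are present.
BUNDLE = {
    "type": "bundle",
    "objects": [
        {
            "type": "intrusion-set",
            "id": "intrusion-set--PLACEHOLDER-G0055",
            "name": "NEODYMIUM",
            "x_mitre_version": "1.0",  # no x_mitre_platforms: the group object lists none
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "G0055"},
                {"source_name": "Microsoft NEODYMIUM Dec 2016"},
            ],
        },
        {
            "type": "malware",
            "id": "malware--PLACEHOLDER-WINGBIRD",
            "name": "Wingbird",
            "x_mitre_platforms": ["Windows"],
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "S-PLACEHOLDER"},
            ],
        },
        {
            "type": "relationship",
            "relationship_type": "uses",
            "source_ref": "intrusion-set--PLACEHOLDER-G0055",
            "target_ref": "malware--PLACEHOLDER-WINGBIRD",
            "description": "Placeholder: NEODYMIUM used Wingbird in a May 2016 campaign.",
            "external_references": [{"source_name": "Microsoft SIR Vol 21"}],
        },
    ],
}


def find_by_external_id(bundle, ext_id):
    """Return the object whose mitre-attack external_id equals ext_id, or None."""
    for obj in bundle["objects"]:
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and ref.get("external_id") == ext_id:
                return obj
    return None


def software_used_by(bundle, group_ext_id):
    """Follow 'uses' relationships from the group to malware/tool objects,
    keeping platforms and citation source names so the pivot stays traceable."""
    group = find_by_external_id(bundle, group_ext_id)
    if group is None:
        return []
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    used = []
    for rel in bundle["objects"]:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel["source_ref"] != group["id"]:
            continue
        target = by_id.get(rel["target_ref"])
        if target is None or target["type"] not in ("malware", "tool"):
            continue
        used.append({
            "name": target["name"],
            "platforms": sorted(target.get("x_mitre_platforms", [])),
            "sources": [r["source_name"] for r in rel.get("external_references", [])],
        })
    return used


def platforms_to_cover(bundle, group_ext_id):
    """Platforms stated on the group object versus those inherited from its software."""
    group = find_by_external_id(bundle, group_ext_id)
    direct = set(group.get("x_mitre_platforms", [])) if group else set()
    inherited = set()
    for sw in software_used_by(bundle, group_ext_id):
        inherited.update(sw["platforms"])
    return {"direct": sorted(direct), "inherited": sorted(inherited)}


def raw_hash(obj):
    """SHA-256 over canonical JSON (assumed scheme) so a mirrored object can be
    compared across imports regardless of key order."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def intel_record(bundle, group_ext_id, analyst_associations):
    """Bundle-backed software relationships in one field; analyst similarity or
    association claims, each with confidence and source, in another. A claim
    labelled 'alias' is rejected: aliases belong in ATT&CK's own alias field."""
    for assoc in analyst_associations:
        for key in ("name", "kind", "confidence", "source"):
            if key not in assoc:
                raise ValueError(f"association missing {key!r}")
        if assoc["kind"] == "alias":
            raise ValueError("alias claims are not accepted as analyst notes")
    return {
        "group": group_ext_id,
        "confirmed_software": software_used_by(bundle, group_ext_id),
        "unconfirmed_associations": list(analyst_associations),
    }


if __name__ == "__main__":
    print(platforms_to_cover(BUNDLE, "G0055"))
    print(intel_record(BUNDLE, "G0055", [
        {"name": "PROMETHIUM", "kind": "similarity", "confidence": "medium",
         "source": "Microsoft NEODYMIUM Dec 2016"},
    ]))
```

Run against a real ATT&CK bundle the same functions apply unchanged, because they only read `external_references`, `relationship_type`, `source_ref`, `target_ref` and `x_mitre_platforms`; the placeholder IDs here are the only thing that differs from a mirrored object.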

Mitigation priorities

  • Prioritize endpoint hardening and monitoring for systems in scope for targeted individual-computer compromise, especially Windows endpoints where Wingbird relevance exists.
  • Ensure malware prevention, EDR alert triage, and incident response playbooks can handle backdoor findings without relying on definitive actor attribution.
  • Maintain threat-intelligence governance that separates confirmed relationships from similarity or association claims.
  • Use this entry to validate evidence readiness: endpoint logs, malware samples or alerts, analyst notes, and escalation criteria should support later investigation or audit review.
  • Base any regional or sector prioritization on local business exposure and the cited reporting, not on unsupported assumptions of current activity.

Analyst notes and limits

The strongest decision value comes from the relationship to Wingbird and the caution around attribution. NEODYMIUM, PROMETHIUM, and BlackOasis are connected in the official description through similarity or reported association, but ATT&CK does not identify them as aliases here. Detection engineering should therefore focus on observable software and host evidence, while threat intelligence teams document confidence and source lineage.

The supplied ATT&CK group object has no official detection text, no tactics, and no platforms. It describes historical reporting, including a May 2016 campaign and Turkish victim targeting, but does not support claims of active exploitation, current targeting, or guaranteed detection coverage. Local environment telemetry and current intelligence are required to assess relevance.

Official MITRE ATT&CK definition

NEODYMIUM

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. [1] [2] NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. [3]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lets you compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in this snapshot)
Modified: (no value in this snapshot)
Raw hash: 37f5b960ad997dc1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 37f5b960ad99…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft NEODYMIUM Dec 2016
     Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
  2. [2] Microsoft SIR Vol 21
     Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  3. [3] CyberScoop BlackOasis Oct 2017
     Bing, C. (2017, October 16). Middle Eastern hacking group is using FinFisher malware to conduct international espionage. Retrieved February 15, 2018.
  4. [4] NEODYMIUM
     Alias entry, citing Microsoft NEODYMIUM Dec 2016 and Microsoft SIR Vol 21.
  5. [5] mitre-attack G0055

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.