G0056: PROMETHIUM
PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.[1][2][3]
Analyst context for executives and security teams
PROMETHIUM, also known as StrongPity, is an espionage-focused activity group documented by ATT&CK as active since at least 2012, with global operations and a heavy emphasis on Turkish targets. For defenders, the decision value is not the name itself but the pattern: user-driven initial access, drive-by exposure, signed or trust-looking tooling, masqueraded services/tasks, Windows persistence, local account abuse, and information-stealing malware. Organizations with relevant regional exposure, high-risk users, or sensitive data should use this group profile to test whether endpoint, identity, web, certificate, and mobile monitoring can connect those behaviors into an investigation.
Executive priority
Treat PROMETHIUM as a planning scenario for espionage-driven compromise rather than a generic malware alert. Leadership should ask whether the organization can preserve business continuity and investigation confidence when a trusted-looking application, signed binary, local account, service, or startup item is abused. Priority areas are endpoint visibility, identity hygiene for local accounts, browser/download controls, certificate trust review, and incident response readiness for Windows-based intrusions and Android-user targeting noted in campaign C0033.
Technical view
ATT&CK links PROMETHIUM to Truvasys (first-stage malware), StrongPity (information-stealing malware), and techniques including Drive-by Compromise, Malicious File execution, Local Accounts, Windows Service persistence, Registry Run Keys/Startup Folder, masqueraded tasks/services, legitimate-looking resource names or locations, port knocking, and development or abuse of code-signing and digital certificates. SOC and IR teams should validate detection paths around suspicious service creation or modification, Run key changes, Startup Folder additions, anomalous local account use, browser-originated downloads that become executed files, unusual signed binaries, lookalike file or service names, and network patterns consistent with hidden command-and-control such as port-knocking-like connection sequences. Because C0033 is documented as a PROMETHIUM campaign using StrongPity to target Android users, mobile telemetry and MDM evidence should be considered where Android users are in scope.
Likely telemetry
- Endpoint process creation, parent-child process lineage, and file execution events, especially from user download or browser contexts
- Windows service creation, modification, service binary path, service display name, and related registry changes
- Registry Run Key and Startup Folder modification telemetry
- Local account logon, privilege use, creation, modification, and anomalous authentication patterns
- File metadata, path, hash, signer, certificate, and reputation data for binaries and scripts
Detection direction
- Map detections to behavior chains rather than only to group names or malware names; PROMETHIUM relationships span initial access, execution, persistence, stealth, credential/account abuse, and command-and-control.
- Tune for suspicious Windows service and Run Key changes, but suppress known-good administrative software through allowlists that include signer, path, parent process, and change-control context.
- Review signed binaries with caution: a valid or self-signed certificate should not be treated as proof of legitimacy when execution path, signer age, file location, or behavior is unusual.
- Hunt for masquerading by comparing service/task names, file names, and install locations against known baselines; lookalike naming can evade simple string-based rules.
- Correlate local account usage with asset criticality and expected administration patterns, especially where password reuse or unmanaged local admin practices may reduce investigation confidence.
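The behavior-chain triage the list above describes, as an added example that is not part of the ATT&CK object or of Glexia's tooling: it scores constructed Windows service-install and Run-key events against a hypothetical known-good service baseline, flagging lookalike service names (T1036.004), binaries in user-writable paths (T1543.003, T1547.001) and self-signed signers (T1553.002), so a single event can surface several linked findings. The event field names, the baseline set and the sample events are assumptions.

```python
from typing import Optional

# Assumed known-good service baseline (replace with your inventory) and user-writable path fragments.
BASELINE_SERVICES = {"wuauserv", "WinDefend", "Schedule", "EventLog"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches lookalikes that exact-string rules miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name: str) -> Optional[str]:
    """Return the baseline service this name imitates (within 2 edits), or None."""
    low = name.lower()
    for known in BASELINE_SERVICES:
        if low != known.lower() and edit_distance(low, known.lower()) <= 2:
            return known
    return None

def score_event(ev: dict) -> list:
    """Map one event (hypothetical field names) to ATT&CK-tagged findings."""
    findings = []
    path = ev.get("image_path", "").lower()
    in_user_path = any(frag in path for frag in USER_WRITABLE)
    if ev["type"] == "service_install":
        mimic = None if ev["name"] in BASELINE_SERVICES else lookalike(ev["name"])
        if mimic:
            findings.append(f"T1036.004 lookalike service name (mimics {mimic})")
        if in_user_path:
            findings.append("T1543.003 service binary in user-writable path")
    elif ev["type"] == "run_key_set" and in_user_path:
        findings.append("T1547.001 Run key points to user-writable path")
    if ev.get("signer_chain") == "self-signed":
        findings.append("T1553.002 self-signed code signer")
    return findings

def triage(events: list) -> dict:
    """Event index -> findings, keeping only events with at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := score_event(ev))}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"type": "service_install", "name": "wuauserve", "image_path": "C:\\Users\\a\\AppData\\Roaming\\svc.exe", "signer_chain": "self-signed"},
    {"type": "service_install", "name": "WinDefend", "image_path": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "signer_chain": "trusted"},
    {"type": "run_key_set", "name": "Updater", "image_path": "C:\\Users\\a\\Downloads\\setup.exe", "signer_chain": "trusted"},
]
```

Events that match the baseline exactly and sit in expected paths produce no findings, so the output is only the events worth an analyst's time.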
Mitigation priorities
- Start with visibility: confirm endpoint, identity, web, network, certificate, and mobile logs are collected, retained, and correlated for the relevant business units and regions.
- Reduce initial access exposure through browser/download controls, user execution safeguards, and security awareness for malicious files, while recognizing awareness alone is not sufficient.
- Harden Windows persistence surfaces by monitoring and controlling service creation, Run Keys, Startup Folder changes, and administrative tools that can modify them.
- Improve local account governance: minimize local admin use, remove stale accounts, prevent password reuse, and monitor privileged local authentication.
- Strengthen application control and software trust decisions using signer, path, reputation, and behavioral context rather than relying only on whether a file is signed.
Analyst notes and limits
This take is based on the supplied ATT&CK group object, external references, and relationships. The strongest relationship-driven context is PROMETHIUM’s association with StrongPity, Truvasys, C0033 Android targeting, and the listed ATT&CK techniques. The official group object does not provide dedicated detection guidance, so the detection direction is derived from the related techniques and software descriptions rather than from PROMETHIUM-specific detections.
ATT&CK does not specify platforms or tactics directly on the PROMETHIUM group object, and no official detection text is provided. Related techniques include multiple platforms, but local relevance depends on the organization’s actual Windows, Linux, macOS, container, ESXi, network device, identity provider, and Android footprint. This summary does not establish current activity, attribution against any organization, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | Malicious File | PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[3][4] |
| Enterprise | T1587.002 | Code Signing Certificates | PROMETHIUM has created self-signed certificates to sign malicious installers.[4] |
| Enterprise | T1078.003 | Local Accounts | PROMETHIUM has created admin accounts on a compromised host.[4] |
| Enterprise | T1587.003 | Digital Certificates | PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.[3] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | PROMETHIUM has used Registry run keys to establish persistence.[3] |
| Enterprise | T1543.003 | Windows Service | PROMETHIUM has created new services and modified existing services for persistence.[4] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.[3][4] |
| Enterprise | T1036.004 | Masquerade Task or Service | PROMETHIUM has named services to appear legitimate.[3][4] |
| Enterprise | T1553.002 | Code Signing | PROMETHIUM has signed code with self-signed certificates.[4] |
| Enterprise | T1205.001 | Port Knocking | PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.[4] |
| Enterprise | T1189 | Drive-by Compromise | PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.[4] |
Groups, software, and campaigns
S0178: Truvasys
Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language.[1][2][3]
S0491: StrongPity
StrongPity is an information stealing malware used by PROMETHIUM.[1][2]
C0033: C0033
C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | aadc427c6fc8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft NEODYMIUM Dec 2016: Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
- [2] Microsoft SIR Vol 21: Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- [3] Talos Promethium June 2020: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- [4] Bitdefender StrongPity June 2020: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
Associated names
- PROMETHIUM [1][2]
- StrongPity: The name StrongPity has also been used to describe the group and the malware used by the group.[3][4]
External ID: mitre-attack G0056
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.