S0491: StrongPity

StrongPity is an information stealing malware used by PROMETHIUM.[1][2]

Enterprise | S0491 | Malware | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

StrongPity is a Windows information-stealing malware family associated in ATT&CK with PROMETHIUM. Its decision value is less about a single indicator and more about the pattern: user-driven execution, persistence through Windows services or Run keys, discovery of files/processes/network/security tools, stealthy naming/encoding/deletion, and automated collection/exfiltration over web/C2 channels. For leaders, this maps directly to data-loss risk, endpoint resilience, SOC visibility, and incident response readiness.

Executive priority

Prioritize StrongPity as a validation case for whether the organization can detect and investigate Windows-based espionage-style malware before sensitive information leaves the environment. Ask whether endpoint logging, PowerShell visibility, service/registry monitoring, web egress controls, and exfiltration investigation procedures produce audit-ready evidence. Because ATT&CK provides no official detection text for this malware, coverage should be proven through control validation rather than assumed from tool deployment.

Technical view

Defenders should validate detections around the ATT&CK relationships: malicious-file execution, PowerShell use, service execution and Windows service persistence, Registry Run Keys/Startup Folder persistence, process/network/file discovery, security software discovery, ingress tool transfer, automated collection, custom archiving, automated exfiltration, exfiltration over C2, web-protocol C2, multi-hop proxy behavior, file deletion, hidden windows, masqueraded tasks/services/resources, encoded files, and code signing abuse. Treat this as a Windows endpoint plus network-egress detection problem, with investigation pivots from process lineage to persistence artifacts, collected/archive files, and outbound web communications.

Likely telemetry

  • Windows endpoint process creation and parent/child process lineage
  • PowerShell execution logs and command-line telemetry
  • Windows service creation, modification, and service-control execution events
  • Registry Run Key and Startup Folder change events
  • File creation, deletion, rename, archive, and encoded/encrypted artifact telemetry

Detection direction

  • Do not rely on a StrongPity-specific signature alone; ATT&CK supplies no official detection guidance for this object.
  • Correlate suspicious user-opened files with follow-on PowerShell, service creation, Run key changes, file discovery, and outbound web traffic.
  • Tune for service and registry persistence that uses legitimate-looking names or locations, while accounting for administrative software deployment false positives.
  • Review signed binaries and trusted-looking file paths critically; code signing and masquerading relationships mean apparent legitimacy is not sufficient.
  • Monitor for staged collection patterns: repeated file enumeration, custom archives or encoded files, then outbound transfer over web/C2 channels.

Mitigation priorities

  • Harden initial execution paths by controlling untrusted files and reducing user execution of suspicious attachments or downloads.
  • Enforce least privilege and application control where feasible to limit PowerShell misuse, service creation, and unauthorized persistence.
  • Monitor and restrict high-risk persistence locations, including Windows services, Run keys, and Startup folders.
  • Strengthen egress governance with proxy/DNS logging, allowlisting where appropriate, and investigation workflows for unusual web-based outbound traffic.
  • Protect sensitive data with collection/exfiltration controls, including data classification, access controls, and alerting on unusual archival or transfer behavior.

Analyst notes and limits

ATT&CK identifies StrongPity as information-stealing malware used by PROMETHIUM and links it to a PROMETHIUM campaign context, including a campaign description that notes Android targeting while the supplied malware platform is Windows. The most defensible defensive value comes from the listed technique relationships, not from unsupported assumptions about current activity, victimology, or indicators.

The official object has no detection text, no aliases, and no malware-specific tactics listed. External references are provided, but this take is limited to the supplied ATT&CK fields, references, and relationships. Local telemetry, asset criticality, identity context, and egress architecture are required to determine actual exposure and detection coverage.

Official MITRE ATT&CK definition

StrongPity

StrongPity is an information stealing malware used by PROMETHIUM.[1][2]

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

26 rows. Citations use the numbered references listed under Source references: [1] Bitdefender StrongPity June 2020, [2] Talos Promethium June 2020.

Domain ID Name Relationship / procedure

Enterprise T1020 Automated Exfiltration

StrongPity can automatically exfiltrate collected documents to the C2 server.[2][1]

Enterprise T1564.003 Hidden Window Sub-technique

StrongPity has the ability to hide the console window for its document search module from the user.[2]

Enterprise T1571 Non-Standard Port

StrongPity has used HTTPS over port 1402 in C2 communication.[1]

Enterprise T1016 System Network Configuration Discovery

StrongPity can identify the IP address of a compromised host.[2]

Enterprise T1041 Exfiltration Over C2 Channel

StrongPity can exfiltrate collected documents through C2 channels.[2][1]

Enterprise T1560.003 Archive via Custom Method Sub-technique

StrongPity can compress and encrypt archived files into multiple .sft files with a repeated XOR encryption scheme.[2][1]

Enterprise T1036.004 Masquerade Task or Service Sub-technique

StrongPity has named services to appear legitimate.[2][1]

Enterprise T1027.013 Encrypted/Encoded File Sub-technique

StrongPity has used encrypted strings in its dropper component.[2][1]

Enterprise T1204.002 Malicious File Sub-technique

StrongPity has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[2][1]

Enterprise T1071.001 Web Protocols Sub-technique

StrongPity can use HTTP and HTTPS in C2 communications.[2][1]

Enterprise T1070.004 File Deletion Sub-technique

StrongPity can delete previously exfiltrated files from the compromised host.[2][1]

Enterprise T1518.001 Security Software Discovery Sub-technique

StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload.[2]

Enterprise T1083 File and Directory Discovery

StrongPity can parse the hard drive on a compromised host to identify specific file extensions.[2]

Enterprise T1119 Automated Collection

StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.[1]

Enterprise T1059.001 PowerShell Sub-technique

StrongPity can use PowerShell to add files to the Windows Defender exclusions list.[2]

Enterprise T1543.003 Windows Service Sub-technique

StrongPity has created new services and modified existing services for persistence.[2]

Enterprise T1573.002 Asymmetric Cryptography Sub-technique

StrongPity has encrypted C2 traffic using SSL/TLS.[2]

Enterprise T1680 Local Storage Discovery

StrongPity can identify the hard disk volume serial number on a compromised host.[2]

Enterprise T1685 Disable or Modify Tools

StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.[2]

Enterprise T1090.003 Multi-hop Proxy Sub-technique

StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[1]

Enterprise T1105 Ingress Tool Transfer

StrongPity can download files to specified targets.[1]

Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

StrongPity can use the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key for persistence.[2]

Enterprise T1057 Process Discovery

StrongPity can determine if a user is logged in by checking to see if explorer.exe is running.[2]

Enterprise T1569.002 Service Execution Sub-technique

StrongPity can install a service to execute itself as a service.[2][1]

Enterprise T1553.002 Code Signing Sub-technique

StrongPity has been signed with self-signed certificates.[1]

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

StrongPity has been bundled with legitimate software installation files for disguise.[2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0056: PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by hash and MITRE timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Raw hash: b28bdee41f6f4f1a...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.1, current bundle, raw hash b28bdee41f6f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Bitdefender StrongPity June 2020: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  2. [2] Talos Promethium June 2020: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  3. [3] mitre-attack S0491 (MITRE-hosted entry on attack.mitre.org).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.