PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.[1][2][3]

ID: G0056
Associated Groups: StrongPity
Version: 2.0
Created: 16 January 2018
Last Modified: 22 October 2020

Associated Group Descriptions

| Name | Description |
|---|---|
| StrongPity | The name StrongPity has also been used to describe the group and the malware used by the group.[4][3] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PROMETHIUM has used Registry run keys to establish persistence.[3] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PROMETHIUM has created new services and modified existing services for persistence.[4] |
| Enterprise | T1587.002 | Develop Capabilities: Code Signing Certificates | PROMETHIUM has created self-signed certificates to sign malicious installers.[4] |
| Enterprise | T1587.003 | Develop Capabilities: Digital Certificates | PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.[3] |
| Enterprise | T1189 | Drive-by Compromise | PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.[4] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | PROMETHIUM has named services to appear legitimate.[3][4] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.[3][4] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | PROMETHIUM has signed code with self-signed certificates.[4] |
| Enterprise | T1205.001 | Traffic Signaling: Port Knocking | PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.[4] |
| Enterprise | T1204.002 | User Execution: Malicious File | PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[3][4] |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | PROMETHIUM has created admin accounts on a compromised host.[4] |