NEODYMIUM

Threat Actor updated 6 months ago (2024-05-04T20:51:05.508Z)
Neodymium, a threat actor identified by Microsoft and associated with BlackOasis' operations, is known for its unique behavior in the cybersecurity landscape. Unlike many other activity groups primarily focused on monetary gain or economic espionage, Neodymium, alongside another group known as Promethium, launches campaigns to gather information about specific individuals without any common affiliations. This was particularly evident in early May 2016, when both groups initiated attack campaigns targeting distinct individuals in Europe. Their modus operandi involved using a shared zero-day exploit to execute code and download malicious payloads, an approach uncommon among similar entities.

The advanced malware Wingbird, utilized by Neodymium, exhibits several behaviors that trigger alerts in Windows Defender ATP. Moreover, both Windows Defender ATP and Office 365 ATP employ rules based on indicators of compromise (IOCs) and threat intelligence specific to Promethium and Neodymium. Notably, Neodymium employed well-crafted spear-phishing emails carrying attachments that delivered the exploit code, leading to the installation of Wingbird on the victims' computers. Further details about Promethium and Neodymium, including their indicators of compromise, are documented in the Microsoft Security Intelligence Report volume 21.

Microsoft researchers have characterized Neodymium's activities as unusual due to their focus on information gathering rather than financial or economic gains. Furthermore, senior security researcher Brian Bartholomew from Kaspersky noted that the espionage activities of BlackOasis, closely linked with Neodymium, included non-traditional targets, thereby crossing the boundary of lawful surveillance.
Description last updated: 2024-05-04T19:18:29.425Z
Aliases
We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the NEODYMIUM Threat Actor was read from the documents corpus below.