NEODYMIUM

Threat Actor Profile Updated 3 months ago
Neodymium is a threat actor identified by Microsoft and associated with the operations of BlackOasis. Unlike most activity groups, which are primarily motivated by monetary gain or economic espionage, Neodymium, alongside another group known as Promethium, runs campaigns to gather information about specific individuals who share no common affiliation. This was particularly evident in early May 2016, when both groups launched attack campaigns against distinct individuals in Europe. Their modus operandi involved a shared zero-day exploit used to execute code and download malicious payloads, an approach uncommon among comparable groups.

The advanced malware Wingbird, used by Neodymium, exhibits several behaviors that trigger alerts in Windows Defender ATP. In addition, both Windows Defender ATP and Office 365 ATP apply rules based on indicators of compromise (IOCs) and threat intelligence specific to Promethium and Neodymium. Notably, Neodymium's initial access relied on well-crafted spear-phishing emails whose attachments carried the exploit code, leading to the installation of Wingbird on the victims' computers. Further details on Promethium and Neodymium, including their indicators of compromise, are documented in the Microsoft Security Intelligence Report volume 21.

Microsoft researchers have characterized Neodymium's activity as unusual because of its focus on information gathering rather than financial or economic gain. Senior security researcher Brian Bartholomew of Kaspersky further noted that the espionage activities of BlackOasis, which is closely linked with Neodymium, included non-traditional targets, thereby crossing the boundary of lawful surveillance.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Wingbird | Votes: 1
Wingbird is a dangerous malware that can infect computers through downloads, emails, or websites without the user's knowledge. It is used by NEODYMIUM, an activity group that uses this backdoor malware to execute malicious actions on victim computers. Wingbird triggers several alerts in Windows Defe

ID: BlackOasis | Votes: 1
BlackOasis is a prominent threat actor known for its execution of actions with malicious intent, primarily through the use of zero-day exploits. The cybersecurity industry first became aware of BlackOasis' activities in May 2016 while investigating an Adobe Flash zero day. Notably, this group has re

ID: PROMETHIUM | Votes: 1
Promethium, also known as StrongyPity, is a Turkish-speaking threat actor that has been active since at least 2012. Despite multiple exposures over the years, this entity has remained undeterred and continued to expand its malicious activities. Promethium, along with another threat actor named Neody
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Kaspersky
Exploit
Backdoor
Payload
Windows
Espionage
Phishing
Malware
Associated Malware
ID: FinFisher | Type: Unspecified | Votes: 1
FinFisher, also known as FinSpy, is a notorious malware developed by the European company FinFisher. This malicious software has been used extensively for cyber espionage, exploiting vulnerabilities in systems to infiltrate and surveil targets, often without their knowledge. The malware infects syst
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the NEODYMIUM Threat Actor was read from the documents corpus below.
CERT-EU (10 months ago): Nuclear Fusion and the Future of Energy
CERT-EU (a year ago): New database quantifies materials needed to meet big clean energy goals
MITRE (a year ago): Middle Eastern hacking group is using FinFisher malware to conduct international espionage
MITRE (a year ago): Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe - Microsoft Security Blog