Promethium, also known as StrongyPity, is a Turkish-speaking threat actor that has been active since at least 2012. Despite being exposed publicly several times over the years, the group has remained undeterred and has continued to expand its operations. Promethium, along with another threat actor named Neodymium, has used zero-day exploits to execute code and download malicious payloads. Both groups have been linked to state-sponsored activity, and their primary motive appears to be gathering information about specific individuals rather than monetary gain or economic espionage.
In May 2016, both Promethium and Neodymium began targeted attack campaigns against certain individuals in Europe. They employed an unusual tactic: links distributed through instant messengers led recipients to malicious documents, which, once opened, invoked exploit code to launch the Truvasys malware on the victims' computers. Microsoft researchers described this behavior as "unusual" because the two groups launched their attacks almost simultaneously in the same region, targeting individuals with no apparent common affiliation.
Windows Defender ATP and Office 365 ATP have implemented rules based on Indicators of Compromise (IOCs) and threat intelligence specific to Promethium and Neodymium. More detailed information about these threat actors can be found in the Microsoft Security Intelligence Report volume 21. In conclusion, despite the exposure and countermeasures taken against it, Promethium remains a dedicated and resilient threat actor, persistently pursuing its agenda.
Description last updated: 2024-05-04T23:12:05.158Z