{
	"id": "3d921059-638e-41dc-ab8e-0e4d17eed4f5",
	"created_at": "2026-04-06T00:06:27.519429Z",
	"updated_at": "2026-04-10T03:29:28.400426Z",
	"deleted_at": null,
	"sha1_hash": "237f4fd42b503b58f7ad71170c59e56973fb8b96",
	"title": "Promethium, StrongPity - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71983,
	"plain_text": "Promethium, StrongPity - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 18:52:28 UTC\r\n APT group: Promethium, StrongPity\r\nNames\r\nPromethium (Microsoft)\r\nStrongPity (Kaspersky)\r\nAPT-C-41 (Qihoo 360)\r\nMagenta Dust (Microsoft)\r\nG0056 (MITRE)\r\nCountry Turkey\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nDescription\r\nPromethium is an activity group that has been active since at least 2012. The group\r\nconducted a campaign in May 2016 and has heavily targeted Turkish victims.\r\nPromethium has demonstrated similarity to another activity group called\r\nNeodymium due to overlapping victim and campaign characteristics.\r\n(Microsoft) Promethium is an activity group that has been active as early as 2012.\r\nThe group primarily uses Truvasys, a first-stage malware that has been in circulation\r\nfor several years. Truvasys has been involved in several attack campaigns, where it\r\nhas masqueraded as one of several common computer utilities, including WinUtils,\r\nTrueCrypt, WinRAR, or SanDisk. 
In each of the campaigns, Truvasys malware\r\nevolved with additional features—this shows a close relationship between the\r\nactivity groups behind the campaigns and the developers of the malware.\r\nObserved\r\nCountries: Algeria, Belgium, Canada, Colombia, Cote d'Ivoire, Egypt, France,\r\nGermany, India, Iraq, Italy, Morocco, Netherlands, Poland, Senegal, South Africa,\r\nSyria, Tunisia, Turkey, USA, Vietnam.\r\nTools used StrongPity, StrongPity2, StrongPity3, Truvasys.\r\nOperations performed Mar 2018 Sandvine’s PacketLogic Devices Used to Deploy Government\r\nSpyware in Turkey and Redirect Egyptian Users to Affiliate Ads?\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=c33e0a3e-f5b9-46e2-9fab-f19869292c11\r\nPage 1 of 3\n\nMar 2018\nTwo months after the Citizen Lab report, Cylance found new\nPromethium/StrongPity activity, utilizing new infrastructure. The\nobserved domains all appeared to have been registered about two\nweeks after Citizen Lab’s report. The malware has continued to adapt\nas new information is published. Minimal effort and code changes\nwere all that was required to stay out of the limelight. Cylance\nobserved new domains, new IP addresses, filename changes, and small\ncode obfuscation changes.\nJul 2019\nIn early July 2019 Alien Labs began identifying new samples\nresembling StrongPity. 
The new malware samples have been\nunreported and generally appear to have been created and deployed to\ntargets following a toolset rebuild in response to the above public\nreporting during the fourth quarter of 2018.\n2019\nPROMETHIUM extends global reach with StrongPity3 APT\nFeb 2020\nWe recently detected a new, ongoing data exfiltration campaign\ntargeting victims in Turkey that started in February 2020.\nJul 2021\nStrongPity APT Group Deploys Android Malware for the First Time\nNov 2021\nA new StrongPity variant hides behind Notepad++ installation\nNov 2021\nStrongPity espionage campaign targeting Android users\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c33e0a3e-f5b9-46e2-9fab-f19869292c11\n\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c33e0a3e-f5b9-46e2-9fab-f19869292c11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c33e0a3e-f5b9-46e2-9fab-f19869292c11"
	],
	"report_names": [
		"showcard.cgi?u=c33e0a3e-f5b9-46e2-9fab-f19869292c11"
	],
	"threat_actors": [
		{
			"id": "27485543-d2e7-4053-a660-157489732cbb",
			"created_at": "2022-10-25T16:07:23.895403Z",
			"updated_at": "2026-04-10T02:00:04.781765Z",
			"deleted_at": null,
			"main_name": "Neodymium",
			"aliases": [
				"G0055"
			],
			"source_name": "ETDA:Neodymium",
			"tools": [
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "400a3efc-44a1-4d83-a724-cd16818328f9",
			"created_at": "2023-01-06T13:46:38.516115Z",
			"updated_at": "2026-04-10T02:00:03.008975Z",
			"deleted_at": null,
			"main_name": "NEODYMIUM",
			"aliases": [
				"G0055"
			],
			"source_name": "MISPGALAXY:NEODYMIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11cbeb5-461f-4bd8-a86b-f57e471a664d",
			"created_at": "2022-10-25T15:50:23.257383Z",
			"updated_at": "2026-04-10T02:00:05.414047Z",
			"deleted_at": null,
			"main_name": "NEODYMIUM",
			"aliases": [
				"NEODYMIUM"
			],
			"source_name": "MITRE:NEODYMIUM",
			"tools": [
				"Wingbird"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775791768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/237f4fd42b503b58f7ad71170c59e56973fb8b96.pdf",
		"text": "https://archive.orkl.eu/237f4fd42b503b58f7ad71170c59e56973fb8b96.txt",
		"img": "https://archive.orkl.eu/237f4fd42b503b58f7ad71170c59e56973fb8b96.jpg"
	}
}