{
	"id": "bc8dbe57-ee63-476e-b13a-ab4fc095e5a6",
	"created_at": "2026-04-06T00:10:05.447762Z",
	"updated_at": "2026-04-10T13:12:02.307745Z",
	"deleted_at": null,
	"sha1_hash": "530c3f4fce717537631d434e5136f57562497388",
	"title": "Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 209097,
	"plain_text": "Twin zero-day attacks: PROMETHIUM and NEODYMIUM\r\ntarget individuals in Europe | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2016-12-14 · Archived: 2026-04-02 11:10:11 UTC\r\nTargeted attacks are typically carried out against individuals to obtain intellectual property and other valuable data\r\nfrom target organizations. These individuals are either directly in possession of the targeted information or are\r\nable to connect to networks where the information resides. Microsoft researchers have encountered twin threat\r\nactivity groups that appear to target individuals for reasons that are quite uncommon.\r\nUnlike many activity groups, which typically gather information for monetary gain or economic espionage,\r\nPROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain\r\nindividuals. These activity groups are also unusual in that they use the same zero-day exploit to launch attacks at\r\naround the same time in the same region. Their targets, however, appear to be individuals that do not share\r\ncommon affiliations.\r\nActivity group profiles\r\nPROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a\r\nfirst-stage malware that has been in circulation for several years. Truvasys has been involved in several attack\r\ncampaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt,\r\nWinRAR, or SanDisk. 
In each of the campaigns, Truvasys malware evolved with additional features—this shows\r\na close relationship between the activity groups behind the campaigns and the developers of the malware.\r\nNEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird.\r\nThis backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package.\r\nData about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.\r\nSimilarly timed attacks\r\nIn early May 2016, both PROMETHIUM and NEODYMIUM started conducting attack campaigns against\r\nspecific individuals in Europe. They both used an exploit for CVE-2016-4117, a vulnerability in Adobe Flash\r\nPlayer that, at the time, was both unknown and unpatched.\r\nPROMETHIUM distributed links through instant messengers, pointing recipients to malicious documents that\r\ninvoked the exploit code to launch Truvasys on victim computers. Meanwhile, NEODYMIUM used well-tailored\r\nspear-phishing emails with attachments that delivered the exploit code, ultimately leading to Wingbird’s\r\ninstallation on victim computers.\r\nWhile the use of the same exploit code could be attributed to coincidence, the timing of the campaigns and the\r\ngeographic location of victims lend credence to the theory that the campaigns are somehow related.\r\nhttps://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/\r\nPage 1 of 3\n\nStopping exploits in Windows 10\r\nPROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious\r\npayload. Protected view, a security feature introduced in Microsoft Office 2010, can prevent the malicious Flash\r\ncode from loading when the document is opened. 
Control Flow Guard, a security feature that is turned on by\r\ndefault in Windows 10 and Microsoft Office 365 64-bit, can stop attempts to exploit memory corruption\r\nvulnerabilities. In addition, Credential Guard, an optional feature introduced in Windows 10, can stop Wingbird’s\r\nuse of the system process lsass.exe to load a malicious DLL.\r\nDetecting suspicious behaviors with Windows Defender Advanced Threat\r\nProtection\r\nWindows Defender Advanced Threat Protection (Windows Defender ATP) is a new built-in service that ships\r\nnatively with Windows 10 and helps enterprises to detect, investigate and respond to advanced targeted attacks.\r\nWhen activated, it captures behavioral signals from endpoints and then uses cloud-based machine learning\r\nanalytics and threat intelligence to flag attack-related activities.\r\nWingbird, the advanced malware used by NEODYMIUM, has several behaviors that trigger alerts in Windows\r\nDefender ATP. Windows Defender ATP has multiple behavioral and machine learning detection rules that can\r\ncatch various elements of the malware kill chain. As a result, it can generically detect, without any signature, a\r\nNEODYMIUM attack in the following stages:\r\nZero-day exploits causing Microsoft Office to generate and execute malicious files\r\nZero-day exploits attempting to grant malicious executables higher privileges\r\nMalicious files trying to delete themselves\r\nMalicious files attempting the DLL side-loading technique, in which legitimate DLLs in non-standard\r\nfolders are replaced by malicious ones so that malicious files are loaded by the operating system or by\r\ninstalled applications\r\nMalicious files injecting code into legitimate processes\r\nIn the example below, Windows Defender ATP alerts administrators that something is amiss. 
It notifies them that\r\nan Office document has dropped an executable file on one of their computers, activity that is very likely part of\r\nan attack.\r\nAdditionally, Windows Defender ATP and Office 365 ATP leverage rules based on IOCs and threat intelligence\r\nspecific to PROMETHIUM and NEODYMIUM. Alerts from these rules work alongside concise briefs and in-depth profiles provided in the Windows Defender ATP console to help administrators address breach attempts by\r\nthese activity groups.\r\nFor more information about the Windows Defender ATP service in Windows 10, check out its features and capabilities\r\nand read more about why a post-breach detection approach is a key component of any enterprise security stack.\r\nDetails about PROMETHIUM and NEODYMIUM along with indicators of compromise can be found in the\r\nMicrosoft Security Intelligence Report volume 21.\r\nTo test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced\r\nattacks, sign up for a free trial.\r\nWindows Defender ATP team\r\nTalk to us\r\nQuestions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows\r\nDefender Security Intelligence.\r\nFollow us on Twitter @WDSecurity.\r\nSource: https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
	],
	"report_names": [
		"twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe"
	],
	"threat_actors": [
		{
			"id": "27485543-d2e7-4053-a660-157489732cbb",
			"created_at": "2022-10-25T16:07:23.895403Z",
			"updated_at": "2026-04-10T02:00:04.781765Z",
			"deleted_at": null,
			"main_name": "Neodymium",
			"aliases": [
				"G0055"
			],
			"source_name": "ETDA:Neodymium",
			"tools": [
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "400a3efc-44a1-4d83-a724-cd16818328f9",
			"created_at": "2023-01-06T13:46:38.516115Z",
			"updated_at": "2026-04-10T02:00:03.008975Z",
			"deleted_at": null,
			"main_name": "NEODYMIUM",
			"aliases": [
				"G0055"
			],
			"source_name": "MISPGALAXY:NEODYMIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11cbeb5-461f-4bd8-a86b-f57e471a664d",
			"created_at": "2022-10-25T15:50:23.257383Z",
			"updated_at": "2026-04-10T02:00:05.414047Z",
			"deleted_at": null,
			"main_name": "NEODYMIUM",
			"aliases": [
				"NEODYMIUM"
			],
			"source_name": "MITRE:NEODYMIUM",
			"tools": [
				"Wingbird"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/530c3f4fce717537631d434e5136f57562497388.pdf",
		"text": "https://archive.orkl.eu/530c3f4fce717537631d434e5136f57562497388.txt",
		"img": "https://archive.orkl.eu/530c3f4fce717537631d434e5136f57562497388.jpg"
	}
}