{
	"id": "805113a9-3512-40c3-b442-abb621ddd8f6",
	"created_at": "2026-04-06T00:17:31.64118Z",
	"updated_at": "2026-04-10T03:29:28.464039Z",
	"deleted_at": null,
	"sha1_hash": "798d78e2274421bf0dc0f21f642d3f7dc56d71f2",
	"title": "StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154356,
	"plain_text": "StrongPity2 spyware replaces FinFisher in MitM campaign – ISP\r\ninvolved?\r\nBy Filip Kafka\r\nArchived: 2026-04-05 15:12:44 UTC\r\nESET Research\r\nAs we reported in September, in campaigns we detected in two different countries, man-in-the-middle attacks had\r\nbeen used to spread FinFisher, with the “man” in both cases most likely operating at the ISP level.\r\n08 Dec 2017 • 4 min. read\r\nContinuing our research into FinFisher – the infamous spyware known also as FinSpy and sold to governments\r\nand their agencies worldwide – we noticed that the FinFisher malware in our previously-documented campaign,\r\nwhich had strong indicators of internet service provider (ISP) involvement, had been replaced by different\r\nspyware. Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the\r\ngroup called StrongPity. As well as detecting and blocking this threat, all ESET products – including the free\r\nESET Online Scanner – thoroughly clean systems compromised by StrongPity2.\r\nhttps://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/\r\nPage 1 of 5\n\nAs we reported in September, in campaigns we detected in two different countries, Man-in-the-Middle (MitM)\r\nattacks had been used to spread FinFisher, with the “man” in both cases most likely operating at the ISP level.\r\nAccording to our telemetry, those campaigns were terminated on 21 September 2017 – the very day we published\r\nour research.\r\nOn 8 October 2017, the same campaign resurfaced in one of those two countries, using the same (and very\r\nuncommon) structure of HTTP redirects to achieve “on-the-fly” browser redirection, only this time distributing\r\nWin32/StrongPity2 instead of FinFisher. We analyzed the new spyware and immediately noticed several\r\nsimilarities to malware allegedly operated by the StrongPity group in the past.\r\nThe first similarity is the attack scenario – users trying to download a software installation package were being\r\nredirected to a fake website serving a trojanized version of the expected installation package. The StrongPity\r\ngroup was observed performing such watering hole attacks in the summer of 2016, targeting mostly Italian and\r\nBelgian users of encryption software.\r\nDuring our research, we found several different software packages trojanized with Win32/StrongPity2:\r\nCCleaner v5.34\r\nDriver Booster\r\nThe Opera Browser\r\nSkype\r\nThe VLC Media Player v2.2.6 (32bit)\r\nWinRAR 5.50\r\nSince the beginning of the campaign, our systems have recorded more than one hundred detections of this\r\nmalware.\r\nWe found a number of other similarities between StrongPity-operated malware and the way in which\r\nWin32/StrongPity2 is implemented:\r\nSome parts of the code are exactly the same\r\nThe (not exactly common) structures of their configuration files share some notable similarities, as shown\r\nin Figure 1:\r\nFigure 1: Configuration file samples (top: StrongPity, bottom: StrongPity2)\r\nBoth use the same obfuscation algorithm (a very uncommon Byte ^= ((Byte \u0026 0xF0) \u003e\u003e 4))\r\nBoth use the same (quite old) libcurl version 7.45\r\nBoth exfiltrate files in the same way (the main payload handles exfiltration of files previously collected and\r\nsaved by a dedicated module)\r\nSpeaking of stealing data, Win32/StrongPity2 has several file types with the following extensions in its crosshairs:\r\n.ppt\r\n.pptx\r\n.xls\r\n.xlsx\r\n.txt\r\n.doc\r\n.docx\r\n.pdf\r\n.rtf\r\nWhile searching for these files, it avoids the following folders:\r\n%Windows%\r\n%Windows.old%\r\n%AppData%\r\n%Program Files%\r\n%Program Files (x86)%\r\n%ProgramData%\r\nIn addition to data exfiltration, Win32/StrongPity2 is able to download and execute virtually any other (malicious)\r\nsoftware of the attacker’s choice, with the privileges held by the compromised account.\r\nHow to check your system for compromise, how to clean it and how to stay\r\nprotected\r\nTo determine whether a system is infected with Win32/StrongPity2, the system can be scanned using the free\r\nESET Online Scanner. If Win32/StrongPity2 is detected, this tool is able to remove it.\r\nIt is also possible to check the system manually by verifying the existence of the folder\r\n%temp%\\lang_be29c9f3-83we, which the malware creates to store its components, with the file wmpsvn32.exe\r\nbeing the main one. Another easy-to-check indicator of compromise is the presence of a Registry string value\r\nlocated in the path HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, named Help Manager with the\r\nstring\r\n%temp%\\lang_be29c9f3-83we\\wmpsvn32.exe in its data field:\r\nFigure 2: Registry entry used by the malware to gain persistence\r\nManual clean-up of an infected system includes the following steps:\r\n1. Killing the main component’s process, wmpsvn32.exe\r\n2. Deleting the folder %temp%\\lang_be29c9f3-83we and all its contents\r\n3. Deleting the ‘Help Manager’ value in the above-mentioned Registry entry\r\nIt is important to note that for real-time, continuous protection we recommend using a reputable multi-layered\r\ninternet security suite.\r\nSpecial thanks to Ivan Besina for his help with the research for this article.\r\nIoCs\r\nHashes of analyzed samples:\r\nDomain serving the software packages trojanized by Win32/StrongPity2\r\nhxxps://downloading.internetdownloading.co\r\nURLs used to exfiltrate stolen data\r\nhxxps://updserv-east-cdn3.com/s3s3sxhxTuDSrkBQb88wE99Q.php\r\nhxxps://updserv-east-cdn3.com/kU2QLsNB6TzexJv5vGdunVXT.php\r\nhxxps://updserv-east-cdn3.com/p55C3xhxTuD5rkBQbB8wE99Q.php\r\nFolder created by the malware to store its components\r\n%temp%\\lang_be29c9f3-83we\r\nSource: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/"
	],
	"report_names": [
		"strongpity-like-spyware-replaces-finfisher"
	],
	"threat_actors": [
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775791768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/798d78e2274421bf0dc0f21f642d3f7dc56d71f2.pdf",
		"text": "https://archive.orkl.eu/798d78e2274421bf0dc0f21f642d3f7dc56d71f2.txt",
		"img": "https://archive.orkl.eu/798d78e2274421bf0dc0f21f642d3f7dc56d71f2.jpg"
	}
}