{
	"id": "2e051cfa-d2f5-439f-97bc-b8b849d26103",
	"created_at": "2026-04-06T00:20:09.186172Z",
	"updated_at": "2026-04-10T03:35:44.24118Z",
	"deleted_at": null,
	"sha1_hash": "81a1a99502c5d845290493ea53ce70af0d98fc23",
	"title": "PROMETHIUM extends global reach with StrongPity3 APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 991144,
	"plain_text": "PROMETHIUM extends global reach with StrongPity3 APT\r\nBy Vitor Ventura\r\nPublished: 2020-06-29 · Archived: 2026-04-05 16:27:54 UTC\r\nBy Warren Mercer, Paul Rascagneres and Vitor Ventura.\r\nNews summary\r\nThe threat actor behind StrongPity is not deterred despite being exposed multiple times over the past four years.\r\nThey continue to expand their victimology and attack seemingly unrelated countries.\r\nThis kind of continuous improvement suggests there is a possibility that this is an exported solution for other actors to use.\r\nExecutive summary\r\nThe PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years. However, this has not deterred the actor from continuing and expanding its activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains. We assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the domain creation month and year.\r\nWhat's new?\r\nTalos telemetry shows that PROMETHIUM is expanding its reach and attempting to infect new targets across several countries. The samples related to StrongPity3 targeted victims in Colombia, India, Canada and Vietnam. We observed at least four new trojanized setup files used by the group: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).\r\nHow did it work?\r\nTalos could not pinpoint the initial attack vector; however, the use of trojanized installation files for well-known applications is consistent with the previously documented campaigns. 
This leads us to believe that, just like in the past, the initial vector may be either a watering hole attack or in-path request interception, as mentioned in a CitizenLab report from 2018.\r\nThe trojanized setup installs both the malware and the legitimate application, which is a good way to disguise its activities. In some cases, it reconfigures Windows Defender before dropping the malware to prevent detection.\r\nSo what?\r\nhttps://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html\r\nPage 1 of 17\n\nThis group mainly focuses on espionage, and these latest campaigns continue down the same path. The malware will exfiltrate any Microsoft Office file it encounters on the system. Previous research even linked PROMETHIUM to state-sponsored threats. The fact that the group does not refrain from launching new campaigns even after being exposed shows its resolve to accomplish its mission.\r\nPROMETHIUM has been resilient over the years. Its campaigns have been exposed several times, but that was not enough to make the actors behind it stop.\r\n2019-2020 Campaigns\r\nPotential infection vectors\r\nDespite the number of samples and the quantity of C2 servers, Cisco Talos did not identify the infection vectors. We have no evidence that the websites of the real applications were compromised to host the malicious installer. The infection vector does not seem to be related to a supply-chain attack, either.\r\nBased on the previous research from CitizenLab and the artifacts from the new campaigns, we estimate that the infection vector could be the same as in 2018: when the targeted users tried to download a legitimate application from the official website, the ISP performed an HTTP redirect. 
For more information about the methodology used in the past, we recommend reading the paper from CitizenLab.\r\nNew victimology\r\nThe report from CitizenLab highlights the intervention of service providers during the initial attack vector, implying state support. It also refers to the change from FinSpy, a well-known malware developed by a lawful interception company, to StrongPity2. At the time, they concluded that most of the victims were in Turkey and Syria.\r\nOur research indicates that the victims are now in many different regions of the world.\r\nCountries affected by StrongPity\r\nThe many different versions of the malware, coupled with the fact that the domains are hardcoded, indicate that a tool such as a builder is used to generate the binaries. We can conclude that either the PROMETHIUM threat actor is interested in new countries or the malicious framework developed by this threat actor is exported to more countries than previously thought.\r\nTrojanized Firefox Installer\r\nOne interesting detail, which is aligned with CitizenLab's claim that Turkish people were the most targeted, is the Turkish-language version of the Firefox installer.\r\nC2 infrastructure\r\nTalos has identified at least three different campaigns since July 2019. We clustered the campaigns based on the domain creation date.\r\nDomain clusters\r\nThe fact that we clustered these into different campaigns does not mean that they have been conducted sequentially. 
In fact, our analysis of each domain showed that these are overlapping campaigns — some of them going back to 2018.\r\nDomain activity timeline\r\nSome of these domains may already be sinkholed, thus posing no threat. However, the fact that the number of hits is still high shows that the infection vectors are still active. It is interesting to note that this threat actor uses HTTPS on the C2, always with self-signed certificates.\r\nMain differences between StrongPity2 and StrongPity3\r\nStrongPity3 is the evolution of StrongPity2, with a few differences. StrongPity3 no longer uses libcurl and now uses winhttp to perform all requests to the C2. The persistence mechanism based on the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has been replaced by the creation of a service. This service changes its name from package to package. The service executable's only job is to launch the C2 contact module upon service startup. The remaining malware flow is the same on both versions.\r\nThe dropped files are now stored in a folder located in C:\\DOCUME~1\\\u003cUSER\u003e~1\\LOCALS~1\\Temp\\, always following the same naming pattern, similar to the following: 4CA-B25C11-A27BC. The C2 path pattern has also changed; we have identified the following paths: ini.php, info.php and parse_ini_file.php, which are no longer random nor based on animal names.\r\nMalware\r\nTrojanized applications\r\nWe found four different trojanized binaries in use since July 2019. The 5kplayer, DriverPack and Firefox trojanized software use a service to achieve persistence. 
The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019.\r\nAnti-virus checks on Firefox trojanized installer\r\nBefore writing the toolkit to the hard drive, the fake Firefox installer executes a PowerShell command that adds the directories used by the malware to the Windows Defender exclusions list and, at the same time, prevents sample submission. After that, it checks whether ESET or BitDefender antivirus is installed before dropping the malware. If either is installed, nothing is dropped.\r\nWe'll now break down the 5kplayer trojanized installer. The setup deploys three files which are part of the toolset: rmaserv.exe, winprint32.exe and mssqldbserv.xml.\r\nExecution flow\r\nAs the execution flow shows, the setup only executes rmaserv.exe. The remaining modules are executed by rmaserv.exe when it runs as a service.\r\nThe malicious service: rmaserv.exe\r\nThis binary has two main features. If it is executed with the \"help\" parameter, it installs a service to execute itself as a service. This parameter is used by the trojanized installer. Here is the code to perform this task:\r\nrmaserv.exe entry function\r\nThis follows the design pattern described in the Microsoft Windows documentation, which can be found here.\r\nThis has a notable side effect: if rmaserv.exe is executed in isolation in a sandbox (that is, without the parameter), the service is not created. Consequently, the execution does nothing and the dynamic analysis will be skewed.\r\nThe second main feature is the service. This service has two features. 
First, it launches the winprint32.exe executable (the C2 contact module) and then waits for an event. This event is the mechanism used by the C2 contact module to alert the service executable to perform the cleaning of all components.\r\nC2 contact module: winprint32.exe\r\nThe service regularly checks whether a user is logged in by checking whether Explorer is running. Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe.\r\nThis module is responsible for launching the document search module, contacting the C2 and exfiltrating the collected documents. It creates a mutex with the name \"YeucqCcpgapiZISEdRSNiL\". Afterward, it launches two processes:\r\nC:\\DOCUME~1\\\u003cUSER\u003e~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\mssqldbserv.xml\r\nC:\\DOCUME~1\\\u003cUSER\u003e~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\wintasks.xml\r\nMutex creation\r\nThen, it starts an infinite loop. The first step inside the loop is to contact the C2 over HTTPS. On the first contact, it sends an identification of the victim based on the hard disk volume serial number.\r\nContact C2 loop\r\nAfter a 6,050-millisecond delay, it searches for \"sft\" files (the encoded archives containing the documents to be exfiltrated), which are then exfiltrated to the C2.\r\nAfterward, it sleeps for another 6,050 milliseconds before restarting. This module can be executed independently of the rest of the toolkit. Talos didn't identify any kind of anti-sandboxing mechanism in it, either.\r\nDocument search module: Mssqldbserv.xml\r\nThis module has been described before in the article here. The purpose of this tool is to parse the hard drive for files with specific extensions and create an archive with these files. 
Finally, the archive is encoded before being sent to the C2.\r\nmssqldbserv.xml main function\r\nHowever, there are some interesting details we decided to share. Clearly, this was not originally designed to be executed in the background: the first instructions in the main function hide the console window from the user. Afterward, the module deletes old \"sft\" files, assuming they were already exfiltrated. After a pause of 6,500 milliseconds, it starts its search for the targeted files.\r\nSFT file creation routine\r\nUsing the working directory as a base path, which in this sample's case is C:\\DOCUME~1\\\u003cUSER\u003e~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\, each selected file is compressed into the file kr.zp. The kr.zp data is then read and encoded using the same unusual encoding scheme:\r\nbyte = byte XOR (byte \u003e\u003e 4)\r\nIf the file is larger than 2048*53 bytes (~106 KB), it is split into chunks and saved into the sft files according to the naming convention below.\r\ngui_app0_[VolumeSerialNumber]_[MonthDayHourMinuteSecondMilliseconds]_[Counter].sft\r\nSince this module does not have a loop, it is only executed at the communications module's startup, which means that it runs only once per service start.\r\nMysterious Wintask.xml\r\nOur initial analysis in a sandbox showed that the C2 contact module attempts to execute this file, searching for it in the same path as the document search module, which we further corroborated with manual analysis. However, we couldn't obtain this file. All files in the toolkit are dropped by the trojanized software, and it's clear that the C2 contact module expects this file to exist (the specific name changes from dropper to dropper). 
None of the trojanized software we analyzed dropped this file, and manual analysis showed that there were no checks to decide whether to drop it. One possibility is that these are remains of old code that was abandoned in the meantime.\r\nConclusion\r\nThe PROMETHIUM threat actor is dedicated and resilient; being exposed hasn't stopped them from moving forward with their agenda. After first being documented, they changed their toolkit but not their techniques or procedures. Since then, their toolkit has stayed the same, with just enough updates to keep their activities as efficient as possible. During this period, the victimology has expanded beyond their initial focus on Europe and the Middle East to a global operation targeting organizations on most continents.\r\nThese characteristics can be interpreted as signs that this threat actor could in fact be part of an enterprise service-for-hire operation. We believe this has the hallmarks of a professionally packaged solution, because each piece of malware is extremely similar but used across different targets with minor changes.\r\nAdditionally, as explained by Citizen Lab, we saw in the past that a lawful interception tool was used instead of StrongPity. This usage could corroborate our theory.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. 
Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on 
Snort.org.\r\nIOCs\r\nHashes\r\nDomain\r\nSource: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"
	],
	"report_names": [
		"promethium-extends-with-strongpity3.html"
	],
	"threat_actors": [
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434809,
	"ts_updated_at": 1775792144,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81a1a99502c5d845290493ea53ce70af0d98fc23.pdf",
		"text": "https://archive.orkl.eu/81a1a99502c5d845290493ea53ce70af0d98fc23.txt",
		"img": "https://archive.orkl.eu/81a1a99502c5d845290493ea53ce70af0d98fc23.jpg"
	}
}