{
	"id": "cdc71e57-3acd-42da-8f6a-dcae886e991b",
	"created_at": "2026-04-06T00:18:39.475483Z",
	"updated_at": "2026-04-10T13:12:22.400549Z",
	"deleted_at": null,
	"sha1_hash": "c57dcbab6f12e1a72a7a9f70ffa1457017b407f9",
	"title": "Recover your files with StrongPity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3757963,
	"plain_text": "Recover your files with StrongPity\r\nBy RJM\r\nPublished: 2022-02-12 · Archived: 2026-04-05 16:58:56 UTC\r\nDisclaimer: The views, methods, and opinions expressed at Anchored Narratives are those of the author and do not necessarily reflect the official policy or position of my employer.\r\nCover: StrongPity APT Actor hides the backdoor in legitimate “recovery” software.\r\nFirst, a warm welcome to the new subscribers of the Anchored Narratives mailing list. For those who are new to the list: I regularly pick an interesting tweet that matches my intelligence requirements and generate an anchored story on geopolitical (cyber) threats, digital forensics, or crime from it. Usually, I pick a story about which I have no real in-depth or prior knowledge. The goal is to understand a particular topic better, improve my investigation and writing skills, and generate a reliable story anchored in evidence. This time the story starts with a tweet that matched my intelligence requirements on 15 March 2021:\r\n\"#apt #strongpity new sample hunted md5:95ff679f525c44e4abac8e61f8052ca5 c2：transferprotocolpolicy.com\"\r\nFor people with an interest in this field, the tweet says that someone found a malicious sample with the MD5 hash “95ff679f525c44e4abac8e61f8052ca5” attributed to an Advanced Persistent Threat (APT) actor called StrongPity. APT is the industry term for a well-resourced, typically state-linked group that runs sustained cyber operations. The sample communicates with its command and control (C2) server “transferprotocolpolicy.com” for further instructions. This tweet triggered some personal interest to start a deep dive into this nation-state actor group.\r\nhttps://anchorednarratives.substack.com/p/recover-your-files-with-strongpity\r\nPage 1 of 11\n\nThey have been around for many years, deploy interesting tactics at scale, and are observed in geopolitical disputes. 
This article will outline the background of this alleged Turkish nation-state actor or state-sponsored group. Next, the malicious backdoor will be reversed briefly, the resulting intelligence will be used to hunt for additional indicators, and finally the article will end with some observations and a conclusion. Let’s go.\r\nThe StrongPity actor group has been around since 2012 and keeps employing the same tactic: adding backdoors to legitimate software used by specific user groups. When the trojanized installers are served from sites the targets are known to visit, some call this technique water holing. The group is also referred to as APT-C-41 and PROMETHIUM. In 2016 StrongPity was detected by Kaspersky in a campaign that targeted specific users in Belgium and Italy who were interested in TrueCrypt and WinRAR. These software packages are used by niche user groups interested in strong encryption. The actor group set up a domain name that mimicked the official WinRAR distribution site and placed links to the trojanized WinRAR installer on a certified distributor website. In the same year, Microsoft observed a campaign by the same group targeting specific users with a zero-day vulnerability in Adobe Flash; the exploit was tracked as CVE-2016-4117. In 2017 ESET published research in which they detected StrongPity while tracking the FinFisher group and an Internet Service Provider's involvement. Their analysis revealed that users were redirected to trojanized software packages. 
Some of the targeted software packages were the following:\r\nCCleaner v5.34\r\nDriver Booster\r\nThe Opera Browser\r\nSkype\r\nThe VLC Media Player v2.2.6 (32bit)\r\nWinRAR 5.50\r\nIn their research, ESET states that an exfiltration component in the StrongPity backdoor collects files with the following extensions:\r\n.ppt, .pptx, .xls, .xlsx, .txt, .doc, .docx, .pdf, .rtf\r\nThe stolen files are sent to a central server operated by the StrongPity actor, and the backdoor waits for further instructions.\r\nBy 2018 Citizen Lab found several so-called deep packet inspection devices in Türk Telekom's network, via which users were redirected to download trojanized installers of Avast Antivirus, CCleaner, Opera, and 7-Zip. The surveillance was set up so that users who tried to fetch the official downloads from the authorized vendor websites were silently redirected to the trojanized versions of Avast, CCleaner, etcetera. Citizen Lab referred to the malware as StrongPity, which was used after the operators stopped using FinFisher spyware. FinFisher was sold to governments as a lawful interception capability. Citizen Lab also described that these injection techniques were observed from other nation-states as well, namely China (Great Cannon) and the US (NSA’s QUANTUM).\r\nIn June 2020, Bitdefender published research in which StrongPity employed similar tactics to selectively infect victims in Turkey and Syria. According to Bitdefender, the group was specifically interested in the Kurdish community, giving it a geopolitical angle.\r\nFigure 1: Figure adopted from the Bitdefender report. 
Victims were concentrated in the area of Turkey and Syria.\r\nIn their investigation, Bitdefender found trojanized versions of the following software:\r\n7-Zip\r\nWinRAR\r\nMcAfee Security Scan Plus\r\nFile recovery application - Recuva\r\nTeamViewer\r\nWhatsApp\r\nCCleaner\r\nCleverFiles Disk Drill\r\nDAEMON Tools Lite\r\nThey also found a particular tag that is used for authentication and is influenced by the file's compilation time. Such a tag looks like “v11_kt26“, for example. To me, these tags resemble campaign identifiers that actors use to distinguish between different targets. The researchers from Bitdefender listed a tremendous number of StrongPity samples in their report, indicating an extensive campaign.\r\nResearchers from Cyble released a report in December 2020 stating that the StrongPity actors had expanded their global reach and included mass phishing e-mail campaigns. According to their research, victims were now widespread across Europe, Northern Africa, Canada, and Asia. Cyble discovered that the victim was targeted through a trojanized version of the Partition Find and Mount software utility. Their analysis refers to a screenshot (figure 6) that should demonstrate the decryption routines and the decrypted payloads in process memory, but those screenshots are blurred and not readable. After that, they report that the malware creates a mutex (a named Windows synchronization object) with a particular name (figure 7) and then show in a debugger how the malware connects to a specific domain (figure 8). From their research it remains unclear how the mutex's name is generated and where and how the command and control information is stored. The claim of mass phishing attacks is not substantiated by e-mail samples in their report. 
Their released StrongPity indicators already contained “transferprotocolpolicy[.]com” as a command and control server, the same domain as in the tweet that matched my intelligence requirements in March 2021.\r\nIn 2021 LMNTRIX released research into what they call “the Turkish APT group APT-C-41 (aka StrongPity and Promethium)”. They claim that the group targets financial organizations, industrial plants, and educational institutes after installing a backdoor on its victims. Their research provides some screenshots of a disassembly tool in which they state that the malware has so-called anti-debugging functionality enabled (an IsDebuggerPresent check).\r\nThey further state: “After bypassing these functions, we found the command and control domain embedded into the code. The snapshot shows the communication happens to the malicious domain, which we highlighted below [mailtransfersagents(dot)com]:”\r\nThe malware samples referenced in their research are indeed StrongPity samples. Based on the screenshots LMNTRIX provided, however, I could not observe the command and control domain embedded in the provided snapshots.\r\nBoth the Cyble and LMNTRIX reports triggered me to dive into some reversing of the backdoor functionality to determine how the StrongPity backdoor stores its configuration, as this was not clear to me from their analysis. Let’s start with the sample that triggered my intelligence requirements in the first place.\r\nTable 1: Checksums of the StrongPity backdoor that will be investigated.\r\nThe StrongPity backdoor is installed via trojanized installers of legitimate and popular software products. The extensive research of Citizen Lab indicates that a telecom provider in Turkey was involved in redirecting victims to the trojanized downloads.\r\nWhat is not clear to me is how the configuration data is stored in the malware. 
To understand how that data is stored, I will follow the regular malware reversing process. You start with static analysis: what information can you get out of the malware sample without executing it? If things are not evident by then, you can also execute the malware in a sandbox or run it in a so-called debugger. For readability, I will only focus on the main findings.\r\nUsually, you’ll start by looking at which ‘strings’ (text) are present in the malware sample. Analyzing strings in binary files is an essential aspect of malware analysis, as it provides valuable information about the program’s purpose and functionality. String output is also commonly used to develop Yara signatures. Yara is a tool to identify and classify malware families: unique strings, constants, or byte patterns are placed in so-called Yara signatures to find more samples. Usually, these signatures hold indicators of compromise, like filenames or specific user agents observed in the malware samples. Malware authors generally leverage obfuscation or encryption techniques to hide the secrets they need to store in the binary. They will also employ anti-debugging tricks to hinder automated analysis. To leverage the Windows operating system's functionality, malware authors often rely on standard Windows Application Programming Interfaces (APIs) for their backdoors to interact with the system. Usually, these APIs are visible in the ‘strings’ output, but malware authors can hide this as well. In the StrongPity sample, many of these APIs were observed, like CreateMutexW, CreateProcessW, WinHttpConnect, and IsDebuggerPresent. The regular ‘strings‘ command on Linux revealed no domain information, however.\r\nTo determine whether the StrongPity malware authors employed an obfuscation technique called stack strings (strings assembled on the stack at run time from individual bytes or small constants, so they never appear as contiguous text in the file), the ‘floss’ program was used. 
That revealed the following information:\r\nScreenshot 1: Floss detected stack strings in the StrongPity backdoor\r\nThe extracted information reveals file names (winmsism.exe, sppser.exe), but also “ndaData“, the directory where the malware collects its information before sending it to the operators, according to the reports. Besides those indicators, I have highlighted some suspicious string patterns. From a brief assessment of this output, it looks like this is the config information stored in the StrongPity backdoor. But we need to do a bit more digging, and I will use a free open source reverse engineering tool called Cutter for that. A decompiler is a program that analyzes an executable and tries to create a high-level representation of its machine code. Cutter has a feature to decompile an executable program and reconstruct an approximation of the source code. This helps the analyst understand the program flow and how the malware calls certain functions or routines. By decompiling the main function of the StrongPity malware, it becomes immediately apparent how the file names and the mutex observed in the floss stack strings output are passed to the relevant functions.\r\nScreenshot 2: String put on the stack passed onto the CreateMutexW function\r\nSo the mutex created from the stack strings in the StrongPity backdoor can be seen in screenshot 2.\r\nScreenshot 3: File names that were put on the stack and that were detected by floss\r\nThe file names are also assembled from the stack-based string values.\r\nIn screenshot 3 the function with the name fcn.0040106a() is executed. That function leads to two so-called byte encoding routines, each leveraging a single-byte XOR operation, with the keys 0x59 and 0x2b respectively. Malware authors often use XOR as this operation obfuscates data cheaply. XOR is a bitwise operation. 
If you XOR something twice with the same key, you get the original value back. In the example below, the capital character “A” is XOR’ed with the XOR key “B”. The output of the XOR operation is a non-printable character (NP). If we then XOR that value with the original XOR key “B” again, we have the original value back.\r\nInput data       = 'A'  = 01000001\r\nXOR key          = 'B'  = 01000010\r\nOutput data (NP) = 0x03 = 00000011\r\nXOR key          = 'B'  = 01000010\r\nOutput data      = 'A'  = 01000001\r\nAs shown in the example above, these operations can result in unreadable information: non-printable characters are not printed or detected by the ‘strings’ or ‘floss’ utilities, so the encoded bytes do not show up as text. Let’s continue with the analysis.\r\nScreenshot 4: Strings put on the stack are xor’ed with 0x59\r\nThe XOR operation with the 0x59 byte value eventually decodes the encoded stack strings to the first domain and URL, namely “hxxps://transferprotocolpolicy.com/parse_ini_file.php”. The XOR operation with the 0x2b byte value finally results in the following domain and URL after decoding: “hxxps://transferprotocolpolicy.com/phpinfo.php”.\r\nAfter the static analysis, the StrongPity sample was executed in x64dbg on my isolated virtual machine for dynamic confirmation of the initial findings. By setting breakpoints on the CreateMutexW and GetTempPathW API functions, the StrongPity backdoor reveals the creation of the same mutex and, later on, the deobfuscation of the domains and URLs used by the StrongPity actors. 
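Before going into the debugger output, the static decoding step described above can be reproduced offline. The block below is an added example written for this article; it is not code from the original post and not code taken from the StrongPity sample. It XOR-decodes a buffer with a known single-byte key, recovers an unknown key from a known plaintext prefix, and brute-forces all 256 keys with a printability filter, which is the generic procedure of which the 0x59 and 0x2b routines are one instance. The encoded buffers are constructed here by encoding the two URLs the article reports (with the hxxps defanging undone); the assumption that each string carries a trailing NUL, as a C string built on the stack would, is mine.

```python
# Added example for this article; not code from the original post or from the
# StrongPity sample. It reproduces the static decoding step for single-byte
# XOR'ed stack strings: decode with a known key, recover an unknown key from a
# known plaintext prefix, and brute-force all 256 keys with a printability filter.

PRINTABLE = set(range(0x20, 0x7f))                     # space .. tilde
TOKENS = (b'://', b'.com', b'.php', b'.exe', b'.dll')  # config-like markers

def xor_single_byte(data, key):
    '''XOR every byte with one key; applying it twice restores the input.'''
    return bytes(b ^ (key & 0xff) for b in data)

def strip_terminator(data):
    '''A C string built on the stack carries a trailing NUL; the NUL encodes
    to the key byte itself, so drop it before judging printability.'''
    return data.rstrip(bytes([0]))

def key_from_known_prefix(enc, prefix):
    '''If the plaintext is believed to start with prefix (for example https://),
    the key is enc[i] ^ prefix[i]; it must agree for every prefix byte.'''
    if not prefix or len(enc) < len(prefix):
        return None
    keys = {e ^ p for e, p in zip(enc, prefix)}
    return keys.pop() if len(keys) == 1 else None

def score(plain):
    '''Rank a candidate: 0 unless fully printable ASCII, then 1 + token hits.'''
    body = strip_terminator(plain)
    if not body or any(b not in PRINTABLE for b in body):
        return 0
    return 1 + sum(body.count(t) for t in TOKENS)

def brute_force_keys(enc, min_score=2):
    '''Try all 256 keys; return (key, plaintext) pairs that look like config,
    best first. min_score=2 demands at least one config-like token.'''
    hits = []
    for key in range(256):
        plain = strip_terminator(xor_single_byte(enc, key))
        if score(plain) >= min_score:
            hits.append((key, plain))
    hits.sort(key=lambda kp: score(kp[1]), reverse=True)
    return hits

# Constructed sample input: the two URLs the article reports (the article prints
# the scheme defanged as hxxps), encoded with the two keys it names. The NUL
# terminator is an assumption about how the strings sit in memory.
URL_A = b'https://transferprotocolpolicy.com/parse_ini_file.php'
URL_B = b'https://transferprotocolpolicy.com/phpinfo.php'
ENC_A = xor_single_byte(URL_A + bytes([0]), 0x59)
ENC_B = xor_single_byte(URL_B + bytes([0]), 0x2b)

def demo():
    '''Decode A with the known key, recover the key for B, brute-force A.'''
    return {
        'decoded_a': strip_terminator(xor_single_byte(ENC_A, 0x59)),
        'recovered_key_b': key_from_known_prefix(ENC_B, b'https://'),
        'brute_force_a': brute_force_keys(ENC_A),
    }

if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

Running the file prints the known-key decoding of the first buffer, the key recovered for the second, and the ranked brute-force hits. The trailing-NUL handling matters in practice: the terminator encodes to the key byte itself, so a decoder that checks printability without stripping it rejects the correct key.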
I will briefly describe the findings with some screenshots below.\r\nScreenshot 5: CreateMutex creation based on the stack strings floss output\r\nScreenshot 6: Encoded stack strings stored in memory (dump) before the first XOR (0x59) routine\r\nScreenshot 6 displays the stack strings (partially) found by floss, encoding the domain name.\r\nScreenshot 7: Decoded stack strings stored in memory (dump) after the XOR (0x59) routine\r\nScreenshot 8: StrongPity backdoor immediately collects data found on the compromised system\r\nAfter installing the StrongPity backdoor on my virtual machine, the backdoor immediately starts gathering files based on certain extensions and temporarily stores them in a compressed file “config.bin” before it attempts to send them to the command and control server. Some content is displayed in screenshot 8. Bonus question for reversers: who recognizes the pdf file?\r\nAfter assessing the StrongPity backdoor with floss, it immediately became clear that many backdoor configuration items are stored as stack strings in the binary, like the mutex, directory, file names, and domain information, potentially to evade normal detection. By leveraging the decompilation feature of the Cutter reverse engineering platform, the single-byte XOR obfuscation routines were quickly identified.\r\nStrongPity backdoors are good candidates for Yara rules, as the backdoors contain many strings, constants, and byte patterns that can be leveraged in such rules. Over time the actor behind the StrongPity backdoor makes small updates to the backdoor.\r\nBased upon the intelligence gathered by other security companies and by leveraging the power of VirusTotal Intelligence (VTI), you can really start hunting on this adversary. 
VTI has a great feature to search for samples similar to a given one. With that search, the samples below were found. One additional remark: this great publication platform does not support tables, hence the screenshots. If you’re interested in the malware samples, feel free to reach out.\r\nScreenshot 9: Similar malware samples found via VTI.\r\nBased on additional Twitter intelligence and using the same functionality, some newer samples were discovered.\r\nScreenshot 10: Newer samples of the StrongPity backdoor were found.\r\nAs discussed in the background paragraph on StrongPity, the alleged Turkish nation-state actor leverages popular software. The sample with the SHA-256 value “dfd0f4b821438d8a9277728e42ab58bdc2667aa7173892ffd6ede75a5d5645f5” was installed via a trojanized version of Partition Find and Mount that was uploaded from Korea. That trojanized version can be downloaded from VT as well, with the following SHA-256 checksum: “0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98”\r\nScreenshot 11: The trojanized version of Partition Find and Mount.\r\nBased on industry intelligence reports and my own brief malware analysis, it becomes clear that the alleged Turkish nation-state actor StrongPity is likely running a massive, multi-year data collection program and is apparently successful. Citizen Lab and Bitdefender reported strong indications of Turkish nation-state involvement. The backdoor received small updates periodically, and the collection infrastructure has been improved over time. The actor was initially focusing on the Middle Eastern region and is now also focusing on Europe, Asia, and Canada. The claims of massive phishing campaigns by Cyble were not substantiated by evidence in their report. 
The same holds for LMNTRIX, who claimed that StrongPity targeted financial organizations, industrial plants, and educational organizations after compromising victims' computers. It could be that LMNTRIX found detections originating from those organizations after some employees downloaded this trojanized software. Still, their research does not explain how compromised victims attacked the referred companies. It would be very interesting if the StrongPity actors were utilizing compromised victim machines in their attacks. Also, the malware research of both Cyble and LMNTRIX was not detailed enough, or was partly blurred out, for me to agree with their conclusions.\r\nOverall, the StrongPity backdoor is well detected by the anti-virus industry. This suggests that the actor is less successful in company networks and is more focused on citizens. This triggered a thought: do the victims of the StrongPity actor have a working anti-virus solution? I sometimes support friends and family with computer issues but rarely find a working anti-virus solution on their private computers. Based upon the minimal updates in the modus operandi and the sophistication of this actor, I suspect not. The method that the actor employs is a clever one. Who does not download these targeted tools sometimes? Under the above conditions, why would a victim know they are downloading a trojanized version of a certain utility? What worries me a bit is the massive amount of data collection and processing infrastructure that the actor needs to maintain. Based on samples uploaded to VT, I assume that large amounts of data are uploaded into the infrastructure they operate. The collected data needs to be processed as well to make it actionable. I wonder what kind of data lake the StrongPity actors have. 
For next time: watch out when you want to recover some files and install StrongPity on your system.\r\nSource: https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity"
	],
	"report_names": [
		"recover-your-files-with-strongpity"
	],
	"threat_actors": [
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c57dcbab6f12e1a72a7a9f70ffa1457017b407f9.pdf",
		"text": "https://archive.orkl.eu/c57dcbab6f12e1a72a7a9f70ffa1457017b407f9.txt",
		"img": "https://archive.orkl.eu/c57dcbab6f12e1a72a7a9f70ffa1457017b407f9.jpg"
	}
}