
StrongPity / Promethium

strongpity_promethium · turkey · active since 2012

StrongPity / Promethium (canonical Kaspersky GReAT naming "StrongPity" per the October 2016 first public disclosure; Microsoft canonical naming "Promethium"; Cisco Talos 2020 "StrongPity3" naming for the retooled era) is a Turkey-aligned cyber-espionage cluster publicly active since at least 2012 per Cisco Talos canonical assessment, approximately 14 years of tracked operational continuity through multiple major public-disclosure burns. Its primary mission is intelligence collection from Kurdish community members in Turkey and Syria, encryption-software users, privacy-conscious users, and Turkish strategic-interest targets.

Turkey-aligned attribution operates at strong-indicator level (no formal Turkish government acknowledgment), supported by operator working-hours alignment with the Turkish timezone (UTC+2, Monday-Friday 9-to-6, per Bitdefender), signature Kurdish community targeting, timestamp coincidence with the Turkish military "Operation Peace Spring" offensive of October 2019 against the Kurdish SDF in northeastern Syria (per Bitdefender), and ISP-level AitM via Türk Telekom Sandvine/Procera DPI per the Citizen Lab March 2018 canonical disclosure.

Signature operational tradecraft is trojanized-installer distribution of legitimate software (2016 era: WinRAR + TrueCrypt, targeting encryption-software and privacy-conscious users; 2019+ era: WinBox Mikrotik router management, Firefox, TeamViewer, 7-zip, WhatsApp, CCleaner, McAfee Security Scan Plus, Recuva, Disk Drill, DAEMON Tools Lite, Glary Utilities, RAR Password Unlocker, VPNpro, DriverPack); ISP-level AitM via Sandvine/Procera DPI, operationally consistent with Turkish state-aligned support enabling ISP-level traffic interception; watering-hole tactics on compromised legitimate software-distribution sites plus look-alike WinRAR/TrueCrypt distribution domains; 3-tiered C&C infrastructure to obstruct forensic investigation; a File Searcher component that loops through drives for specific extensions, builds a temporary .ZIP archive and splits it into hidden, encrypted .SFT files for C&C exfiltration; and AV-check evasion before payload drop (the fake Firefox installer checks for Malwarebytes/ESET/Bitdefender).

Scale: 1,000+ systems infected in the 2016 era (top 5 countries Italy, Turkey, Belgium, Algeria, France); ~47 different servers / ~30 new C2 domains identified per Cisco Talos 2019-2020 analysis; targeting expansion to Colombia, India, Canada and Vietnam per Cisco Talos. The cluster shows a signature operational-resilience pattern across multiple major disclosure burns (Kaspersky 2016, Microsoft 2016, ESET 2017, Citizen Lab 2018, AT&T 2019, Bitdefender 2020, Cisco Talos 2020) without operational cessation. It is operationally adjacent to moustachedbouncer (curated separately) via shared AitM-at-ISP-level tradecraft lineage per ESET's 2023 MoustachedBouncer analysis, and fills the Turkey-aligned historical APT cell in the curated corpus.

Country: turkey · Confidence: high · Aliases: 9 · MITRE ATT&CK: G0056

Profile

StrongPity / Promethium (canonical Kaspersky GReAT naming "StrongPity" per the October 2016 first public disclosure; Microsoft canonical naming "Promethium"; Cisco Talos 2020 "StrongPity3" naming for the retooled era) is a Turkey-aligned cyber-espionage cluster publicly active since at least 2012, with primary mission objectives of intelligence collection from Kurdish community members in Turkey and Syria, encryption-software users, privacy-conscious users, and Turkish strategic-interest targets. Turkey-aligned attribution operates at strong-indicator level across major cybersecurity industry analysts, but formal Turkish government acknowledgment has never been issued. Attribution evidence streams include:
  • (a) operator working-hours pattern alignment with the Turkish timezone (UTC+2, Monday-Friday 9-to-6, per Bitdefender);
  • (b) signature Kurdish community targeting in Turkey + Syria;
  • (c) timestamp coincidence with the Turkish military "Operation Peace Spring" (October 1, 2019 onward);
  • (d) ISP-level AitM operations via Türk Telekom Sandvine/Procera DPI per the Citizen Lab March 2018 disclosure.

Operational phases:
  • (1) OPERATIONAL EMERGENCE (2012). Cisco Talos places the start of the cluster's active period in 2012. Limited public visibility pre-2016.
  • (2) ITALY + BELGIUM WATERING-HOLE ERA (2016). October 2016 Kaspersky GReAT canonical disclosure. Trojanized WinRAR + TrueCrypt installers via watering-hole tactics. 1,000+ systems infected. Top 5 countries: Italy, Turkey, Belgium, Algeria, France.
  • (3) MICROSOFT PROMETHIUM ZERO-DAY ERA (late 2016). Microsoft research showing the group targeting individuals in Europe with zero-day vulnerabilities.
  • (4) ESET ISP-LEVEL AITM DISCLOSURE (2017). Promethium / StrongPity variant identified at ISP level in two unnamed countries, signaling tradecraft evolution.
  • (5) CITIZEN LAB TÜRK TELEKOM SANDVINE DPI ERA (March 2018). Canonical disclosure of ISP-level AitM via Sandvine/Procera DPI on the Türk Telekom network, targeting Kurdish users in Turkey + Syria.
  • (6) AT&T ALIEN LABS WINBOX / WINRAR RETOOLED ERA (July 2019). Trojanized WinBox (Mikrotik router management) + WinRAR installers after a toolset rebuild.
  • (7) BITDEFENDER KURDISH TARGETING DISCLOSURE (June 2020). Comprehensive Kurdish community targeting, with timestamp alignment to the Turkish "Operation Peace Spring" military offensive against the Kurdish SDF in northeastern Syria.
  • (8) CISCO TALOS STRONGPITY3 ERA (June 2020). Continued tradecraft evolution + ~30 new C2 domains identified in 2019. Targeting expansion to Colombia, India, Canada, Vietnam.
  • (9) CONTINUED OPERATIONS (2020-2026). Sustained operational tempo through 2026.

Signature operational tradecraft
  • Trojanized installer tradecraft (most operationally distinctive): signature distribution of trojanized legitimate software installers. 2016 era: WinRAR + TrueCrypt (targeting encryption-software users + privacy-conscious users). 2019+ era: WinBox (Mikrotik router management), Firefox, TeamViewer, 7-zip, WhatsApp, CCleaner, McAfee Security Scan Plus, Recuva, Disk Drill, DAEMON Tools Lite, Glary Utilities, RAR Password Unlocker, VPNpro, DriverPack.
  • ISP-level AitM via Sandvine/Procera DPI tradecraft (signature 2018+): per Citizen Lab, installer redirect via Türk Telekom DPI equipment. Operationally consistent with Turkish state-aligned operational support enabling ISP-level traffic interception.
  • Watering-hole tactics on legitimate software distribution sites: signature 2016-era tradecraft, compromised localized software-sharing sites + look-alike WinRAR/TrueCrypt distribution domains redirecting to poisoned installers.
  • 3-tiered C&C infrastructure (signature 2020+): layered to obstruct forensic investigation.
  • File Searcher component looping through drives: signature exfiltration component that finds files with specific extensions, places them in a temporary .ZIP archive, and splits the archive into hidden, encrypted .SFT files for C&C exfiltration.
  • AV-check evasion before payload drop: signature tradecraft of fake Firefox installer checking for Malwarebytes, ESET, or Bitdefender before dropping payload.
  • Working hours UTC+2 Monday-Friday 9-to-6 pattern: signature operator timezone alignment with Turkey.
  • Predefined IP list selective targeting: signature victim selectivity tradecraft.
  • Kurdish community targeting in Turkey + Syria: signature primary mission objective.
  • Timestamp alignment with Turkish military operations: Operation Peace Spring (October 2019) timestamp correlation operationally supporting Turkish state-aligned attribution.
  • Operational resilience post-disclosure (~14 years of tracked operational continuity through multiple major disclosure burns). The cluster fills the Turkey-aligned historical APT cell in this curated corpus, a uniquely under-represented nation-attribution cell. Operationally adjacent to moustachedbouncer (curated separately as Belarus-aligned AitM-at-ISP) via shared AitM-at-ISP-level tradecraft lineage per ESET's 2023 MoustachedBouncer analysis.
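As an added triage example (not code from the page's sources), the following heuristic runs over a constructed file inventory, of the kind an EDR or forensic file listing exports, and flags the staging pattern the File Searcher bullet describes: several hidden .sft files in one directory, with the temporary .zip archive alongside. Paths, sizes and the hidden flags are constructed sample data, not real StrongPity artefacts.

```python
import posixpath
from collections import defaultdict

# Constructed inventory records (path, is_hidden, size_bytes). Not real StrongPity artefacts.
SAMPLE_INVENTORY = [
    ("C:/Users/u/AppData/Local/Temp/stage.zip", False, 3_145_728),  # temporary archive
    ("C:/Users/u/AppData/Local/Temp/0001.sft", True, 1_048_576),    # hidden split chunk
    ("C:/Users/u/AppData/Local/Temp/0002.sft", True, 1_048_576),
    ("C:/Users/u/AppData/Local/Temp/0003.sft", True, 1_048_576),
    ("C:/Users/u/Documents/report.docx", False, 120_000),
    ("C:/Program Files/SomeApp/config.sft", False, 2_048),          # not hidden, alone
]

def find_sft_staging(inventory, min_chunks=2):
    """Group inventory records by directory and return the directories holding at
    least min_chunks hidden .sft files, with the total staged bytes and whether a
    .zip (the temporary archive built before splitting) sits in the same directory."""
    by_dir = defaultdict(lambda: {"sft": 0, "bytes": 0, "zip": False})
    for path, hidden, size in inventory:
        directory, name = posixpath.split(path)
        ext = posixpath.splitext(name)[1].lower()
        if ext == ".sft" and hidden:
            by_dir[directory]["sft"] += 1
            by_dir[directory]["bytes"] += size
        elif ext == ".zip":
            by_dir[directory]["zip"] = True
    return [
        {"dir": d, "hidden_sft": v["sft"], "staged_bytes": v["bytes"], "zip_present": v["zip"]}
        for d, v in sorted(by_dir.items()) if v["sft"] >= min_chunks
    ]

if __name__ == "__main__":
    for hit in find_sft_staging(SAMPLE_INVENTORY):
        print(hit)
```

A hit is a triage lead, not a verdict: the .sft extension and hidden attribute are the only properties the reporting gives, so confirm with file entropy and the writing process before escalating.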

Aliases (9)
  • strongpity
  • strong pity
  • strongpity apt
  • promethium
  • promethium apt
  • strongpity3
  • esat strongpity
  • strongpity_promethium
  • strongpity turkey

Notable Campaigns (10)
  • 2020-2026 · Continued Operations Through 2020-2026
  • 2020 · Bitdefender Kurdish Community Targeting Disclosure (June 2020)
  • 2020 · Cisco Talos StrongPity3 Disclosure (June 2020)
  • 2019 · AT&T Alien Labs WinBox / WinRAR Retooled Disclosure (July 2019)
  • 2018 · Citizen Lab Türk Telekom Sandvine/Procera DPI Disclosure (March 2018)
  • 2017 · ESET ISP-Level AitM Tradecraft Disclosure (2017)
  • 2016 · Italy + Belgium 2016 Watering-Hole Era + Kaspersky GReAT Canonical Disclosure (October 2016)
  • 2016 · Microsoft Promethium Zero-Day Disclosure (Late 2016)
  • 2012-Present · Operational Resilience Pattern (Hallmark of StrongPity Actors)
  • 2012 · StrongPity / Promethium Operational Emergence (2012)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT
  • Microsoft Threat Intelligence Center
  • ESET
  • Cisco Talos
  • Bitdefender
  • AT&T Alien Labs
  • Cylance / BlackBerry
  • Citizen Lab (University of Toronto)
  • Sandvine / Procera Networks
  • Trend Micro
  • Mandiant
  • CrowdStrike
  • SOPHOS X-Ops
  • SentinelOne / SentinelLabs
  • Kurt Baumgartner (Kaspersky GReAT principal security researcher)
  • Warren Mercer + Paul Rascagneres + Vitor Ventura (Cisco Talos)
  • Liviu Arsene + Radu Tudorica + Cristina Vatamanu + Alexandru Maximciuc (Bitdefender)

Key reporting
  • Kaspersky GReAT (Kurt Baumgartner): On the StrongPity APT, Trojanized Crypto-Tools (Securelist, October 2016), canonical first public disclosure
  • Microsoft Threat Intelligence Center: Promethium Twin Zero-Day Attacks (November 2016)
  • ESET: StrongPity APT, Evolution and Prowess (March 2018), canonical ISP-level AitM tradecraft disclosure
  • Citizen Lab (University of Toronto): Bad Traffic, Sandvine's PacketLogic Devices Deploy Government Spyware in Turkey and Syria (March 2018), canonical Türk Telekom Sandvine DPI disclosure
  • AT&T Alien Labs: StrongPity Retooled Spyware Campaign (July 2019)
  • Cylance / BlackBerry: StrongPity Operational Resilience Analysis (Q4 2018)
  • Bitdefender (Liviu Arsene + Radu Tudorica + Cristina Vatamanu + Alexandru Maximciuc): StrongPity APT, Revealing Trojanized Tools, Working Hours and Infrastructure (June 30, 2020), canonical Kurdish community + working hours analysis
  • Cisco Talos (Warren Mercer + Paul Rascagneres + Vitor Ventura): PROMETHIUM Extends Global Reach with StrongPity3 APT (June 2020), canonical StrongPity3 naming + operational expansion
  • Sandvine / Procera Networks: Denial of Complicity Statement Re Türk Telekom DPI Spyware Use
  • Trend Micro: StrongPity Adjacent Cluster Tracking
  • Mandiant: StrongPity / Promethium Continued Tracking
  • CrowdStrike Global Threat Report: Turkey-Aligned Cluster Tracking
  • SOPHOS X-Ops: StrongPity Operational Profile
  • SentinelLabs: StrongPity Operational Analysis
  • MITRE ATT&CK Group G0056, PROMETHIUM
  • Malpedia Actor Profile: Promethium / StrongPity

Operational

State sponsor

Turkey-aligned cluster. Turkey attribution operates at strong-indicator level across multiple major cybersecurity industry analysts, but no formal acknowledgment has been issued by the Turkish government. Per Bitdefender June 2020 analysis: "While there is no direct forensic evidence suggesting that the StrongPity APT group operated in support of Turkish military operations, the victim's profile coupled with the timestamps on the analyzed samples make for an interesting coincidence." Per SecurityWeek: "The group is believed to be state-sponsored, but there appears to be little evidence to support that." Turkey-aligned attribution is supported by multiple convergent evidence streams:

(a) Operator working-hours pattern alignment with the Turkish timezone. Per Bitdefender canonical analysis: "Interestingly, all files investigated pertaining to the tainted applications appear to have been compiled from Monday to Friday, during normal 9 to 6 UTC+2 working hours. This strengthens the idea that StrongPity could be a sponsored and organized developer team paid to deliver certain 'projects.'" UTC+2 working hours align with the Turkey timezone (now UTC+3 after Turkey's 2016 permanent DST cancellation, but the historical analysis covers the UTC+2 era).

(b) Kurdish community targeting in Turkey + Syria: signature primary targeting focus on Kurdish ethnic group victims in Turkey and Syria, consistent with Turkish state strategic interest in surveillance of the Kurdish separatist movement (PKK / YPG / SDF adjacent). Per Bitdefender 2020 disclosure: "Since late 2019, Bitdefender has observed numerous attacks focusing on victims in Istanbul and close to the Syrian border, which led to the assumption that the Kurdish community is being targeted."

(c) Timestamp coincidence with Turkish military operations: per Bitdefender: "In one campaign, the observed samples all have creation timestamps after October 1, 2019, the date Turkey launched its offensive into northeastern Syria [Operation Peace Spring]." The temporal alignment with the Turkish military "Operation Peace Spring" (Operation Source of Peace / Barış Pınarı Harekâtı) against Kurdish SDF forces in northeastern Syria supports Turkish state-aligned attribution.

(d) ISP-level AitM operations via Türk Telekom: per the Citizen Lab March 2018 disclosure, StrongPity attacks occurred at the ISP level by abusing Sandvine/Procera deep packet inspection (DPI) equipment deployed on the Türk Telekom (Turkey's primary telecommunications provider) network. The ISP-level AitM tradecraft is operationally significant because it requires either cooperation with Türk Telekom (a state-controlled Turkish ISP) or compromise of Türk Telekom DPI infrastructure, both consistent with Turkish state-aligned operational capabilities. Sandvine denied complicity.

(e) Original 2016 victim distribution: per the Kaspersky GReAT October 2016 canonical disclosure, the top five countries affected by the StrongPity 2016 campaign were Italy, Turkey, Belgium, Algeria, and France. Turkey appearing among the top five affected countries despite the cluster operating from Turkey is explained by Turkish state-aligned domestic Kurdish dissident surveillance: Turkish citizens of Kurdish ethnic background constitute targets for Turkish state-aligned domestic surveillance regardless of the cluster's operational base.

Operational significance: per Cisco Talos 2020 analysis: "The PROMETHIUM threat actor, active since 2012, has been exposed multiple times over the past several years. However, this has not deterred this actor from continuing and expanding their activities." The cluster operates with distinctive resilience to public-disclosure attribution attempts, consistent with well-resourced state-aligned support enabling continuous tradecraft refresh post-burn. Per Cisco Talos: "By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains [in 2019]." Per The Hacker News: "These characteristics can be interpreted as signs that this threat actor could in fact be part of an enterprise service for hire operation", though state-sponsored remains the industry-consensus assessment. The cluster fills the Turkey-aligned historical APT cell in this curated corpus, a uniquely under-represented nation-attribution cell, alongside dark_caracal (Lebanon-aligned, curated separately) and adjacent rare-attribution clusters.
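To reproduce the working-hours analysis on a sample set of your own, the following added example (not Bitdefender's or the platform's code) reads the COFF TimeDateStamp out of a PE header and buckets compile times into the Monday-Friday 9-to-6 UTC+2 window. The PE header bytes and the timestamp list are constructed, not real StrongPity samples.

```python
import struct
from datetime import datetime, timedelta, timezone

# Working-hours window from Bitdefender's observation: Monday-Friday, 09:00-18:00, UTC+2.
TURKEY_UTC2 = timezone(timedelta(hours=2))
WORK_START, WORK_END = 9, 18  # local hours, end exclusive

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.
    Only the MZ magic, e_lfanew and the PE signature are validated."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def in_working_hours(ts_utc: datetime, tz=TURKEY_UTC2) -> bool:
    """True if ts_utc falls Mon-Fri between WORK_START and WORK_END in tz."""
    local = ts_utc.astimezone(tz)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END

def working_hours_profile(timestamps, tz=TURKEY_UTC2) -> dict:
    """Bucket timestamps by local weekday and report the share inside the window."""
    weekday_hist = [0] * 7  # index 0 = Monday ... 6 = Sunday
    in_window = 0
    for ts in timestamps:
        weekday_hist[ts.astimezone(tz).weekday()] += 1
        in_window += in_working_hours(ts, tz)
    return {"total": len(timestamps), "in_window": in_window,
            "ratio": in_window / len(timestamps) if timestamps else 0.0,
            "weekday_hist": weekday_hist}

# Constructed minimal PE header (not a real sample): e_lfanew=0x40, TimeDateStamp=1570436100,
# i.e. 2019-10-07 08:15:00 UTC, a Monday 10:15 in UTC+2.
SAMPLE_PE_HEADER = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
                    + b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 3, 1570436100))

# Constructed compile timestamps (UTC) for a hypothetical sample set.
SAMPLE_COMPILE_TIMES_UTC = [
    pe_compile_time(SAMPLE_PE_HEADER),                   # Mon 10:15 local -> in window
    datetime(2019, 10, 8, 14, 40, tzinfo=timezone.utc),  # Tue 16:40 -> in
    datetime(2019, 10, 9, 6, 30, tzinfo=timezone.utc),   # Wed 08:30 -> out (too early)
    datetime(2019, 10, 10, 15, 59, tzinfo=timezone.utc), # Thu 17:59 -> in
    datetime(2019, 10, 11, 16, 5, tzinfo=timezone.utc),  # Fri 18:05 -> out (after hours)
    datetime(2019, 10, 12, 10, 0, tzinfo=timezone.utc),  # Sat 12:00 -> out (weekend)
    datetime(2019, 10, 14, 7, 0, tzinfo=timezone.utc),   # Mon 09:00 -> in (window start)
]

if __name__ == "__main__":
    print(working_hours_profile(SAMPLE_COMPILE_TIMES_UTC))
```

The COFF timestamp is set by the build toolchain and can be zeroed or forged, so a clean 9-to-6 profile is corroborating evidence only, which is how Bitdefender's own wording treats it.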

Motivations
turkey_state_aligned_intelligence_collection, kurdish_community_surveillance_turkey_syria, kurdish_separatist_movement_surveillance, dissident_journalist_activist_surveillance, turkish_strategic_interest_intelligence, selective_encryption_software_user_surveillance, privacy_conscious_user_surveillance

Detection Blind Spots

60 techniques mapped. Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 58/60 (96%)
  • Analytics (MITRE CAR): 26/60 (43%)
  • Runtime / container (Falco): 9/60 (15%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 14/60 (23%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques. Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 ATT&CK-mapped tools.
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • SANDVINE PROCERA DPI ABUSE
  • STRONGPITY3 RETOOLED 2020
  • STRONGPITY SPYWARE PLATFORM

CVEs Exploited

3
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin