← All Threat Actors
Threat Actor Profile

PROMETHIUM

G0056 StrongPity
▲ High Threat
PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.
Origin Turkey

Known TTPs

Malicious File
Code Signing Certificates
Local Accounts
Digital Certificates
Registry Run Keys / Startup Folder
Windows Service
Match Legitimate Resource Name or Location
Masquerade Task or Service
Code Signing
Port Knocking
Drive-by Compromise

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD