Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Two APTs Used Same Zero-Day to Target Individuals in Europe

Researchers at Microsoft have observed two separate advanced persistent threat (APT) actors that leveraged the same Flash Player zero-day vulnerability to spy on Turkish citizens living in Turkey and various other European countries.

Researchers at Microsoft have observed two separate advanced persistent threat (APT) actors that leveraged the same Flash Player zero-day vulnerability to spy on Turkish citizens living in Turkey and various other European countries.

Dubbed by Microsoft PROMETHIUM and NEODYMIUM – the company assigns chemical element names to threat actors – the groups used different infrastructure and malware, but there are some similarities that indicate a possible connection at a higher organizational level.

The attacks, spotted in early May, leveraged a Flash Player exploit (CVE-2016-4117) that Adobe patched on May 12. The groups used the same exploit at the same time, before it was publicly disclosed, and against the same type of targets.

The group tracked as PROMETHIUM has been active since at least 2012. In the attacks observed by Microsoft, the actor sent out links via instant messaging applications. The links pointed to documents set up to exploit CVE-2016-4117 in an effort to deliver a piece of malware dubbed Truvasys.

Truvasys has been mainly observed in western European countries, but it has been configured to target devices with Turkish locale settings (i.e. parameters that define the user’s language and region). This indicates that the attackers were particularly interested in Turkish citizens living in Turkey and western European countries.

In some cases, the attackers also delivered a piece of malware named Myntor, but Microsoft has not been able to determine the criteria for pushing this second threat onto a victim’s computer.

PROMETHIUM’s activities have also been analyzed by Kaspersky Lab, which named the group and its malware StrongPity. In the attacks observed by the security firm, the actor used watering holes and poisoned application installers to deliver their malware. Kaspersky noted in its analysis that StrongPity’s techniques were similar to the ones of Russia-linked threat actor Crouching Yeti (aka Energetic Bear and Dragonfly).

Advertisement. Scroll to continue reading.

NEODYMIUM also leveraged the same CVE-2016-4117 exploit in early May, before its existence was disclosed. The attackers used spear-phishing emails carrying malicious documents to deliver their malware.

This group has used a backdoor, dubbed by Microsoft Wingbird, that is very similar to the notorious government-grade commercial spyware FinFisher. Researchers believe Wingbird is a relatively new version of FinFisher.

“The publisher, FinFisher GmbH, claims that it sells the software exclusively to government agencies for use in targeted and lawful criminal investigations,” Microsoft said. “The apparent use of a version of FinFisher suggests that the exploit and the spear phishing campaign that delivered it were the work of an attack group probably connected in some way to a state actor.”

More than 80 percent of NEODYMIUM victims spotted by Microsoft were located in Turkey, but infections were also detected in the U.S., Germany and the U.K. The company pointed out that Wingbird has only been used to target individuals, not devices that are part of an organization’s network.

Additional details on PROMETHIUM and NEODYMIUM, including indicators of compromise (IoC), are available in Microsoft’s latest Security Intelligence Report.

Related: Pawn Storm Group Targets Turkey

Related: Turkey to Probe Massive ‘Personal Data Leak’

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...