StrongPity
Malware

⚠️ Overview
StrongPity (also tracked as APT-C-41 and Promethium) is an advanced persistent threat (APT) group believed to operate on behalf of the Turkish government, first publicly documented by Kaspersky in 2016. The malware family is classified as spyware and a backdoor, primarily deployed through trojanized legitimate software installers (e.g., WinRAR, CCleaner, and VPN clients) to compromise targets in Turkey, Syria, the Middle East, and Europe. The group is attributed to the Turkish National Intelligence Organization (MIT) by multiple researchers, including ESET and the Citizen Lab.
🔧 Technical Capabilities
StrongPity uses watering-hole attacks and trojanized software to achieve initial access, replacing legitimate download links on compromised websites with malicious installers. The variant known as StrongPity3 (reported by ESET in 2020) employs a modular architecture: the dropper extracts a DLL payload that establishes persistence via a scheduled task or a registry Run key (MITRE ATT&CK T1053.005 and T1547.001). Communication with C2 infrastructure uses HTTPS over ports 443 and 8080, with traffic mimicking legitimate web requests and carrying a custom User-Agent string: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36". Evasion techniques include anti-debugging checks, sandbox detection via VM artifacts (e.g., checking for VMware Tools), and encrypted configuration files stored in the %AppData% folder. The backdoor can enumerate files, capture screenshots, log keystrokes, and exfiltrate documents (particularly .doc, .pdf, .rar, and .zip files) to C2 servers.
📜 History & Notable Incidents
StrongPity first appeared in 2016 when Kaspersky disclosed a campaign targeting Turkish-speaking users with trojanized versions of WinRAR and Advanced Encryption Package. In 2018, ESET reported a second wave targeting activists and dissidents in Turkey, Syria, and Iran using trojanized CCleaner and VPN applications. A 2020 campaign (dubbed StrongPity3) involved a new payload that exploited CVE-2020-0601 (the Windows CryptoAPI spoofing vulnerability) to sign malicious executables with a fraudulent certificate. No law enforcement actions have been reported against the group as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256 4a1f2c3d... (an example placeholder; actual IOCs are available in the ESET and Kaspersky reports). Behavioral signatures include the creation of the mutex Global\StrongPity2016Mutex and the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\StrongPity. Network IOCs include C2 domains such as microsoft-update[.]com and IP ranges used by Turkish hosting providers (e.g., 185.106.92.0/24). Requests from StrongPity variants often carry the header Accept-Encoding: gzip, deflate without a standard browser Referer header.
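The following script, added here as an example and not part of the original profile or of any vendor's tooling, turns the network and host indicators listed above into two checks a defender can run over their own data: a scorer for proxy log lines (the exact User-Agent string, the 443/8080 ports, and the gzip/deflate-without-Referer pattern) and an audit of a .reg export of the HKCU Run key for the named StrongPity value. The proxy log layout, the sample log lines, the sample registry export, and the two heuristics marked as assumptions in the comments (a WebKit User-Agent with no browser product token, and an autostart entry launching from %AppData%) are constructed for this example and go slightly beyond the profile's literal indicators.

```python
import re

# Indicator values are quoted from the profile above; they are the page's
# values and have not been independently verified here.
STRONGPITY_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
C2_PORTS = {443, 8080}
RUN_VALUE_NAME = "StrongPity"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Assumed proxy log layout for this example (not any real product's format):
# <ts> <src_ip> <host>:<port> ua="..." referer="..." accept_encoding="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) '
    r'ua="(?P<ua>[^"]*)" referer="(?P<ref>[^"]*)" accept_encoding="(?P<enc>[^"]*)"$'
)


def score_request(line: str) -> list[str]:
    """Return the reasons a proxy log line matches the network indicators; [] if clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    reasons = []
    ua = m["ua"]
    if ua == STRONGPITY_UA:
        reasons.append("user-agent equals the StrongPity string")
    elif ua.endswith("AppleWebKit/537.36") and "Chrome/" not in ua and "Safari/" not in ua:
        # Assumption (generalisation of the profile's string): a WebKit user-agent
        # that stops before any browser product token is not what browsers send.
        reasons.append("truncated WebKit user-agent without browser product token")
    if int(m["port"]) in C2_PORTS and "gzip, deflate" in m["enc"] and m["ref"] == "":
        reasons.append("gzip/deflate request on port 443/8080 with no referrer")
    return reasons


def audit_run_key(reg_export: str) -> list[tuple[str, str, str]]:
    """Scan a .reg export for the HKCU Run key; return (value_name, command, reason)."""
    findings = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        # .reg files escape backslashes as "\\"; undo that for path matching.
        name, cmd = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append((name, cmd, "Run value named in the profile"))
        elif "\\appdata\\roaming\\" in cmd.lower():
            # Assumption: an autostart launching from %AppData% (where the profile
            # places the encrypted config) warrants review, not an automatic verdict.
            findings.append((name, cmd, "autostart launches from %AppData%"))
    return findings


# Constructed sample data: not captured traffic and not a real host's registry.
SAMPLE_LOG = [
    '2025-01-10T09:12:01Z 10.0.0.15 cdn.example.net:443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36" '
    'referer="https://example.net/" accept_encoding="gzip, deflate, br"',
    '2025-01-10T09:12:07Z 10.0.0.15 update.example.net:8080 '
    'ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36" referer="" accept_encoding="gzip, deflate"',
    '2025-01-10T09:13:30Z 10.0.0.22 files.example.org:443 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" '
    'referer="https://files.example.org/" accept_encoding="identity"',
]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"StrongPity"="rundll32.exe C:\\Users\\victim\\AppData\\Roaming\\config\\upd.dll,Start"
"Updater"="C:\\Users\\victim\\AppData\\Roaming\\upd\\upd.exe"
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line.split(" ")[2], "->", score_request(line) or "clean")
    for name, cmd, reason in audit_run_key(SAMPLE_REG):
        print(f"Run\\{name}: {reason} ({cmd})")
```

The first sample line is an ordinary browser request and scores clean; the second reproduces the profile's User-Agent and header pattern and is flagged twice; the third only trips the truncated-User-Agent heuristic, which is the kind of hit that should go to an analyst rather than straight to a block list. The registry audit reports the named value and, separately, the %AppData% autostart for review.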
☠️ Risk & Impact
StrongPity enables the complete exfiltration of sensitive documents, intellectual property, and personal communications, particularly targeting government agencies, human rights activists, journalists, and academics in geopolitically sensitive regions. The 2018 ESET report noted that victims included Syrian opposition groups and Turkish civil society organizations. Financial losses are indirect but significant due to compromised national security and human rights violations. The malware has been linked to the jailing of several activists in Turkey based on intercepted communications.
🛡️ Mitigation
Organizations should implement application whitelisting, prevent unnecessary software installations, and enforce strict software supply chain verification using digital signatures. Network defenders can deploy the YARA rules published by Kaspersky (e.g., rule StrongPity_3) and monitor for anomalous network traffic on ports 443/8080. Regular patching of CVE-2020-0601 and other relevant vulnerabilities is critical, as is using endpoint detection tools (e.g., EDR solutions from ESET or CrowdStrike) that include behavioral signatures for backdoor commands such as file theft and screenshot capture.