Threat Actor Profile
Description
NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
STIX Data
{'aliases': ['NEODYMIUM'],
 'created': '2018-01-16T16:13:52.465Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[NEODYMIUM](https://attack.mitre.org/groups/G0055) is an '
                'activity group that conducted a campaign in May 2016 and has '
                'heavily targeted Turkish victims. The group has demonstrated '
                'similarity to another activity group called '
                '[PROMETHIUM](https://attack.mitre.org/groups/G0056) due to '
                'overlapping victim and campaign characteristics. (Citation: '
                'Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol '
                '21) [NEODYMIUM](https://attack.mitre.org/groups/G0055) is '
                'reportedly associated closely with '
                '[BlackOasis](https://attack.mitre.org/groups/G0063) '
                'operations, but evidence that the group names are aliases has '
                'not been identified. (Citation: CyberScoop BlackOasis Oct '
                '2017)',
 'external_references': [{'external_id': 'G0055',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0055'},
                         {'description': '(Citation: Microsoft NEODYMIUM Dec '
                                         '2016) (Citation: Microsoft SIR Vol '
                                         '21)',
                          'source_name': 'NEODYMIUM'},
                         {'description': 'Microsoft. (2016, December 14). Twin '
                                         'zero-day attacks: PROMETHIUM and '
                                         'NEODYMIUM target individuals in '
                                         'Europe. Retrieved November 27, 2017.',
                          'source_name': 'Microsoft NEODYMIUM Dec 2016',
                          'url': 'https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/'},
                         {'description': 'Anthe, C. et al. (2016, December '
                                         '14). Microsoft Security Intelligence '
                                         'Report Volume 21. Retrieved November '
                                         '27, 2017.',
                          'source_name': 'Microsoft SIR Vol 21',
                          'url': 'http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf'},
                         {'description': 'Bing, C. (2017, October 16). Middle '
                                         'Eastern hacking group is using '
                                         'FinFisher malware to conduct '
                                         'international espionage. Retrieved '
                                         'February 15, 2018.',
                          'source_name': 'CyberScoop BlackOasis Oct 2017',
                          'url': 'https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/'}],
 'id': 'intrusion-set--025bdaa9-897d-4bad-afa6-013ba5734653',
 'modified': '2025-04-25T14:49:46.469Z',
 'name': 'NEODYMIUM',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}