PROMETHIUM threat actors have been expanding their attempts to infect new targets, most likely in Colombia, India, Canada, and Vietnam, with the group's StrongPity3 malware. Using four trojanized setup files, the group is distributing the malware via Firefox, VPNpro, DriverPack, and 5kPlayer. The attack vector is not presently known; however, given the nature of the trojanized files, the initial vector could be a watering hole or in-path interception. The trojanized files install the legitimate files alongside the malicious ones, seemingly to obscure the installation of the latter. Additionally, the files alter Windows Defender so that the malicious files can be dropped without being detected. The malware can exfiltrate any Microsoft Office files it finds.

The differences between StrongPity2 (SP2) and StrongPity3 (SP3) are few. First, SP3 no longer uses libcurl and uses only winhttp to communicate with its C2 node(s). Additionally, persistence, which was previously achieved via a registry key entry, is now achieved via a newly created service. The name of this service changes from package to package.
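Because the service name differs from package to package, a name-based indicator will not catch the persistence step. The sketch below is an added example, not taken from the report: it flags a new service installed shortly after a Windows Defender configuration change on the same host. The event record shape, host names, service names and the five-minute window are assumptions, and since the report does not say which Defender setting is altered, any configuration change is treated as the first signal.

```python
from datetime import datetime, timedelta

# Real Windows event IDs: 5007 = Defender configuration changed
# (Windows Defender/Operational log); 7045 = a service was installed
# (System log, Service Control Manager).
DEFENDER_CONFIG_CHANGED = 5007
SERVICE_INSTALLED = 7045

def correlate(events, window=timedelta(minutes=5)):
    """Return (host, service, time) for every service install that follows a
    Defender configuration change on the same host within `window`.
    The service name is reported but never matched on, since it varies."""
    last_change = {}  # host -> time of the most recent Defender change
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == DEFENDER_CONFIG_CHANGED:
            last_change[ev["host"]] = ev["time"]
        elif ev["id"] == SERVICE_INSTALLED:
            changed = last_change.get(ev["host"])
            if changed is not None and ev["time"] - changed <= window:
                hits.append((ev["host"], ev["service"], ev["time"]))
    return hits

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed sample events; hosts and service names are hypothetical.
SAMPLE = [
    {"host": "WS-01", "time": parse_ts("2024-01-01 10:00:05"), "id": 5007},
    {"host": "WS-01", "time": parse_ts("2024-01-01 10:00:40"), "id": 7045,
     "service": "ExampleSvcA"},
    # Defender change and service install too far apart: not flagged.
    {"host": "WS-02", "time": parse_ts("2024-01-01 09:00:00"), "id": 5007},
    {"host": "WS-02", "time": parse_ts("2024-01-01 11:30:00"), "id": 7045,
     "service": "ExampleSvcB"},
    # Service install with no Defender change at all: not flagged.
    {"host": "WS-03", "time": parse_ts("2024-01-01 12:00:00"), "id": 7045,
     "service": "ExampleSvcC"},
]

if __name__ == "__main__":
    for host, service, when in correlate(SAMPLE):
        print(f"{when} {host}: service '{service}' installed after Defender change")
```

Legitimate installers can also trigger both events, so hits from this correlation are triage leads rather than confirmed infections.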