POLONIUM APT

POLONIUM APT (also known as Plaid Rain (formerly POLONIUM)) is a state-sponsored advanced persistent threat group attributed to Lebanon (Hezbollah-affiliated, Iran-backed), active since 2021. The group primarily targets Israel IT, manufacturing, defense sectors.

Overview & Attribution

Lebanon-based, Iran-backed APT exclusively targeting Israeli organizations using OneDrive for C2 and a suite of custom 'Creepy' implants.

Threat Assessment

POLONIUM APT has been active since 2021, attributed to Lebanon (Hezbollah-affiliated, Iran-backed). The group is known for targeting Israel IT, manufacturing, defense using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.

Attribution: Lebanon (Hezbollah-affiliated, Iran-backed)
Active since: 2021
Primary targets: Israel IT, manufacturing, defense
Also known as: Plaid Rain (formerly POLONIUM)

Arsenal & Tools

POLONIUM APT employs a diverse arsenal of custom and shared tooling:

CreepyDrive: Custom/shared tooling used in operations
CreepySnail: Custom/shared tooling used in operations
FlipCreep: Custom/shared tooling used in operations
TechnoCreep: Custom/shared tooling used in operations

Targeting & Operations

The group focuses on Israel IT, manufacturing, defense sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.

Operational Pattern

POLONIUM APT is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.

MITRE ATT&CK Mapping

Tactic	Technique	Usage
Initial Access	T1190 Exploit Public-Facing App	VPN/Fortinet exploitation
Execution	T1059.001 PowerShell	PowerShell payloads
Persistence	T1053.005 Scheduled Task	Scheduled task persistence
Defense Evasion	T1027 Obfuscated Files	Code obfuscation
C2	T1102 Web Service	OneDrive/Dropbox C2
Exfiltration	T1567.002 Exfil to Cloud	Cloud-based exfiltration

Notable Campaigns

POLONIUM APT has been linked to multiple significant campaigns targeting Israel IT, manufacturing, defense organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.

Long-term espionage: Multi-year intrusions into government and defense networks
Supply chain targeting: Compromise of technology providers and managed service providers
Zero-day exploitation: Use of previously unknown vulnerabilities for initial access

Detection & Defense

Threat intelligence integration: Monitor for known POLONIUM APT IOCs and TTPs in SIEM/EDR platforms
Network monitoring: Detect C2 patterns associated with CreepyDrive and related tooling
Email security: Implement advanced phishing detection for spearphishing campaigns
Endpoint detection: Deploy behavioral detection rules for known POLONIUM APT TTPs
Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage

Defend Against POLONIUM APT

Mjolnir Security provides specialized capabilities to detect and respond to POLONIUM APT operations.

APT DetectionThreat HuntingIncident ResponseMDR ServicesThreat Intelligence

APT Threat Hunting Proactive hunting for POLONIUM APT TTPs, tooling artifacts, and infrastructure indicators within your environment.
Threat Intelligence Continuous monitoring of POLONIUM APT campaigns and infrastructure changes with actionable intelligence for your defense team.
24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.

Written by: Mjolnir Security  |  Published: January 27, 2026