Polonium was initially detailed by Microsoft in June 2022, but evidence suggests that the group has been active since at least September 2021, mainly focusing on cyberespionage.

Operating out of Lebanon, the APT is believed to be working with threat actors affiliated with Iran in the targeting of more than 20 communications, engineering, insurance, information technology, law, marketing, media, and social services entities in Israel.

An active threat that constantly updates its toolset, Polonium has been using seven different backdoors and custom tools slightly modified between attacks, and has been abusing cloud services for command and control (C&C) communications.