Merge pull request #1007 from Mathieu4141/threat-actors/9f13f000-33d7…

…-4e23-a87f-877399772e86 [threat actors] Add 3 actors
MISP · Jul 27, 2024 · 22d3501 · 22d3501
2 parents 747a7b4 + 8520412
commit 22d3501
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -591,7 +591,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
 
-Category: *actor* - source: *MISP Project* - total: *713* elements
+Category: *actor* - source: *MISP Project* - total: *716* elements
 
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
 

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
@@ -16423,6 +16423,38 @@
       },
       "uuid": "9565bf78-7c9c-41cd-9ed0-58031f6d8978",
       "value": "UAC-0063"
+    },
+    {
+      "description": "Stargazer Goblin is a threat actor group that operates the Stargazers Ghost Network on GitHub, distributing malware and malicious links through multiple accounts. They utilize compromised and created accounts to evade detection and quickly replace banned components to continue their operations. The group has been estimated to have earned approximately $100,000 from their malicious activities, offering a Distribution as a Service platform for other threat actors to distribute their malware. Stargazer Goblin has been involved in distributing various malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.",
+      "meta": {
+        "refs": [
+          "https://research.checkpoint.com/2024/stargazers-ghost-network/"
+        ]
+      },
+      "uuid": "a86e4a0d-95cf-4ce0-b26c-d1fbb7cc84bc",
+      "value": "Stargazer Goblin"
+    },
+    {
+      "description": "UAC-0102 is a threat actor group targeting UKR.NET users through phishing attacks. They distribute emails with HTML file attachments that redirect users to a fraudulent website to steal authentication data. Security teams can use Sigma rules to detect their phishing campaigns and leverage IOCs provided by CERT-UA to hunt for their activity in SIEM or EDR environments.",
+      "meta": {
+        "refs": [
+          "https://socprime.com/blog/uac-0102-phishing-attack-detection-hackers-steal-authentication-data-impersonating-the-ukr-net-web-service/",
+          "https://cert.gov.ua/article/4928679"
+        ]
+      },
+      "uuid": "7dd2e8ee-4232-43f5-9866-006160f19aea",
+      "value": "UAC-0102"
+    },
+    {
+      "description": "APT45 is a North Korean cyber threat actor that has been active since at least 2009. They have conducted espionage campaigns targeting government agencies and defense industries, as well as financially-motivated operations, including ransomware development. APT45 has targeted critical infrastructure, financial organizations, nuclear research facilities, and healthcare and pharmaceutical companies. They use a mix of publicly available tools, modified malware, and custom malware families in their operations.",
+      "meta": {
+        "country": "KP",
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine"
+        ]
+      },
+      "uuid": "02768be6-853c-4239-8fb1-823427489a86",
+      "value": "APT45"
     }
   ],
   "version": 312