
Commit

Merge pull request #1040 from Mathieu4141/threat-actors/00c837cb-a201-4f05-86fe-1ab7e8886663

[threat actors] Add 11 actors and some aliases
adulau authored Dec 20, 2024
2 parents a5fd338 + 022cdcd commit fd8a6f0
Showing 2 changed files with 154 additions and 9 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements

[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.

Category: *actor* - source: *MISP Project* - total: *781* elements
Category: *actor* - source: *MISP Project* - total: *792* elements

[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]

161 changes: 153 additions & 8 deletions clusters/threat-actor.json
@@ -2401,7 +2401,8 @@
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e"
"https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e",
"https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
],
"synonyms": [
"Pawn Storm",
@@ -2429,7 +2430,8 @@
"Sofacy",
"Forest Blizzard",
"BlueDelta",
"Fancy Bear"
"Fancy Bear",
"GruesomeLarch"
],
"targeted-sector": [
"Military",
@@ -3517,7 +3519,9 @@
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
"https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
"https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
"https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/"
"https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/",
"https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/",
"https://www.reco.ai/blog/how-apt36-elizarat-redefines-cyber-espionage"
],
"synonyms": [
"C-Major",
@@ -3529,7 +3533,8 @@
"TMP.Lapis",
"Green Havildar",
"COPPER FIELDSTONE",
"Earth Karkaddan"
"Earth Karkaddan",
"Storm-0156"
],
"targeted-sector": [
"Activists",
@@ -10413,13 +10418,15 @@
"https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
"https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats"
],
"synonyms": [
"Bitter",
"T-APT-17",
"APT-C-08",
"Orange Yali"
"Orange Yali",
"TA397"
]
},
"uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",
@@ -13648,7 +13655,12 @@
"refs": [
"https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf",
"https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
"https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/",
"https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html",
"https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html"
],
"synonyms": [
"Earth Kasha"
]
},
"uuid": "e992d874-604b-4a09-9c6c-0319d5be652a",
@@ -16108,7 +16120,13 @@
"meta": {
"country": "RU",
"refs": [
"https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine"
"https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine",
"https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/",
"https://www.cloudflare.com/threat-intelligence/research/report/disrupting-flyingyetis-campaign-targeting-ukrainev/"
],
"synonyms": [
"Storm-1837",
"Flying Yeti"
]
},
"uuid": "1dcbad05-c5b7-4ec3-8920-45f396554f7a",
@@ -17467,6 +17485,133 @@
},
"uuid": "192be820-af1a-4967-b38c-73326fa9ca9f",
"value": "Gorilla"
},
{
"description": "TAG-100 is a cyber-espionage APT that targets government and private sector organizations globally, exploiting vulnerabilities in internet-facing devices such as Citrix NetScaler and F5 BIG-IP for initial access. The group employs open-source tools like Pantegana and SparkRAT for persistence and post-exploitation activities, including credential theft and email data exfiltration. TAG-100 has compromised entities in at least ten countries, including two Asia-Pacific intergovernmental organizations, and focuses on sectors like education, finance, and local government. Their operations highlight the challenges of attribution due to the use of off-the-shelf tools and techniques that overlap with other state-sponsored groups.",
"meta": {
"country": "CN",
"refs": [
"https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/",
"https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign"
],
"synonyms": [
"TAG-100"
]
},
"uuid": "e6afdfb4-a5ac-4be1-9cd0-c1801a7f7083",
"value": "Storm-2077"
},
{
"description": "INDOHAXSEC TEAM is an Indonesian group that claims to have developed a web-based version of WannaCry, asserting the ability to encrypt websites and demand Bitcoin as ransom. However, their technical capabilities remain uncertain, as creating ransomware of this scale requires significant expertise. The group's claims may be exaggerated for attention, and verified evidence is needed to assess their true capabilities.",
"meta": {
"country": "ID",
"refs": [
"https://socradar.io/dark-peep-17-dark-web-hacker-forums-ransomware/"
]
},
"uuid": "c4ff73cd-858a-4e84-b2cd-929532f8c320",
"value": "INDOHAXSEC TEAM"
},
{
"description": "Massgrave is a hacking group that has developed a method to bypass Microsoft's software licensing for Windows and Office, enabling permanent activation of versions from Windows Vista to Windows 11. They are known for creating effective scripts for software activation, which are distributed through an unofficial repository at massgrave.dev. The group claims their exploit supports volume activation via the Key Management Services model and has gained traction within the piracy scene. Reports indicate that their tools may be used by unauthorized individuals, including Microsoft support agents, raising legal and security concerns.",
"meta": {
"refs": [
"https://www.techspot.com/news/105785-mas-developers-achieve-major-breakthrough-windows-office-cracking.html"
]
},
"uuid": "48e2e297-55bd-4a6f-9c72-bc10ed06afa1",
"value": "Massgrave"
},
{
"description": "Funksec is a newly identified extortion group that has claimed 11 victims across various sectors, including media, IT, and education, operating a Tor-based DLS to centralize its ransomware activities. The group advertises a free DDoS tool and may develop its own ransomware binary, indicating significant technical capability. The DLS was likely created in late November to early December 2024, with the first advertisement titled “Funksec Ransomware” posted on 3 December 2024. Currently, there is limited publicly available information on Funksec's TTPs, and it is not known to be associated with any other threat groups.",
"meta": {
"refs": [
"https://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/"
]
},
"uuid": "052519d2-1a4f-49d1-abe6-baffce51fedb",
"value": "FunkSec"
},
{
"description": "Storm-0940 is a Chinese threat actor active since at least 2021, known for gaining initial access through password spray and brute-force attacks, as well as exploiting network edge applications. Microsoft has observed Storm-0940 utilizing valid credentials obtained from CovertNetwork-1658's password spray operations, indicating a close operational relationship between the two. Once inside a victim environment, Storm-0940 has been seen leveraging compromised credentials for further malicious activities. Additionally, Storm-0940 has employed botnets, such as Quad7, to facilitate password spraying attacks.",
"meta": {
"country": "CN",
"refs": [
"https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/"
]
},
"uuid": "301ffea9-edd5-4d89-a65f-8add8e34e95d",
"value": "Storm-0940"
},
{
"description": "Anonymous KSA is a Saudi hacking group that has executed cyber attacks targeting Indian institutions, including a significant breach of UIDAI's data storage units, leading to access to sensitive information and system disruption. The group claims these actions are in response to India's normalization of ties with Israel and its treatment of Palestinians. They have called for support for the Palestinian cause and accountability for the damage caused by their operations. The group's TTPs include targeting government agencies and leveraging public sentiment to justify their actions.",
"meta": {
"refs": [
"https://x.com/DailyDarkWeb/status/1807783849608286296",
"https://cybershafarat.com/2024/07/22/hacking-group-anonymous-ksa-a-notorious-threat-actor-is-targeting-india-in-a-series-of-cyber-attacks/"
]
},
"uuid": "b869c1dc-0cf8-4d8a-b5f3-5b90c557db1c",
"value": "Anonymous KSA"
},
{
"description": "Aggressive Inventory Zombies is a threat actor involved in a large-scale phishing and pig-butchering network targeting retail brands and cryptocurrency users. They create fraudulent sites using a popular website template that scrapes product details from legitimate e-commerce platforms and integrate chat services for phishing. Financial ties to India have been identified, and collaboration with Stark Industries has led to the dismantling of parts of their infrastructure, revealing the network's breadth. AIZ is also linked to Entropy ransomware infections, which were preceded by detections of Cobalt Strike beacons and Dridex malware.",
"meta": {
"refs": [
"https://www.silentpush.com/blog/aiz-retail-crypto-phishing/"
],
"synonyms": [
"AIZ"
]
},
"uuid": "ceabe862-3d89-4696-9d7f-32a4850334d9",
"value": "Aggressive Inventory Zombies"
},
{
"description": "UNC2465 is a threat actor known for deploying the SMOKEDHAM .NET backdoor and DARKSIDE ransomware, utilizing TTPs such as phishing, Trojanized software installers, and supply chain attacks. They have employed the NGROK utility to expose internal services and facilitate lateral movement within victim environments. UNC2465 has also leveraged tools like UltraVNC, Cobalt Strike BEACON, and conducted credential harvesting via LSASS memory dumping. Their operations have included extortion tactics through a leaks website over TOR, applying pressure on victims by releasing stolen data.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations",
"https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise",
"https://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns"
]
},
"uuid": "cbdf8d63-c114-47d5-8f32-f87f365c7c43",
"value": "UNC2465"
},
{
"description": "LIMINAL PANDA is a China-nexus APT that targets telecommunications entities, employing custom malware and publicly available tools for covert access, C2, and data exfiltration. The adversary demonstrates extensive knowledge of telecom networks, utilizing GSM protocols to retrieve mobile subscriber information and call metadata. LIMINAL PANDA exploits trust relationships and security gaps between providers to access core infrastructure, indicating a focus on SIGINT collection rather than financial gain. Their intrusion activity has primarily affected telecom providers in southern Asia and Africa, with potential for broader targeting based on network configurations.",
"meta": {
"country": "CN",
"refs": [
"https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/"
]
},
"uuid": "e7a64fd7-5d30-47ec-b9f6-8c555e5f319f",
"value": "Liminal Panda"
},
{
"description": "ALTOUFAN TEAM is a politically motivated hacktivist group with anti-Zionism, anti-monarchy, and pro-14-February movement sentiments. They have targeted government agencies and organizations in Bahrain and Israel, claiming to support political causes in the region. The group has employed techniques such as credential theft to compromise systems, as demonstrated by their attack on Bahrain's Social Insurance Organization. ALTOUFAN maintains a presence on social media platforms to disseminate their messages and showcase their activities.",
"meta": {
"refs": [
"https://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/"
]
},
"uuid": "42d50dda-75e1-4364-8c83-37e2765bb3db",
"value": "Altoufan Team"
},
{
"description": "UAC-0185 has been active since at least 2022, primarily targeting Ukrainian defense organizations through credential theft via messaging apps like Signal, Telegram, and WhatsApp, as well as military systems such as DELTA, TENETA, and Kropyva. The group employs phishing attacks, often impersonating the Ukrainian Union of Industrialists and Entrepreneurs (UUIE), to gain unauthorized access to the PCs of defense sector employees. They utilize custom tools, including MESHAGENT and UltraVNC, to facilitate their operations. Their activities are mapped to MITRE ATT&CK, focusing on tactics related to credential theft and remote access.",
"meta": {
"refs": [
"https://socprime.com/blog/uac-0185-aka-unc4221-attack-detection/"
],
"synonyms": [
"UNC4221"
]
},
"uuid": "d44be76b-07ad-47b3-a296-3899f27f0702",
"value": "UAC-0185"
}
],
"version": 321

0 comments on commit fd8a6f0
