From 48077bd08a2861228e3c27d18e476144485342b1 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:33 -0800
Subject: [PATCH 01/17] [threat-actors] Add Storm-2077
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e8315496..2d88401c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17467,6 +17467,21 @@
 },
 "uuid": "192be820-af1a-4967-b38c-73326fa9ca9f",
 "value": "Gorilla"
+ },
+ {
+ "description": "TAG-100 is a cyber-espionage APT that targets government and private sector organizations globally, exploiting vulnerabilities in internet-facing devices such as Citrix NetScaler and F5 BIG-IP for initial access. The group employs open-source tools like Pantegana and SparkRAT for persistence and post-exploitation activities, including credential theft and email data exfiltration. TAG-100 has compromised entities in at least ten countries, including two Asia-Pacific intergovernmental organizations, and focuses on sectors like education, finance, and local government. Their operations highlight the challenges of attribution due to the use of off-the-shelf tools and techniques that overlap with other state-sponsored groups.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/",
+ "https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign"
+ ],
+ "synonyms": [
+ "TAG-100"
+ ]
+ },
+ "uuid": "e6afdfb4-a5ac-4be1-9cd0-c1801a7f7083",
+ "value": "Storm-2077"
 }
 ],
 "version": 321
From 2cb75a870bc346dc3b276848ef1c3ef7bb7fd887 Mon Sep 17 00:00:00 2001
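Review bot: The description never mentions Storm-2077 — it is written entirely about TAG-100, while `"value"` is `"Storm-2077"` and TAG-100 appears only under `"synonyms"`, so a reader cannot tell whether the two names are asserted to be the same actor or merely overlapping activity, nor which of the two refs supports which name. Open the description with the cluster's own name and make the overlap explicit, along the lines of `"description": "Storm-2077 is a China-based threat actor tracked by Microsoft whose activity overlaps with what Recorded Future tracks as TAG-100. TAG-100 is a cyber-espionage APT that ..."` — only the Microsoft ref on the page names Storm-2077, so whether Microsoft equates the two must be confirmed against that post before wording it as an alias. Separately, the trailing context line shows `"version": 321` unchanged, and every other cluster-adding patch in this series (03, 06, 07, 09, 10, 11, 12, 13, 14, 15) also leaves it at 321; consumers that use the galaxy `version` to detect updates will not pick these entries up unless a later commit bumps it.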
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:33 -0800
Subject: [PATCH 02/17] [threat-actors] Add HAZY TIGER aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d88401c..c13287a4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10413,13 +10413,15 @@
 "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
 "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg",
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
- "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
+ "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats"
 ],
 "synonyms": [
 "Bitter",
 "T-APT-17",
 "APT-C-08",
- "Orange Yali"
+ "Orange Yali",
+ "TA397"
 ]
 },
 "uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",
From f0de8603ca82fa26b9a797f5f3f070d1ecdebc1f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:33 -0800
Subject: [PATCH 03/17] [threat-actors] Add INDOHAXSEC TEAM
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c13287a4..c01742bb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17484,6 +17484,17 @@
 },
 "uuid": "e6afdfb4-a5ac-4be1-9cd0-c1801a7f7083",
 "value": "Storm-2077"
+ },
+ {
+ "description": "INDOHAXSEC TEAM is an Indonesian group that claims to have developed a web-based version of WannaCry, asserting the ability to encrypt websites and demand Bitcoin as ransom. However, their technical capabilities remain uncertain, as creating ransomware of this scale requires significant expertise. The group's claims may be exaggerated for attention, and verified evidence is needed to assess their true capabilities.",
+ "meta": {
+ "country": "ID",
+ "refs": [
+ "https://socradar.io/dark-peep-17-dark-web-hacker-forums-ransomware/"
+ ]
+ },
+ "uuid": "c4ff73cd-858a-4e84-b2cd-929532f8c320",
+ "value": "INDOHAXSEC TEAM"
 }
 ],
 "version": 321
From 9356e43313c9c08ab6c4b2c64a817549cc281586 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:33 -0800
Subject: [PATCH 04/17] [threat-actors] Add FlyingYeti aliases
---
 clusters/threat-actor.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c01742bb..59c0498d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16110,7 +16110,13 @@
 "meta": {
 "country": "RU",
 "refs": [
- "https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine"
+ "https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine",
+ "https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/",
+ "https://www.cloudflare.com/threat-intelligence/research/report/disrupting-flyingyetis-campaign-targeting-ukrainev/"
+ ],
+ "synonyms": [
+ "Storm-1837",
+ "Flying Yeti"
 ]
 },
 "uuid": "1dcbad05-c5b7-4ec3-8920-45f396554f7a",
From 0ddf797234f600909b09815aff93d3bcec66176d Mon Sep 17 00:00:00 2001
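Review bot: In the FlyingYeti hunk the third added ref ends in `targeting-ukrainev/`, which looks like a typo of `targeting-ukraine`; it also appears to be the report form of the first ref (same vendor, same campaign), so confirm the URL resolves before merging and drop it if it only duplicates the blog post. The `"Storm-1837"` synonym rests on the Microsoft `frequent-freeloader-part-ii` post, which by its title is about Secret Blizzard reusing other groups' tooling; it is worth checking that Microsoft names Storm-1837 as FlyingYeti itself rather than only describing infrastructure overlap, since a synonym merges sightings in this galaxy. The cluster's `"value"` and `"description"` lines are outside the hunk.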
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:33 -0800
Subject: [PATCH 05/17] [threat-actors] Add Operation C-Major aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 59c0498d..6aab9606 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3517,7 +3517,9 @@
 "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
 "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
 "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
- "https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/"
+ "https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/",
+ "https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/",
+ "https://www.reco.ai/blog/how-apt36-elizarat-redefines-cyber-espionage"
 ],
 "synonyms": [
 "C-Major",
@@ -3529,7 +3531,8 @@
 "TMP.Lapis",
 "Green Havildar",
 "COPPER FIELDSTONE",
- "Earth Karkaddan"
+ "Earth Karkaddan",
+ "Storm-0156"
 ],
 "targeted-sector": [
 "Activists",
From 2a15c0d73ba6b92816a5116a70447422da87e0ab Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 06/17] [threat-actors] Add Massgrave
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6aab9606..f43813c1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
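Review bot: In the second hunk, `"Storm-0156"` is added as a synonym on the strength of a Microsoft post whose title frames Storm-0156 as an actor whose infrastructure Secret Blizzard compromised; whether Microsoft equates Storm-0156 with Transparent Tribe/APT36 or only describes overlapping activity is not established by anything on the page and should be checked before it is merged, because synonyms in this galaxy fold sightings into one actor. If it is an overlap rather than an alias, keep the ref but express the link through a `related` entry instead of `synonyms`. The cluster's `"value"` and `"description"` are outside both hunks.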
@@ -17504,6 +17504,16 @@
 },
 "uuid": "c4ff73cd-858a-4e84-b2cd-929532f8c320",
 "value": "INDOHAXSEC TEAM"
+ },
+ {
+ "description": "Massgrave is a hacking group that has developed a method to bypass Microsoft's software licensing for Windows and Office, enabling permanent activation of versions from Windows Vista to Windows 11. They are known for creating effective scripts for software activation, which are distributed through an unofficial repository at massgrave.dev. The group claims their exploit supports volume activation via the Key Management Services model and has gained traction within the piracy scene. Reports indicate that their tools may be used by unauthorized individuals, including Microsoft support agents, raising legal and security concerns.",
+ "meta": {
+ "refs": [
+ "https://www.techspot.com/news/105785-mas-developers-achieve-major-breakthrough-windows-office-cracking.html"
+ ]
+ },
+ "uuid": "48e2e297-55bd-4a6f-9c72-bc10ed06afa1",
+ "value": "Massgrave"
 }
 ],
 "version": 321
From a20a8efd28ccbf92ffedd40fb1a06aa86cf6f90b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 07/17] [threat-actors] Add FunkSec
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f43813c1..8942b0a1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
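Review bot: This entry describes a project that publishes licence-activation scripts, not an adversary intruding into organisations, so its place in threat-actor — which the README hunk in patch 17 defines as adversary groups targeting organizations and employees — is questionable; either state in the description what intrusion activity the cluster is meant to correlate, or consider the tool galaxy instead. If it stays, the ref slug (`mas-developers`) shows the project is commonly known as MAS, so add `"synonyms": ["MAS"]` (and the expanded form "Microsoft Activation Scripts" if the ref confirms it) so lookups on that name resolve. The claim that Microsoft support agents use the tools comes from the single TechSpot press ref and should be attributed as a press report rather than stated as established.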
@@ -17514,6 +17514,16 @@
 },
 "uuid": "48e2e297-55bd-4a6f-9c72-bc10ed06afa1",
 "value": "Massgrave"
+ },
+ {
+ "description": "Funksec is a newly identified extortion group that has claimed 11 victims across various sectors, including media, IT, and education, operating a Tor-based DLS to centralize its ransomware activities. The group advertises a free DDoS tool and may develop its own ransomware binary, indicating significant technical capability. The DLS was likely created in late November to early December 2024, with the first advertisement titled “Funksec Ransomware” posted on 3 December 2024. Currently, there is limited publicly available information on Funksec's TTPs, and it is not known to be associated with any other threat groups.",
+ "meta": {
+ "refs": [
+ "https://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/"
+ ]
+ },
+ "uuid": "052519d2-1a4f-49d1-abe6-baffce51fedb",
+ "value": "FunkSec"
 }
 ],
 "version": 321
From fc27aa88a3bcca0427baab3d536848c9f3df76b0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 08/17] [threat-actors] Add APT28 aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8942b0a1..4406ed10 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
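Review bot: The description is a point-in-time snapshot with no date anchor — "newly identified", "has claimed 11 victims", "Currently, there is limited ... information" — so it will silently go stale; anchor it, e.g. `"description": "Funksec is an extortion group first observed in December 2024 that, as of that month, had claimed 11 victims ..."`. The name casing is also inconsistent: `"value": "FunkSec"`, but the description and the advertisement title it quotes spell it `Funksec`, so add `"synonyms": ["Funksec"]` so lookups on the group's own spelling resolve. The same value/description casing mismatch appears in patch 13 (`"Liminal Panda"` vs `LIMINAL PANDA`) and patch 14 (`"Altoufan Team"` vs `ALTOUFAN TEAM`), while patch 02's subject suggests vendor-style uppercase names (HAZY TIGER) are kept as-is elsewhere in the file; pick one convention and add the other form as a synonym.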
@@ -2401,7 +2401,8 @@
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
 "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
 "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
- "https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e"
+ "https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e",
+ "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
 ],
 "synonyms": [
 "Pawn Storm",
@@ -2429,7 +2430,8 @@
 "Sofacy",
 "Forest Blizzard",
 "BlueDelta",
- "Fancy Bear"
+ "Fancy Bear",
+ "GruesomeLarch"
 ],
 "targeted-sector": [
 "Military",
From cd32c36785d3cf46355876c72141e24f826f3801 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 09/17] [threat-actors] Add Storm-0940
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4406ed10..2cbb3f8d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17526,6 +17526,17 @@
 },
 "uuid": "052519d2-1a4f-49d1-abe6-baffce51fedb",
 "value": "FunkSec"
+ },
+ {
+ "description": "Storm-0940 is a Chinese threat actor active since at least 2021, known for gaining initial access through password spray and brute-force attacks, as well as exploiting network edge applications. Microsoft has observed Storm-0940 utilizing valid credentials obtained from CovertNetwork-1658's password spray operations, indicating a close operational relationship between the two. Once inside a victim environment, Storm-0940 has been seen leveraging compromised credentials for further malicious activities. Additionally, Storm-0940 has employed botnets, such as Quad7, to facilitate password spraying attacks.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/"
+ ]
+ },
+ "uuid": "301ffea9-edd5-4d89-a65f-8add8e34e95d",
+ "value": "Storm-0940"
 }
 ],
 "version": 321
From 753cca049b13f3d31c0ce79c2576ef9421bf6b68 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 10/17] [threat-actors] Add Anonymous KSA
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2cbb3f8d..1d45d5f9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
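Review bot: The relationship to CovertNetwork-1658 and the Quad7 botnet is carried in prose only; if either has its own cluster in this galaxy (not visible here), add a `related` entry pointing at it so the link survives tooling that reads structure rather than description text. The description also says the actor's access comes from sprayed credentials and edge-device exploitation but the `meta` carries no `targeted-sector`, which sibling clusters in this series (APT28 in patch 08, Transparent Tribe in patch 05) do populate — add it only if the Microsoft ref names the sectors. The `"country": "CN"` is consistent with the description's "Chinese threat actor".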
@@ -17537,6 +17537,17 @@
 },
 "uuid": "301ffea9-edd5-4d89-a65f-8add8e34e95d",
 "value": "Storm-0940"
+ },
+ {
+ "description": "Anonymous KSA is a Saudi hacking group that has executed cyber attacks targeting Indian institutions, including a significant breach of UIDAI's data storage units, leading to access to sensitive information and system disruption. The group claims these actions are in response to India's normalization of ties with Israel and its treatment of Palestinians. They have called for support for the Palestinian cause and accountability for the damage caused by their operations. The group's TTPs include targeting government agencies and leveraging public sentiment to justify their actions.",
+ "meta": {
+ "refs": [
+ "https://x.com/DailyDarkWeb/status/1807783849608286296",
+ "https://cybershafarat.com/2024/07/22/hacking-group-anonymous-ksa-a-notorious-threat-actor-is-targeting-india-in-a-series-of-cyber-attacks/"
+ ]
+ },
+ "uuid": "b869c1dc-0cf8-4d8a-b5f3-5b90c557db1c",
+ "value": "Anonymous KSA"
 }
 ],
 "version": 321
From 7a12bc29c80abec6895739b27b57484d121ed971 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 11/17] [threat-actors] Add Aggressive Inventory Zombies
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1d45d5f9..cb58587f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
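Review bot: The description states the UIDAI breach as fact — "has executed cyber attacks ... including a significant breach of UIDAI's data storage units, leading to access to sensitive information" — while the only sources are a tweet and a secondary blog, so it should be worded as the group's own claim, e.g. `"...targeting Indian institutions, including a claimed breach of UIDAI's data storage units..."`. An `x.com` status is a weak ref on its own (ephemeral, no archive); if that post is the actual claim, add an archived copy next to it. The description also calls the group Saudi, yet `meta` has no `"country": "SA"` even though sibling entries in this series set `country` from exactly that kind of statement.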
@@ -17548,6 +17548,19 @@
 },
 "uuid": "b869c1dc-0cf8-4d8a-b5f3-5b90c557db1c",
 "value": "Anonymous KSA"
+ },
+ {
+ "description": "Aggressive Inventory Zombies is a threat actor involved in a large-scale phishing and pig-butchering network targeting retail brands and cryptocurrency users. They create fraudulent sites using a popular website template that scrapes product details from legitimate e-commerce platforms and integrate chat services for phishing. Financial ties to India have been identified, and collaboration with Stark Industries has led to the dismantling of parts of their infrastructure, revealing the network's breadth. AIZ is also linked to Entropy ransomware infections, which were preceded by detections of Cobalt Strike beacons and Dridex malware.",
+ "meta": {
+ "refs": [
+ "https://www.silentpush.com/blog/aiz-retail-crypto-phishing/"
+ ],
+ "synonyms": [
+ "AIZ"
+ ]
+ },
+ "uuid": "ceabe862-3d89-4696-9d7f-32a4850334d9",
+ "value": "Aggressive Inventory Zombies"
 }
 ],
 "version": 321
From 0863ea479409f478b9b4edfa8214d95a342fb468 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 12/17] [threat-actors] Add UNC2465
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cb58587f..0dc7848e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
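Review bot: "collaboration with Stark Industries has led to the dismantling of parts of their infrastructure" is ambiguous — as written it reads as if the actor collaborated with Stark Industries, whereas it presumably means the researchers worked with that hosting provider to take infrastructure down; if the ref says so, rewrite it as `"...Silent Push's collaboration with the hosting provider Stark Industries led to the dismantling of parts of their infrastructure..."`. The final sentence linking AIZ to Entropy ransomware preceded by Cobalt Strike and Dridex detections reads like material from a different vendor report; verify it is actually in the Silent Push post before keeping it, since a wrong ransomware link will propagate through correlation. The `"AIZ"` synonym matches the ref slug.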
@@ -17561,6 +17561,18 @@
 },
 "uuid": "ceabe862-3d89-4696-9d7f-32a4850334d9",
 "value": "Aggressive Inventory Zombies"
+ },
+ {
+ "description": "UNC2465 is a threat actor known for deploying the SMOKEDHAM .NET backdoor and DARKSIDE ransomware, utilizing TTPs such as phishing, Trojanized software installers, and supply chain attacks. They have employed the NGROK utility to expose internal services and facilitate lateral movement within victim environments. UNC2465 has also leveraged tools like UltraVNC, Cobalt Strike BEACON, and conducted credential harvesting via LSASS memory dumping. Their operations have included extortion tactics through a leaks website over TOR, applying pressure on victims by releasing stolen data.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations",
+ "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise",
+ "https://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns"
+ ]
+ },
+ "uuid": "cbdf8d63-c114-47d5-8f32-f87f365c7c43",
+ "value": "UNC2465"
 }
 ],
 "version": 321
From b287cdc866df321457580f1acb1174f0a80e5314 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 13/17] [threat-actors] Add Liminal Panda
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0dc7848e..60a03b0e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
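Review bot: The second ref's slug, `darkside-affiliate-supply-chain-software-compromise`, identifies UNC2465 as a DARKSIDE affiliate, but the description says only that it deploys DARKSIDE, which drops the affiliate relationship that matters for correlating it with the ransomware operator; say it explicitly, e.g. `"UNC2465 is a threat actor that operated as a DARKSIDE ransomware affiliate, deploying the SMOKEDHAM .NET backdoor and ..."`. If the galaxy already has a DarkSide cluster, a `related` entry pointing at it is the structured way to carry that link. The description also gives no active period; the refs presumably fix one, and stating it would help readers judge how current the TTPs are.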
@@ -17573,6 +17573,17 @@
 },
 "uuid": "cbdf8d63-c114-47d5-8f32-f87f365c7c43",
 "value": "UNC2465"
+ },
+ {
+ "description": "LIMINAL PANDA is a China-nexus APT that targets telecommunications entities, employing custom malware and publicly available tools for covert access, C2, and data exfiltration. The adversary demonstrates extensive knowledge of telecom networks, utilizing GSM protocols to retrieve mobile subscriber information and call metadata. LIMINAL PANDA exploits trust relationships and security gaps between providers to access core infrastructure, indicating a focus on SIGINT collection rather than financial gain. Their intrusion activity has primarily affected telecom providers in southern Asia and Africa, with potential for broader targeting based on network configurations.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/"
+ ]
+ },
+ "uuid": "e7a64fd7-5d30-47ec-b9f6-8c555e5f319f",
+ "value": "Liminal Panda"
 }
 ],
 "version": 321
From 7756609925a4f3502edbf2162ce7298d2210730e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:34 -0800
Subject: [PATCH 14/17] [threat-actors] Add Altoufan Team
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 60a03b0e..3f7a48f8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17584,6 +17584,16 @@
 },
 "uuid": "e7a64fd7-5d30-47ec-b9f6-8c555e5f319f",
 "value": "Liminal Panda"
+ },
+ {
+ "description": "ALTOUFAN TEAM is a politically motivated hacktivist group with anti-Zionism, anti-monarchy, and pro-14-February movement sentiments. They have targeted government agencies and organizations in Bahrain and Israel, claiming to support political causes in the region. The group has employed techniques such as credential theft to compromise systems, as demonstrated by their attack on Bahrain's Social Insurance Organization. ALTOUFAN maintains a presence on social media platforms to disseminate their messages and showcase their activities.",
+ "meta": {
+ "refs": [
+ "https://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/"
+ ]
+ },
+ "uuid": "42d50dda-75e1-4364-8c83-37e2765bb3db",
+ "value": "Altoufan Team"
 }
 ],
 "version": 321
From dacab6d6300b2e8e41d1b84bf5ec709d10076cd3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:35 -0800
Subject: [PATCH 15/17] [threat-actors] Add UAC-0185
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3f7a48f8..338ce26f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17594,6 +17594,19 @@
 },
 "uuid": "42d50dda-75e1-4364-8c83-37e2765bb3db",
 "value": "Altoufan Team"
+ },
+ {
+ "description": "UAC-0185 has been active since at least 2022, primarily targeting Ukrainian defense organizations through credential theft via messaging apps like Signal, Telegram, and WhatsApp, as well as military systems such as DELTA, TENETA, and Kropyva. The group employs phishing attacks, often impersonating the Ukrainian Union of Industrialists and Entrepreneurs (UUIE), to gain unauthorized access to the PCs of defense sector employees. They utilize custom tools, including MESHAGENT and UltraVNC, to facilitate their operations. Their activities are mapped to MITRE ATT&CK, focusing on tactics related to credential theft and remote access.",
+ "meta": {
+ "refs": [
+ "https://socprime.com/blog/uac-0185-aka-unc4221-attack-detection/"
+ ],
+ "synonyms": [
+ "UNC4221"
+ ]
+ },
+ "uuid": "d44be76b-07ad-47b3-a296-3899f27f0702",
+ "value": "UAC-0185"
 }
 ],
 "version": 321
From cb5f240430ee76749ae9c86f3ce9285ae3e4f32e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:35 -0800
Subject: [PATCH 16/17] [threat-actors] Add MirrorFace aliases
---
 clusters/threat-actor.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 338ce26f..eaba9729 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
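Review bot: The last sentence of the description, "Their activities are mapped to MITRE ATT&CK, focusing on tactics related to credential theft and remote access", describes the SOC Prime blog post rather than the actor and should be dropped, or replaced by the concrete techniques the post maps. UAC- designations are issued by CERT-UA, and the SOC Prime post is a secondary write-up, so the CERT-UA advisory it summarises belongs in `refs` ahead of it (the advisory URL is not on the page; take it from the post). `"synonyms": ["UNC4221"]` is consistent with the ref slug `uac-0185-aka-unc4221`, and the description's "active since at least 2022" is the kind of date anchor the other new entries in this series lack.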
@@ -13655,7 +13655,12 @@
 "refs": [
 "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
 "https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf",
- "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
+ "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/",
+ "https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html",
+ "https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html"
+ ],
+ "synonyms": [
+ "Earth Kasha"
 ]
 },
 "uuid": "e992d874-604b-4a09-9c6c-0319d5be652a",
From 022cdcd2d7d55893fae81322d4b0ac27b6a53f0f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:36 -0800
Subject: [PATCH 17/17] [threat actors] Update README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2b29477d..8cf14873 100644
--- a/README.md
+++ b/README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *781* elements
+Category: *actor* - source: *MISP Project* - total: *792* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]