diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c0800441..089fe7f6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15208,14 +15208,21 @@
       "value": "Karkadann"
     },
     {
-      "description": "Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.",
+      "description": "Storm-0473 (Tomiris) is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.",
       "meta": {
+        "country": "KZ",
         "refs": [
-          "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+          "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/",
+          "https://securelist.com/apt-trends-report-q1-2022/106351/",
+          "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+          "https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/"
+        ],
+        "synonyms": [
+          "UNC2849"
         ]
       },
       "uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c",
-      "value": "Tomiris"
+      "value": "Storm-0473"
     },
     {
       "description": "ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.",