Merge pull request #1073 from Mathieu4141/threat-actors/d64c336f-0e5b-4d08-ad24-806f83d829d0

[threat actors] Add 5 actors, and 5 aliases

README.md

@@ -607,7 +607,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
 
-Category: *actor* - source: *MISP Project* - total: *843* elements
+Category: *actor* - source: *MISP Project* - total: *848* elements
 
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
 

clusters/threat-actor.json

@@ -6180,7 +6180,8 @@
           "Desert Falcon",
           "Arid Viper",
           "APT-C-23",
-          "Bearded Barbie"
+          "Bearded Barbie",
+          "Two-tailed Scorpion"
         ]
       },
       "uuid": "0cfff0f4-868c-40a1-b9b4-0d153c0b33b6",
@@ -6451,8 +6452,7 @@
           "https://securelist.com/operation-daybreak/75100/",
           "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
           "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/",
-          "https://unit42.paloaltonetworks.com/atoms/moldypisces/",
-          "https://asec.ahnlab.com/en/83877/"
+          "https://unit42.paloaltonetworks.com/atoms/moldypisces/"
         ],
         "synonyms": [
           "APT 37",
@@ -6470,7 +6470,7 @@
           "ATK4",
           "G0067",
           "Moldy Pisces",
-          "TA-RedAnt"
+          "APT-C-28"
         ]
       },
       "related": [
@@ -6622,7 +6622,8 @@
           "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/",
           "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
           "https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/",
-          "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
+          "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us",
+          "https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/"
         ],
         "synonyms": [
           "Newscaster Team",
@@ -6631,7 +6632,8 @@
           "Phosphorus",
           "Mint Sandstorm",
           "TunnelVision",
-          "COBALT MIRAGE"
+          "COBALT MIRAGE",
+          "Agent Serpens"
         ]
       },
       "related": [
@@ -7780,7 +7782,8 @@
           "https://attack.mitre.org/groups/G0087/",
           "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
           "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
-          "https://unit42.paloaltonetworks.com/atoms/radioserpens/"
+          "https://unit42.paloaltonetworks.com/atoms/radioserpens/",
+          "https://securityintelligence.com/posts/observations-of-itg07-cyber-operations/"
         ],
         "synonyms": [
           "Chafer",
@@ -7788,7 +7791,8 @@
           "COBALT HICKMAN",
           "G0087",
           "Radio Serpens",
-          "TA454"
+          "TA454",
+          "ITG07"
         ]
       },
       "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@@ -15001,14 +15005,17 @@
           "https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/",
           "https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors",
           "https://www.enigmasoftware.com/moneybirdransomware-removal/",
-          "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/"
+          "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/",
+          "https://services.google.com/fh/files/misc/m-trends-2025-en.pdf"
         ],
         "synonyms": [
           "AMERICIUM",
           "BlackShadow",
           "DEV-0022",
           "Agrius",
-          "Agonizing Serpens"
+          "Agonizing Serpens",
+          "UNC2428",
+          "Black Shadow"
         ]
       },
       "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05",
@@ -18270,6 +18277,63 @@
       },
       "uuid": "e02cea12-e033-49ab-843d-d67b45bfd794",
       "value": "Storm-1977"
+    },
+    {
+      "description": "TAG-124 is a threat actor that employs a traffic distribution system to distribute malware, primarily using MintsLoader and targeting various sectors through phishing emails and compromised websites. The actor injects malicious JavaScript into WordPress sites, leading victims to fake Google Chrome update landing pages that facilitate malware downloads, often masquerading as legitimate updates. TAG-124 has been linked to multiple ransomware groups, including Rhysida and Interlock, and demonstrates high activity levels by regularly updating its infrastructure and refining its infection tactics, such as the ClickFix technique. Notable compromised sites include those associated with the Polish Centre for Testing and Certification and the Economic Community of West African States (ECOWAS).",
+      "meta": {
+        "refs": [
+          "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting",
+          "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base"
+        ],
+        "synonyms": [
+          "LandUpdate808"
+        ]
+      },
+      "uuid": "8a1b831c-e07e-43ad-933a-7fe7a9a1e449",
+      "value": "TAG-124"
+    },
+    {
+      "description": "Chaya_004 is a Chinese threat actor identified through malicious infrastructure, including a network of servers hosting Supershell backdoors and various pen testing tools of Chinese origin. The actor's activities are linked to the exploitation of a specific vulnerability, with a focus on using Chinese cloud providers. Analysis of the infrastructure has revealed TTPs associated with Chaya_004, indicating a sophisticated approach to cyber operations. Mitigation recommendations and proactive response measures have been developed in light of these findings.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/"
+        ]
+      },
+      "uuid": "bf0df867-e482-48c3-ab32-93c8bca40ba9",
+      "value": "Chaya_004"
+    },
+    {
+      "description": "ELUSIVE COMET is a threat actor responsible for significant cryptocurrency theft through sophisticated social engineering attacks, particularly leveraging Zoom's remote control feature. Their attack methodology involves manipulating legitimate workflows and exploiting human-centric vulnerabilities rather than technical flaws. The actor employs tactics such as social proof, time pressure, and interface manipulation to deceive targets. Organizations can mitigate risks by implementing technical controls to disable the remote control feature and deploying email boundary protections like DMARC, SPF, and DKIM.",
+      "meta": {
+        "country": "KP",
+        "refs": [
+          "https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/"
+        ]
+      },
+      "uuid": "49751cf1-f3b9-4d5b-99d1-7378d1bc2298",
+      "value": "ELUSIVE COMET"
+    },
+    {
+      "description": "Molatori is a threat actor group identified by Malwarebytes researchers, known for utilizing malicious ScreenConnect clients hosted on domains like atmolatori.icu and gomolatori.cyou. They employ phishing tactics, masquerading as communications from the Social Security Administration to lure targets into installing the client. Once installed, the ScreenConnect client allows the actors to remotely access the victim's computer, facilitating the exfiltration of sensitive information such as banking details and personal identification numbers. The primary objective of the Molatori group is financial fraud, leveraging the stolen data for identity theft and other malicious activities.",
+      "meta": {
+        "refs": [
+          "https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool"
+        ]
+      },
+      "uuid": "ed1fff3e-9d1d-4a3e-b04f-a2d1005c60f7",
+      "value": "Molatori"
+    },
+    {
+      "description": "Malsmoke primarily targets Japanese users through malvertising campaigns that deliver Zloader malware, often leveraging adult content lures and geographic IP information. The group has transitioned from exploit kits, such as Fallout, to social engineering tactics, including fake Java updates, while maintaining a focus on high-traffic adult websites. Their operations are characterized by the use of DGA for C2 server domains and the distribution of payloads via a custom loader, previously relying on Smoke Loader. Connections to past campaigns are evident through similarities in malware masquerading as Java plugins and shared registrar information among domains.",
+      "meta": {
+        "refs": [
+          "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/",
+          "https://www.malwarebytes.com/blog/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing"
+        ]
+      },
+      "uuid": "e2dd2808-5a3c-4437-a626-0b550433e7e5",
+      "value": "Malsmoke"
     }
   ],
   "version": 322