From 1589a943a9e596bb2e466d3c89d7e843b1ac7b2b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:05 -0800 Subject: [PATCH] [threat-actors] Add Storm-1674 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 95b69bf..b8eae0d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14696,6 +14696,17 @@ }, "uuid": "3e595289-05b8-43fc-bd88-f8650436447f", "value": "Storm-0829" + }, + { + "description": "Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/" + ] + }, + "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6", + "value": "Storm-1674" } ], "version": 298