mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-22 23:07:19 +00:00
Merge branch 'MISP:main' into main
This commit is contained in:
commit
165ce70a28
4 changed files with 199 additions and 51 deletions
|
@ -315,6 +315,27 @@
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
],
|
],
|
||||||
"type": "uses"
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
|
"uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
|
||||||
|
@ -322,10 +343,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT41",
|
"APT41",
|
||||||
"BARIUM"
|
"BARIUM"
|
||||||
|
@ -336,10 +357,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"CHROMIUM",
|
"CHROMIUM",
|
||||||
"ControlX"
|
"ControlX"
|
||||||
|
@ -350,10 +371,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0322"
|
"DEV-0322"
|
||||||
]
|
]
|
||||||
|
@ -363,10 +384,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT40",
|
"APT40",
|
||||||
"GADOLINIUM",
|
"GADOLINIUM",
|
||||||
|
@ -380,10 +401,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"GALLIUM"
|
"GALLIUM"
|
||||||
]
|
]
|
||||||
|
@ -393,10 +414,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0234"
|
"DEV-0234"
|
||||||
]
|
]
|
||||||
|
@ -406,10 +427,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT5",
|
"APT5",
|
||||||
"Keyhole Panda",
|
"Keyhole Panda",
|
||||||
|
@ -422,10 +443,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT15",
|
"APT15",
|
||||||
"NICKEL",
|
"NICKEL",
|
||||||
|
@ -438,10 +459,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT30",
|
"APT30",
|
||||||
"LotusBlossom",
|
"LotusBlossom",
|
||||||
|
@ -453,10 +474,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"HAFNIUM"
|
"HAFNIUM"
|
||||||
]
|
]
|
||||||
|
@ -466,10 +487,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "China",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT31",
|
"APT31",
|
||||||
"ZIRCONIUM"
|
"ZIRCONIUM"
|
||||||
|
@ -666,10 +687,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"NEPTUNIUM",
|
"NEPTUNIUM",
|
||||||
"Vice Leaker"
|
"Vice Leaker"
|
||||||
|
@ -680,10 +701,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"CURIUM",
|
"CURIUM",
|
||||||
"TA456",
|
"TA456",
|
||||||
|
@ -695,10 +716,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0228"
|
"DEV-0228"
|
||||||
]
|
]
|
||||||
|
@ -708,10 +729,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0343"
|
"DEV-0343"
|
||||||
]
|
]
|
||||||
|
@ -721,10 +742,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT34",
|
"APT34",
|
||||||
"Cobalt Gypsy",
|
"Cobalt Gypsy",
|
||||||
|
@ -737,10 +758,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Fox Kitten",
|
"Fox Kitten",
|
||||||
"PioneerKitten",
|
"PioneerKitten",
|
||||||
|
@ -753,10 +774,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"MERCURY",
|
"MERCURY",
|
||||||
"MuddyWater",
|
"MuddyWater",
|
||||||
|
@ -770,10 +791,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0500",
|
"DEV-0500",
|
||||||
"Moses Staff"
|
"Moses Staff"
|
||||||
|
@ -784,10 +805,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT35",
|
"APT35",
|
||||||
"Charming Kitten",
|
"Charming Kitten",
|
||||||
|
@ -799,10 +820,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT33",
|
"APT33",
|
||||||
"HOLMIUM",
|
"HOLMIUM",
|
||||||
|
@ -814,10 +835,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"AMERICIUM",
|
"AMERICIUM",
|
||||||
"Agrius",
|
"Agrius",
|
||||||
|
@ -831,10 +852,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0146",
|
"DEV-0146",
|
||||||
"ZeroCleare"
|
"ZeroCleare"
|
||||||
|
@ -845,10 +866,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Iran",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"BOHRIUM"
|
"BOHRIUM"
|
||||||
]
|
]
|
||||||
|
@ -858,10 +879,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "LB",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Lebanon",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"POLONIUM"
|
"POLONIUM"
|
||||||
]
|
]
|
||||||
|
@ -871,10 +892,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "KP",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "North Korea",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Labyrinth Chollima",
|
"Labyrinth Chollima",
|
||||||
"Lazarus",
|
"Lazarus",
|
||||||
|
@ -886,10 +907,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "KP",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "North Korea",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Kimsuky",
|
"Kimsuky",
|
||||||
"THALLIUM",
|
"THALLIUM",
|
||||||
|
@ -901,10 +922,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "KP",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "North Korea",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Konni",
|
"Konni",
|
||||||
"OSMIUM"
|
"OSMIUM"
|
||||||
|
@ -915,10 +936,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "KP",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "North Korea",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"LAWRENCIUM"
|
"LAWRENCIUM"
|
||||||
]
|
]
|
||||||
|
@ -928,10 +949,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "KP",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "North Korea",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"CERIUM"
|
"CERIUM"
|
||||||
]
|
]
|
||||||
|
@ -941,10 +962,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "KP",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "North Korea",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"BlueNoroff",
|
"BlueNoroff",
|
||||||
"COPERNICIUM",
|
"COPERNICIUM",
|
||||||
|
@ -956,10 +977,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "KP",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "North Korea",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0530",
|
"DEV-0530",
|
||||||
"H0lyGh0st"
|
"H0lyGh0st"
|
||||||
|
@ -1026,10 +1047,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Russia",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"ACTINIUM",
|
"ACTINIUM",
|
||||||
"Gamaredon",
|
"Gamaredon",
|
||||||
|
@ -1042,10 +1063,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Russia",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0586"
|
"DEV-0586"
|
||||||
]
|
]
|
||||||
|
@ -1055,10 +1076,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Russia",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT28",
|
"APT28",
|
||||||
"Fancy Bear",
|
"Fancy Bear",
|
||||||
|
@ -1070,10 +1091,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Russia",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"BROMINE",
|
"BROMINE",
|
||||||
"Crouching Yeti",
|
"Crouching Yeti",
|
||||||
|
@ -1085,10 +1106,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Russia",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT29",
|
"APT29",
|
||||||
"Cozy Bear",
|
"Cozy Bear",
|
||||||
|
@ -1100,10 +1121,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Russia",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"IRIDIUM",
|
"IRIDIUM",
|
||||||
"Sandworm"
|
"Sandworm"
|
||||||
|
@ -1114,10 +1135,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Russia",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Callisto",
|
"Callisto",
|
||||||
"Reuse Team",
|
"Reuse Team",
|
||||||
|
@ -1129,10 +1150,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Russia",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DEV-0665"
|
"DEV-0665"
|
||||||
]
|
]
|
||||||
|
@ -1142,10 +1163,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "KR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "South Korea",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DUBNIUM",
|
"DUBNIUM",
|
||||||
"Dark Hotel",
|
"Dark Hotel",
|
||||||
|
@ -1157,10 +1178,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "TR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Turkey",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"SILICON",
|
"SILICON",
|
||||||
"Sea Turtle"
|
"Sea Turtle"
|
||||||
|
@ -1171,10 +1192,10 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "VN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
||||||
],
|
],
|
||||||
"sector": "Vietnam",
|
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT32",
|
"APT32",
|
||||||
"BISMUTH",
|
"BISMUTH",
|
||||||
|
@ -1185,5 +1206,5 @@
|
||||||
"value": "Canvas Cyclone"
|
"value": "Canvas Cyclone"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 12
|
"version": 13
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,9 +16,18 @@
|
||||||
"https://www.notion.so/product"
|
"https://www.notion.so/product"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
}
|
||||||
|
],
|
||||||
"uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
|
"uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
|
||||||
"value": "Notion"
|
"value": "Notion"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 1
|
"version": 2
|
||||||
}
|
}
|
||||||
|
|
|
@ -2302,6 +2302,27 @@
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
],
|
],
|
||||||
"type": "similar"
|
"type": "similar"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
|
"uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
|
||||||
|
@ -8192,6 +8213,27 @@
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
],
|
],
|
||||||
"type": "similar"
|
"type": "similar"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
|
"uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
|
||||||
|
@ -10667,5 +10709,5 @@
|
||||||
"value": "Anonymous Sudan"
|
"value": "Anonymous Sudan"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 263
|
"version": 265
|
||||||
}
|
}
|
||||||
|
|
|
@ -8711,7 +8711,7 @@
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
{
|
{
|
||||||
"dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,",
|
"dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",
|
||||||
"tags": [
|
"tags": [
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
],
|
],
|
||||||
|
@ -8756,7 +8756,7 @@
|
||||||
"value": "AHK Bot"
|
"value": "AHK Bot"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "A tool first used in October 2022, abusing the Notion7 service to communicate and download further malicious files. Two versions of this tool have been observed.",
|
"description": "A tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.\n\nSNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, SNOWYAMBER uses several antidetection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
|
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
|
||||||
|
@ -8764,11 +8764,41 @@
|
||||||
"https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
|
"https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "uses"
|
||||||
|
}
|
||||||
|
],
|
||||||
"uuid": "0125ef58-2675-426f-90eb-0b189961199a",
|
"uuid": "0125ef58-2675-426f-90eb-0b189961199a",
|
||||||
"value": "SNOWYAMBER"
|
"value": "SNOWYAMBER"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.",
|
"description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.\n\nHALFRIG is a stager for CobaltStrike Beacon that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. HALFRIG has significant code overlap with the QUARTERRIG and it is highly probable that it was developed by the same team.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
|
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
|
||||||
|
@ -8776,11 +8806,34 @@
|
||||||
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
|
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
}
|
||||||
|
],
|
||||||
"uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
|
"uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
|
||||||
"value": "HALFRIG"
|
"value": "HALFRIG"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.",
|
"description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.\n\nQUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
|
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
|
||||||
|
@ -8788,9 +8841,32 @@
|
||||||
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
|
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "used-by"
|
||||||
|
}
|
||||||
|
],
|
||||||
"uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
|
"uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
|
||||||
"value": "QUARTERRIG"
|
"value": "QUARTERRIG"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 162
|
"version": 164
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue