From 182102f73899b7345d623d8d50359c282ffc5e67 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH] [threat-actors] Add CeranaKeeper
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 78ed7f8..4e3e522 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16946,6 +16946,17 @@
 },
 "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7",
 "value": "Awaken Likho"
+ },
+ {
+ "description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/"
+ ]
+ },
+ "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
+ "value": "CeranaKeeper"
 }
 ],
 "version": 316
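Review bot: The trailing context line `"version": 316` is left unchanged although the hunk appends a new cluster entry, so a consumer that compares the cluster version to decide whether to re-import would not pick up CeranaKeeper from this commit alone. Unless the bump is batched in a separate commit (not visible here), change that line to `"version": 317`. Separately, the new entry sets `"country": "CN"` on the strength of a single vendor reference, and the description names TONESHELL as one of the group's backdoors. The reference's title suggests the article is about separating this group from another cluster, so a short sentence in `description` saying that a tool match alone should not be treated as attribution to CeranaKeeper would help analysts who correlate on malware names.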