diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4e3e522..db5c3d8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16957,6 +16957,17 @@
       },
       "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
       "value": "CeranaKeeper"
+    },
+    {
+      "description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.",
+      "meta": {
+        "refs": [
+          "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
+          "http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf"
+        ]
+      },
+      "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
+      "value": "SongXY"
     }
   ],
   "version": 316