From 2137a86586816edac3a9362b749f63276553231b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH] [threat-actors] Add SongXY
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4e3e522..db5c3d8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16957,6 +16957,17 @@
 },
 "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
 "value": "CeranaKeeper"
+ },
+ {
+ "description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.",
+ "meta": {
+ "refs": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
+ "http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf"
+ ]
+ },
+ "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
+ "value": "SongXY"
 }
 ],
 "version": 316
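Review bot: The second entry in the new `refs` array fetches the PT Security PDF over plain `http://` while the first ref reaches the same host over `https://`; analysts follow these links, so the source should be retrieved with transport integrity: `"https://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf"`. The first ref's URL is titled as a Higaisa write-up rather than a SongXY one, so it is worth confirming that page actually documents SongXY, or stating the relationship to Higaisa in the description so the link is not read as misattribution. The description asserts "Chinese APT group" only in free text; if neighbouring clusters in this galaxy carry a `"country"` meta key (not visible in this hunk), adding `"country": "CN"` would make the attribution machine-readable and consistent with them. The CVE-2018-0798 / Royal Road claim is presumably drawn from the PDF; a short attribution such as "per PT Security" in the description would let readers weigh the confidence of that linkage.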