From 679a59e96d212f52b131d083aad5321b24dc72e5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 26 Jul 2024 06:27:01 -0700
Subject: [PATCH 1/4] [threat-actors] Add Stargazer Goblin
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ae20855..cf1cfe3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16423,6 +16423,16 @@
 },
 "uuid": "9565bf78-7c9c-41cd-9ed0-58031f6d8978",
 "value": "UAC-0063"
+ },
+ {
+ "description": "Stargazer Goblin is a threat actor group that operates the Stargazers Ghost Network on GitHub, distributing malware and malicious links through multiple accounts. They utilize compromised and created accounts to evade detection and quickly replace banned components to continue their operations. The group has been estimated to have earned approximately $100,000 from their malicious activities, offering a Distribution as a Service platform for other threat actors to distribute their malware. Stargazer Goblin has been involved in distributing various malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.",
+ "meta": {
+ "refs": [
+ "https://research.checkpoint.com/2024/stargazers-ghost-network/"
+ ]
+ },
+ "uuid": "a86e4a0d-95cf-4ce0-b26c-d1fbb7cc84bc",
+ "value": "Stargazer Goblin"
 }
 ],
 "version": 312
From 90338e0e0f80e3b5c07d5f4f8d3736860229ed7b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 26 Jul 2024 06:27:01 -0700
Subject: [PATCH 2/4] [threat-actors] Add UAC-0102
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cf1cfe3..6ee2d0c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
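Review bot: The `"version": 312` context line at the end of this hunk is left unchanged although the patch adds a cluster, and the same holds for the UAC-0102 and APT45 hunks in the next two patches. As far as I know MISP instances decide whether to re-import a galaxy by comparing this number, so without a bump the three new clusters would not propagate on update; a single `-    "version": 312` / `+    "version": 313` covering all three additions would fix this. Separately, the only reference describes the operation under the name Stargazers Ghost Network, so a `"synonyms": ["Stargazers Ghost Network"]` entry in `meta` would make the cluster findable under the name analysts will actually search for. Whether the new uuid is unique within the file cannot be checked from this hunk.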
@@ -16433,6 +16433,17 @@
 },
 "uuid": "a86e4a0d-95cf-4ce0-b26c-d1fbb7cc84bc",
 "value": "Stargazer Goblin"
+ },
+ {
+ "description": "UAC-0102 is a threat actor group targeting UKR.NET users through phishing attacks. They distribute emails with HTML file attachments that redirect users to a fraudulent website to steal authentication data. Security teams can use Sigma rules to detect their phishing campaigns and leverage IOCs provided by CERT-UA to hunt for their activity in SIEM or EDR environments.",
+ "meta": {
+ "refs": [
+ "https://socprime.com/blog/uac-0102-phishing-attack-detection-hackers-steal-authentication-data-impersonating-the-ukr-net-web-service/",
+ "https://cert.gov.ua/article/4928679"
+ ]
+ },
+ "uuid": "7dd2e8ee-4232-43f5-9866-006160f19aea",
+ "value": "UAC-0102"
 }
 ],
 "version": 312
From 793e4b9408c04ae9259904baacecc7f25f3ffcfb Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 26 Jul 2024 06:27:01 -0700
Subject: [PATCH 3/4] [threat-actors] Add APT45
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6ee2d0c..cc9fc27 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
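Review bot: The third sentence of the new `description` ("Security teams can use Sigma rules … in SIEM or EDR environments") describes a detection vendor's offering rather than the actor, and reads as lifted from the SOC Prime post in `refs`; a cluster description should state who the actor is and what it does, so I would drop that sentence and keep the first two. The CERT-UA article in `refs` is the primary source for the UAC-0102 designation and could be listed first, with the blog second. No `country` is given, which is the right choice as long as CERT-UA has not attributed the activity; that cannot be confirmed from the hunk.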
@@ -16444,6 +16444,17 @@
 },
 "uuid": "7dd2e8ee-4232-43f5-9866-006160f19aea",
 "value": "UAC-0102"
+ },
+ {
+ "description": "APT45 is a North Korean cyber threat actor that has been active since at least 2009. They have conducted espionage campaigns targeting government agencies and defense industries, as well as financially-motivated operations, including ransomware development. APT45 has targeted critical infrastructure, financial organizations, nuclear research facilities, and healthcare and pharmaceutical companies. They use a mix of publicly available tools, modified malware, and custom malware families in their operations.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine"
+ ]
+ },
+ "uuid": "02768be6-853c-4239-8fb1-823427489a86",
+ "value": "APT45"
 }
 ],
 "version": 312
From 852041233635e861f03f076ce1181d30f1d95932 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 26 Jul 2024 06:27:02 -0700
Subject: [PATCH 4/4] [threat actors] Update README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 546f243..b2295eb 100644
--- a/README.md
+++ b/README.md
@@ -591,7 +591,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *713* elements
+Category: *actor* - source: *MISP Project* - total: *716* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
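Review bot: APT45 is Mandiant's designation, and the referenced post states that it overlaps with activity publicly tracked under other names (it lists Andariel, Onyx Sleet, Stonefly and Silent Chollima); if the galaxy already holds a cluster for that activity, adding APT45 as a standalone entry creates a duplicate that downstream correlation will not link. Either add APT45 to the existing cluster's `synonyms`, or keep this cluster and carry the overlap as a `"synonyms": [...]` entry plus a `related` link to the existing uuid. Which option applies depends on the rest of threat-actor.json, which is outside this hunk. The `"country": "KP"` meta is consistent with the description's "North Korean".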