diff --git a/README.md b/README.md index bea1cde..1e1075d 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *746* elements +Category: *actor* - source: *MISP Project* - total: *751* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 34844ed..40c3e41 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16918,6 +16918,71 @@ }, "uuid": "80a874d5-0645-4245-aeb6-9b33a8689928", "value": "UNC1860" + }, + { + "description": "SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. Additionally, they have been noted for their potential to leak sensitive information from compromised devices.", + "meta": { + "refs": [ + "https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/", + "https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4" + ], + "synonyms": [ + "SkidSec Leaks" + ] + }, + "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb", + "value": "SkidSec" + }, + { + "description": "Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.", + "meta": { + "refs": [ + "https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/", + "https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/" + ], + "synonyms": [ + "Core Werewolf" + ] + }, + "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7", + "value": "Awaken Likho" + }, + { + "description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.", + "meta": { + "country": "CN", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/" + ] + }, + "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb", + "value": "CeranaKeeper" + }, + { + "description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.", + "meta": { + "refs": [ + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", + "http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf" + ] + }, + "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab", + "value": "SongXY" + }, + { + "description": "TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.", + "meta": { + "country": "CN", + "refs": [ + "https://www.group-ib.com/blog/task/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia" + ], + "synonyms": [ + "BlueTraveller" + ] + }, + "uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19", + "value": "TaskMasters" } ], "version": 316