From 2bf2bad2a9338923de0d4a1d5a32890cec2c625d Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Fri, 26 Apr 2024 09:01:34 -0700
Subject: [PATCH] [threat-actors] Add STORM-1849

---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 59c3f2f..8069eb3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15917,6 +15917,19 @@
       },
       "uuid": "97a10d3b-5cb5-4df9-856c-515994f3e953",
       "value": "ArcaneDoor"
+    },
+    {
+      "description": "UAT4356 is a state-sponsored threat actor that targeted government networks globally through a campaign named ArcaneDoor. They exploited two zero-day vulnerabilities in Cisco Adaptive Security Appliances to deploy custom malware implants called \"Line Runner\" and \"Line Dancer.\" The actor demonstrated a deep understanding of Cisco systems, utilized anti-forensic measures, and took deliberate steps to evade detection. UAT4356's sophisticated attack chain allowed them to conduct malicious actions such as configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement on compromised devices.",
+      "meta": {
+        "refs": [
+          "https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/"
+        ],
+        "synonyms": [
+          "UAT4356"
+        ]
+      },
+      "uuid": "3d94ef07-9fd6-4d64-bf1e-f1316f2686a4",
+      "value": "STORM-1849"
     }
   ],
   "version": 308