From 3379a0777b8f00494bcc4d4edaa6483e1ce5c9e3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH] [threat-actors] Add Karkadann
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2501bef..16d729c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14789,6 +14789,20 @@
 },
 "uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52",
 "value": "TA2719"
+ },
+ {
+ "description": "Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q2-2022/106995/",
+ "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/"
+ ],
+ "synonyms": [
+ "Piwiks"
+ ]
+ },
+ "uuid": "8146ba06-cef2-4a94-b26e-1a4041e04c7d",
+ "value": "Karkadann"
 }
 ],
 "version": 299
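Review bot: The added `description` makes two statements an analyst cannot resolve: "linked to another commercial spyware company called Candiru" names no first company anywhere in the entry, and the closing sentence reports "similarities in the infrastructure and tactics" without saying what Karkadann is being compared with. Cluster descriptions tend to be copied into attribution notes, so I would name both sides of the comparison from the two `refs`, or, if only the Candiru link is meant, shorten it to `The group has been linked to the commercial spyware vendor Candiru.` and drop the last sentence. The targeting (government bodies and news outlets in the Middle East) is also recorded only in free text, so consumers that filter on structured `meta` fields will not match this actor; if other entries in this file carry sector or victim fields, adding them here would help. `"version": 299` appears only as unchanged context, so it is worth confirming whether the cluster version is meant to be bumped with this addition.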