From 38283f0f869d09b70a1e5d0c89e1612e14f53b2f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 22 Feb 2019 22:41:06 +0100
Subject: [PATCH] chg: [threat-actor] STOLEN PENCIL added
---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7bd1e4f..933a814 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6374,7 +6374,17 @@
 },
 "uuid": "ec3fda76-8c1c-4019-8109-3f92e6b15633",
 "value": "Ratpak Spider"
+ },
+ {
+ "description": "ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018.",
+ "value": "STOLEN PENCIL",
+ "meta": {
+ "refs": [
+ "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
+ ]
+ }
 }
 ],
- "version": 92
+ "version": 93
 }
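Review bot: The new STOLEN PENCIL object has no `"uuid"` key, while the Ratpak Spider entry directly above it in the same hunk carries one. Without a stable identifier, platforms that correlate, tag or relate clusters by UUID presumably cannot reference this actor consistently across feeds and later edits. I would add `"uuid": "<freshly generated UUIDv4>"` to the object. The description is also the vendor's first-person wording ("we are calling"), and it does not say why the second reference, the Unit 42 BabyShark report, belongs to this actor; a neutral sentence attributing the naming to ASERT and stating that link would make the "possibly originating from DPRK" attribution easier for analysts to weigh.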