MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-22 14:57:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #993 from Mathieu4141/threat-actors/15075ff2-4013-43ac-ac8a-0bf6442d13b1
Some checks are pending
Python application / build (3.10) (push) Waiting to run
Details
Python application / build (3.8) (push) Waiting to run
Details
Python application / build (3.9) (push) Waiting to run
Details

Browse source 
[threat actors] Adding 8 actors
This commit is contained in:
Alexandre Dulaunoy 2024-06-24 14:15:28 +02:00 committed by GitHub
commit 41cf08a038
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 98 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -535,7 +535,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *693* elements
Category: *actor* - source: *MISP Project* - total: *701* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]

97
clusters/threat-actor.json
View file

@ -16175,6 +16175,103 @@
},
"uuid": "318be739-26fd-4f4d-bac8-aa20ec8273b7",
"value": "UAC-0020"
},
{
"description": "Void Arachne is a threat actor group targeting Chinese-speaking users with malicious MSI files containing legitimate software installers for AI software. They exploit public interest in VPN technology and AI software to distribute malware through SEO poisoning and Chinese-language-themed Telegram channels. The group's campaign includes bundling malicious Winos payloads with deepfake pornography-generating AI software and voice-and-face-swapping AI software. Void Arachne also promotes AI technologies for virtual kidnapping and uses AI voice-alternating technology to pressure victims into paying ransom.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html"
]
},
"uuid": "2ac0db88-8e88-447b-ad44-f781326f5884",
"value": "Void Arachne"
},
{
"description": "Markopolo is a threat actor known for running scams targeting cryptocurrency users through a fake app called Vortax. They use social media and a dedicated blog to legitimize their malicious activities. Markopolo has been linked to a credential-harvesting operation and is agile in pivoting to new scams when detected. The actor leverages shared hosting and C2 infrastructure for their malicious builds.",
"meta": {
"refs": [
"https://www.darkreading.com/remote-workforce/vortax-meeting-software-branding-spreads-infostealers",
"https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers"
]
},
"uuid": "c1e2121a-84c9-4fd0-99ef-917ded9cb3e1",
"value": "Markopolo"
},
{
"description": "Adrastea is a threat actor who has been active on cybercrime forums, claiming to have breached organizations like MBDA and offering stolen data for sale. They describe themselves as a group of independent cybersecurity experts and researchers. Adrastea has been linked to ransomware operations, data leak platforms, and network access groups. The actor has been known to exploit critical vulnerabilities in target organizations' infrastructure to gain access to sensitive data.",
"meta": {
"refs": [
"https://www.cysecurity.news/2022/11/missile-supplier-mbda-breach-disclosed.html",
"https://www.itsecurityguru.org/2022/09/14/documents-for-sale-on-the-dark-web/",
"https://cybershafarat.com/2022/07/31/adrastea-hackers-claim-leading-european-designer-and-manufacturer-of-missile-systems-mbda-hacked/",
"https://securityaffairs.co/wordpress/133881/data-breach/mbda-alleged-data-breach.html"
]
},
"uuid": "b7f37e61-0e1c-4818-9a04-8f83afdd337c",
"value": "Adrastea"
},
{
"description": "JuiceLedger is a threat actor known for infostealing through their JuiceStealer .NET assembly. They have evolved from spreading fraudulent applications to conducting supply chain attacks, targeting PyPI contributors with phishing campaigns and typosquatting. Their malicious packages contain a code snippet that downloads and executes JuiceStealer, which has evolved to support additional browsers and Discord. Victims of JuiceLedger attacks are advised to reset passwords and report any suspicious activity to security@pypi.org.",
"meta": {
"refs": [
"https://www.sentinelone.com/labs/pypi-phishing-campaign-juiceledger-threat-actor-pivots-from-fake-apps-to-supply-chain-attacks/"
]
},
"uuid": "8f4eb6bc-3d3d-49e4-82d8-500c7bb0a2ec",
"value": "JuiceLedger"
},
{
"description": "RedJuliett is a likely Chinese state-sponsored threat actor targeting government, academic, technology, and diplomatic organizations in Taiwan. They exploit vulnerabilities in network edge devices for initial access and use SQL injection and directory traversal exploits against web and SQL applications. The group operates from Fuzhou, China, and aims to support Beijing's intelligence collection on Taiwan's economic and diplomatic relations. RedJuliett has also expanded its operations to compromise organizations in other countries such as Hong Kong, Malaysia, and the United States.",
"meta": {
"country": "CN",
"refs": [
"https://www.recordedfuture.com/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter"
]
},
"uuid": "d20f5398-a362-4c88-b3fb-7e952dcf3948",
"value": "RedJuliett"
},
{
"description": "SneakyChef is a threat actor known for using the SugarGh0st RAT to target government agencies, research institutions, and organizations worldwide. They have been active since at least August 2023, with a focus on leveraging old and new command and control domains. The group has been observed using lures in the form of scanned documents related to Ministries of Foreign Affairs and embassies. Talos Intelligence assesses with medium confidence that the operators are likely Chinese-speaking based on language preferences and specific targets.",
"meta": {
"country": "CN",
"refs": [
"https://blog.talosintelligence.com/sneakychef-sugarghost-rat/"
]
},
"uuid": "cdf4506e-09ea-4eb8-b898-b1b5381aa343",
"value": "SneakyChef"
},
{
"description": "ALTDOS is a threat actor group that has targeted entities in Southeast Asia, including Singapore, Thailand, and Malaysia. They have been involved in data breaches of companies in various sectors, such as real estate and retail, compromising sensitive information like customer names, bank account numbers, and transaction details. ALTDOS uses tactics like ransomware attacks, data exfiltration, and dumping data publicly or for sale on underground forums. The group has been known to demand ransom payments from victims, but also leaks data if demands are not met.",
"meta": {
"refs": [
"https://www.databreaches.net/singapore-corporations-making-progress-in-preventing-cyberattacks/",
"https://www.databreaches.net/altdos-claims-to-have-hacked-one-of-malaysias-biggest-conglomerates/",
"https://www.databreaches.net/advisories-are-published-but-are-enough-entities-reading-them-and-taking-precautions/",
"https://www.databreaches.net/singapore-real-estate-firm-breached-by-altdos/",
"https://www.databreaches.net/sg-vhive-alerts-consumers-to-cyberattack/",
"https://www.databreaches.net/sg-vhive-attackers-escalate-take-control-of-furniture-retailers-email-server/"
]
},
"uuid": "2bd6c045-2ec2-438e-af66-0d97a0163290",
"value": "ALTDOS"
},
{
"description": "BlueHornet is an advanced persistent threat group targeting government organizations in China, North Korea, Iran, and Russia. They have compromised and leaked data from other APT groups like Kryptonite Panda and Lazarus Group. BlueHornet has been involved in campaigns such as Operation Renminbi, Operation Ruble, and Operation EUSec, focusing on exfiltrating region-specific data and selling it on the dark web. They have also been known to collaborate with different threat actors and have recently disclosed a zero-day exploit in NGINX 1.18.",
"meta": {
"refs": [
"https://cyberint.com/blog/research/bluehornet-one-apt-to-terrorize-them-all/",
"https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics",
"https://www.csoonline.com/article/3684668/cyberattacks-against-governments-jumped-95-in-last-half-of-2022-cloudsek-says.html"
],
"synonyms": [
"APT49",
"AgainstTheWest"
]
},
"uuid": "06a615dc-fa13-4d6a-ac8b-3d2a8c9501c4",
"value": "BlueHornet"
}
],
"version": 312