From 879ae26c552783412a2b66a89a7a58b96c6eddb2 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:57 -0700
Subject: [PATCH 1/9] [threat-actors] Add Void Arachne
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 170a587..f788692 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16175,6 +16175,16 @@
 },
 "uuid": "318be739-26fd-4f4d-bac8-aa20ec8273b7",
 "value": "UAC-0020"
+ },
+ {
+ "description": "Void Arachne is a threat actor group targeting Chinese-speaking users with malicious MSI files containing legitimate software installers for AI software. They exploit public interest in VPN technology and AI software to distribute malware through SEO poisoning and Chinese-language-themed Telegram channels. The group's campaign includes bundling malicious Winos payloads with deepfake pornography-generating AI software and voice-and-face-swapping AI software. Void Arachne also promotes AI technologies for virtual kidnapping and uses AI voice-alternating technology to pressure victims into paying ransom.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html"
+ ]
+ },
+ "uuid": "2ac0db88-8e88-447b-ad44-f781326f5884",
+ "value": "Void Arachne"
 }
 ],
 "version": 312
From 965f1f5be4b706db8789453438eba5aeddc618f9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:57 -0700
Subject: [PATCH 2/9] [threat-actors] Add Markopolo
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f788692..de92977 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
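Review bot: The cluster-level `"version": 312` context line at the end of this hunk is left untouched even though a new actor is appended, and the same holds for the seven following threat-actor hunks (patches 2/9 through 8/9). As far as I know the misp-galaxy convention is to increment the top-level `version` whenever a cluster file's content changes, because MISP instances compare that number to decide whether to re-import the galaxy; without a bump, the eight new entries may not propagate to instances that already hold version 312. One bump in the last JSON patch of the series, e.g. `"version": 313`, would cover all eight additions. The enclosing `values` array and the top-level object begin well outside the hunk.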
@@ -16185,6 +16185,17 @@
 },
 "uuid": "2ac0db88-8e88-447b-ad44-f781326f5884",
 "value": "Void Arachne"
+ },
+ {
+ "description": "Markopolo is a threat actor known for running scams targeting cryptocurrency users through a fake app called Vortax. They use social media and a dedicated blog to legitimize their malicious activities. Markopolo has been linked to a credential-harvesting operation and is agile in pivoting to new scams when detected. The actor leverages shared hosting and C2 infrastructure for their malicious builds.",
+ "meta": {
+ "refs": [
+ "https://www.darkreading.com/remote-workforce/vortax-meeting-software-branding-spreads-infostealers",
+ "https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers"
+ ]
+ },
+ "uuid": "c1e2121a-84c9-4fd0-99ef-917ded9cb3e1",
+ "value": "Markopolo"
 }
 ],
 "version": 312
From 09bd93f4889b78dfcc5f3a7d3e55943400804753 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:57 -0700
Subject: [PATCH 3/9] [threat-actors] Add Adrastea
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index de92977..b05c927 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16196,6 +16196,19 @@
 },
 "uuid": "c1e2121a-84c9-4fd0-99ef-917ded9cb3e1",
 "value": "Markopolo"
+ },
+ {
+ "description": "Adrastea is a threat actor who has been active on cybercrime forums, claiming to have breached organizations like MBDA and offering stolen data for sale. They describe themselves as a group of independent cybersecurity experts and researchers. Adrastea has been linked to ransomware operations, data leak platforms, and network access groups. The actor has been known to exploit critical vulnerabilities in target organizations' infrastructure to gain access to sensitive data.",
+ "meta": {
+ "refs": [
+ "https://www.cysecurity.news/2022/11/missile-supplier-mbda-breach-disclosed.html",
+ "https://www.itsecurityguru.org/2022/09/14/documents-for-sale-on-the-dark-web/",
+ "https://cybershafarat.com/2022/07/31/adrastea-hackers-claim-leading-european-designer-and-manufacturer-of-missile-systems-mbda-hacked/",
+ "https://securityaffairs.co/wordpress/133881/data-breach/mbda-alleged-data-breach.html"
+ ]
+ },
+ "uuid": "b7f37e61-0e1c-4818-9a04-8f83afdd337c",
+ "value": "Adrastea"
 }
 ],
 "version": 312
From 4d94ff0c129a18f8fe5a7207433148dc17150cbd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:57 -0700
Subject: [PATCH 4/9] [threat-actors] Add JuiceLedger
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b05c927..44894ee 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16209,6 +16209,16 @@
 },
 "uuid": "b7f37e61-0e1c-4818-9a04-8f83afdd337c",
 "value": "Adrastea"
+ },
+ {
+ "description": "JuiceLedger is a threat actor known for infostealing through their JuiceStealer .NET assembly. They have evolved from spreading fraudulent applications to conducting supply chain attacks, targeting PyPI contributors with phishing campaigns and typosquatting. Their malicious packages contain a code snippet that downloads and executes JuiceStealer, which has evolved to support additional browsers and Discord. Victims of JuiceLedger attacks are advised to reset passwords and report any suspicious activity to security@pypi.org.",
+ "meta": {
+ "refs": [
+ "https://www.sentinelone.com/labs/pypi-phishing-campaign-juiceledger-threat-actor-pivots-from-fake-apps-to-supply-chain-attacks/"
+ ]
+ },
+ "uuid": "8f4eb6bc-3d3d-49e4-82d8-500c7bb0a2ec",
+ "value": "JuiceLedger"
 }
 ],
 "version": 312
From 13fc125694048dd0882fda11b5d17aa08df288be Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:57 -0700
Subject: [PATCH 5/9] [threat-actors] Add RedJuliett
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 44894ee..02b7808 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
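Review bot: The last sentence of the new `description` (`Victims of JuiceLedger attacks are advised to reset passwords and report any suspicious activity to security@pypi.org.`) is incident guidance lifted from the SentinelOne write-up rather than a property of the actor, and it bakes a third-party contact address into a data field that every galaxy consumer redistributes and renders. I would drop that sentence and keep the description to the actor's tooling and TTPs (JuiceStealer, PyPI phishing, typosquatting), leaving remediation advice to the linked reference. The enclosing `values` array continues outside the hunk.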
@@ -16219,6 +16219,17 @@
 },
 "uuid": "8f4eb6bc-3d3d-49e4-82d8-500c7bb0a2ec",
 "value": "JuiceLedger"
+ },
+ {
+ "description": "RedJuliett is a likely Chinese state-sponsored threat actor targeting government, academic, technology, and diplomatic organizations in Taiwan. They exploit vulnerabilities in network edge devices for initial access and use SQL injection and directory traversal exploits against web and SQL applications. The group operates from Fuzhou, China, and aims to support Beijing's intelligence collection on Taiwan's economic and diplomatic relations. RedJuliett has also expanded its operations to compromise organizations in other countries such as Hong Kong, Malaysia, and the United States.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.recordedfuture.com/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter"
+ ]
+ },
+ "uuid": "d20f5398-a362-4c88-b3fb-7e952dcf3948",
+ "value": "RedJuliett"
 }
 ],
 "version": 312
From a16cff8e4400f72539baf1039835b25ba3e4b437 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:58 -0700
Subject: [PATCH 6/9] [threat-actors] Add SneakyChef
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 02b7808..f47c372 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
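Review bot: The new RedJuliett entry carries no `synonyms`, yet the Recorded Future report cited in `refs` (from memory of that report; worth confirming) describes RedJuliett as overlapping with activity that other vendors track as Flax Typhoon and Ethereal Panda. If the galaxy already holds an entry under one of those names, this should be a `synonyms` addition to it rather than a new UUID, otherwise analysts end up with two clusters for one actor; if it does not, the overlap still belongs in `synonyms` so cross-vendor pivots resolve. Separately, the description opens with a hedged `likely Chinese state-sponsored` but then states `The group operates from Fuzhou, China` as fact, so the location claim should carry the same confidence language as the source. The enclosing `values` array continues outside the hunk.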
@@ -16230,6 +16230,17 @@
 },
 "uuid": "d20f5398-a362-4c88-b3fb-7e952dcf3948",
 "value": "RedJuliett"
+ },
+ {
+ "description": "SneakyChef is a threat actor known for using the SugarGh0st RAT to target government agencies, research institutions, and organizations worldwide. They have been active since at least August 2023, with a focus on leveraging old and new command and control domains. The group has been observed using lures in the form of scanned documents related to Ministries of Foreign Affairs and embassies. Talos Intelligence assesses with medium confidence that the operators are likely Chinese-speaking based on language preferences and specific targets.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://blog.talosintelligence.com/sneakychef-sugarghost-rat/"
+ ]
+ },
+ "uuid": "cdf4506e-09ea-4eb8-b898-b1b5381aa343",
+ "value": "SneakyChef"
 }
 ],
 "version": 312
From 5347bcb95cb90b2f4f2f386f39dbabf183af44cd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:58 -0700
Subject: [PATCH 7/9] [threat-actors] Add ALTDOS
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f47c372..8060241 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
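Review bot: `"country": "CN"` in `meta` asserts a national attribution that the entry's own description does not support: the text says Talos assesses only with medium confidence that the operators are likely Chinese-speaking, which is a language indicator, not a location or state attribution. Galaxy consumers filter and pivot on `country`, so an unsupported value propagates downstream as fact and can skew attribution in reports built on it. I would remove the `"country": "CN",` line unless the cited Talos post states the attribution explicitly, and let the description's confidence wording stand on its own. The enclosing `values` array continues outside the hunk.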
@@ -16241,6 +16241,21 @@
 },
 "uuid": "cdf4506e-09ea-4eb8-b898-b1b5381aa343",
 "value": "SneakyChef"
+ },
+ {
+ "description": "ALTDOS is a threat actor group that has targeted entities in Southeast Asia, including Singapore, Thailand, and Malaysia. They have been involved in data breaches of companies in various sectors, such as real estate and retail, compromising sensitive information like customer names, bank account numbers, and transaction details. ALTDOS uses tactics like ransomware attacks, data exfiltration, and dumping data publicly or for sale on underground forums. The group has been known to demand ransom payments from victims, but also leaks data if demands are not met.",
+ "meta": {
+ "refs": [
+ "https://www.databreaches.net/singapore-corporations-making-progress-in-preventing-cyberattacks/",
+ "https://www.databreaches.net/altdos-claims-to-have-hacked-one-of-malaysias-biggest-conglomerates/",
+ "https://www.databreaches.net/advisories-are-published-but-are-enough-entities-reading-them-and-taking-precautions/",
+ "https://www.databreaches.net/singapore-real-estate-firm-breached-by-altdos/",
+ "https://www.databreaches.net/sg-vhive-alerts-consumers-to-cyberattack/",
+ "https://www.databreaches.net/sg-vhive-attackers-escalate-take-control-of-furniture-retailers-email-server/"
+ ]
+ },
+ "uuid": "2bd6c045-2ec2-438e-af66-0d97a0163290",
+ "value": "ALTDOS"
 }
 ],
 "version": 312
From 0ad87ccef4baedadb69d4d482d304fde93727c98 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:58 -0700
Subject: [PATCH 8/9] [threat-actors] Add BlueHornet
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8060241..32c1f57 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16256,6 +16256,22 @@
 },
 "uuid": "2bd6c045-2ec2-438e-af66-0d97a0163290",
 "value": "ALTDOS"
+ },
+ {
+ "description": "BlueHornet is an advanced persistent threat group targeting government organizations in China, North Korea, Iran, and Russia. They have compromised and leaked data from other APT groups like Kryptonite Panda and Lazarus Group. BlueHornet has been involved in campaigns such as Operation Renminbi, Operation Ruble, and Operation EUSec, focusing on exfiltrating region-specific data and selling it on the dark web. They have also been known to collaborate with different threat actors and have recently disclosed a zero-day exploit in NGINX 1.18.",
+ "meta": {
+ "refs": [
+ "https://cyberint.com/blog/research/bluehornet-one-apt-to-terrorize-them-all/",
+ "https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics",
+ "https://www.csoonline.com/article/3684668/cyberattacks-against-governments-jumped-95-in-last-half-of-2022-cloudsek-says.html"
+ ],
+ "synonyms": [
+ "APT49",
+ "AgainstTheWest"
+ ]
+ },
+ "uuid": "06a615dc-fa13-4d6a-ac8b-3d2a8c9501c4",
+ "value": "BlueHornet"
 }
 ],
 "version": 312
From 74476a7ef7edec36566abf9cc7401c1e560d3ec3 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 24 Jun 2024 12:51:15 +0300
Subject: [PATCH 9/9] [threat actors] update readme
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6dfc485..28ef9c3 100644
--- a/README.md
+++ b/README.md
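Review bot: The description states as fact that the group `have recently disclosed a zero-day exploit in NGINX 1.18`; that 2022 claim was made by the group itself and was, as far as I recall, publicly disputed by the NGINX maintainers after investigation, so the entry should say the group claimed such an exploit rather than that one was disclosed. `recently` is also relative to the 2022 sources, not to this 2024 commit, and will read as current indefinitely; `claimed in 2022 to hold a zero-day exploit for NGINX 1.18` would age correctly. Because `synonyms` lists `AgainstTheWest` and `APT49`, both names already in wide use, it is worth searching the cluster for an existing entry under either name before minting a new UUID, to avoid a duplicate actor. The enclosing `values` array continues outside the hunk.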
@@ -535,7 +535,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor)
 - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *693* elements
+Category: *actor* - source: *MISP Project* - total: *701* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]