From 44617774b60b026238cf8fbb0c6317b5279316a5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH] [threat-actors] Add TwoSail Junk
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f167c72..29a66e0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12766,6 +12766,17 @@
 },
 "uuid": "6616d2ac-2025-47f8-bb1a-1ece2b627c16",
 "value": "DEV-1028"
+ },
+ {
+ "description": "TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
+ "https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/"
+ ]
+ },
+ "uuid": "533af03d-e160-4312-a92f-0500055f2b56",
+ "value": "TwoSail Junk"
 }
 ],
 "version": 293
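Review bot: The second sentence of the added `description` begins "To date, dozens of visits were recorded…", a time-relative claim with no date attached, so a consumer of the cluster cannot tell which observation window it describes. Anchoring it to the cited reporting, for example `As of the 2020 Securelist reporting, dozens of visits were recorded from within Hong Kong, with a couple from Macau.`, keeps the entry accurate as it ages. The new object's `meta` carries only `refs`; if the references support them, fields such as `synonyms` would help analysts correlate this actor across naming schemes. It is also worth confirming the cluster has no existing entry for the same activity under another name before a new `uuid` is minted. The trailing context shows `"version": 293` unchanged, so if the project expects the cluster version to be raised with each content change, that bump is missing from this patch.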