From 48077bd08a2861228e3c27d18e476144485342b1 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 20 Dec 2024 02:55:33 -0800
Subject: [PATCH] [threat-actors] Add Storm-2077

---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e831549..2d88401 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17467,6 +17467,21 @@
 },
 "uuid": "192be820-af1a-4967-b38c-73326fa9ca9f",
 "value": "Gorilla"
+ },
+ {
+ "description": "TAG-100 is a cyber-espionage APT that targets government and private sector organizations globally, exploiting vulnerabilities in internet-facing devices such as Citrix NetScaler and F5 BIG-IP for initial access. The group employs open-source tools like Pantegana and SparkRAT for persistence and post-exploitation activities, including credential theft and email data exfiltration. TAG-100 has compromised entities in at least ten countries, including two Asia-Pacific intergovernmental organizations, and focuses on sectors like education, finance, and local government. Their operations highlight the challenges of attribution due to the use of off-the-shelf tools and techniques that overlap with other state-sponsored groups.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/",
+ "https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign"
+ ],
+ "synonyms": [
+ "TAG-100"
+ ]
+ },
+ "uuid": "e6afdfb4-a5ac-4be1-9cd0-c1801a7f7083",
+ "value": "Storm-2077"
 }
 ],
 "version": 321
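Review bot: The description of the new entry never mentions Storm-2077, the name the entry is keyed on in `"value"`; every sentence is written about TAG-100, so a reader landing on the Storm-2077 node gets no statement of how the two names relate or which source uses which. The Microsoft reference (a CYBERWARCON write-up covering Chinese actors) is presumably where the Storm-2077 name comes from, while the Recorded Future reference is the TAG-100 report, but nothing in the entry says so. Consider opening the description with a sentence such as `Storm-2077 is the name under which Microsoft tracks a China-based cyber-espionage actor whose activity overlaps with what Recorded Future reports as TAG-100.` and keeping the existing text as the TAG-100 summary. It is also worth checking whether clusters/threat-actor.json already carries a TAG-100 entry elsewhere in the file; if it does, listing TAG-100 here only as a synonym creates a duplicate node rather than a link between the two.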