From 50624af741e09c5e48340649f773890b9b818358 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Sat, 25 Feb 2023 20:18:09 +0000
Subject: [PATCH] add DEV-0147 https://twitter.com/MsftSecIntel/status/1625181255754039318

---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1df6521..9e230a8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10270,6 +10270,22 @@
 ],
 "uuid": "9687a6a9-0a66-4373-b546-60553857a442",
 "value": "TA2536"
+ },
+ {
+ "description": "DEV-0147 is a China-based cyber espionage actor was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools like ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and QuasarLoader, a webpack loader, to deploy additional malware. DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "South America",
+ "Asia",
+ "European Union"
+ ],
+ "country": "CN",
+ "references": [
+ "https://twitter.com/MsftSecIntel/status/1625181255754039318"
+ ]
+ },
+ "uuid": "85f20141-1c8e-49ac-b963-eaa1fb1f4018",
+ "value": "DEV-0147"
 }
 ],
 "version": 260
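Review bot: The new DEV-0147 entry is added but the cluster's `"version": 260` in the trailing context is left unchanged, so consumers that refresh galaxies by version number would not pick up the new actor; if this file follows the usual MISP galaxy convention of incrementing on every cluster edit, the same commit should change it to `"version": 261`. The `references` key also looks inconsistent with the `refs` key that MISP galaxy meta blocks normally use — verify against neighbouring entries, since a differently named key is silently ignored rather than rejected by the tooling that reads the meta block. Within the entry, the description has a grammar slip (`actor was observed` should read `actor that was observed`), and `cfr-suspected-victims` lists regions (`South America`, `Asia`, `European Union`) while the description says Europe, so the two should agree on what is being asserted about victimology.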