From 5931f51d7a1cc99030026ecb8ac9114b5ad61616 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 8 Dec 2022 11:31:02 +0100
Subject: [PATCH 1/2] add TAG-53
---
 clusters/ransomware.json | 5 +++--
 clusters/threat-actor.json | 23 ++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 8331c35..d1f599c 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24381,7 +24381,8 @@
 "https://www.varonis.com/blog/alphv-blackcat-ransomware",
 "https://www.intrinsec.com/alphv-ransomware-gang-analysis",
 "https://unit42.paloaltonetworks.com/blackcat-ransomware/",
- "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat"
+ "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat",
+ "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
 ],
 "synonyms": [
 "ALPHV",
@@ -24724,7 +24725,7 @@
 "ransomnotes": [
 "Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
 ],
- "ransomnotes-files": [
+ "ransomnotes-filenames": [
 "readme.txt"
 ],
 "ransomnotes-refs": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c5d73f0..3aa75c7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9943,7 +9943,28 @@
 },
 "uuid": "171d0590-be92-443f-addb-af5dc2a8034d",
 "value": "Evasive Panda"
+ },
+ {
+ "description": "A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.",
+ "meta": {
+ "refs": [
+ "https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies",
+ "https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "overlaps"
+ }
+ ],
+ "uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747",
+ "value": "TAG-53"
 }
 ],
- "version": 255
+ "version": 256
 }
From 3f4edb480baf9fb54952fe4a61df391ac819e732 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 16 Dec 2022 16:43:50 +0100
Subject: [PATCH 2/2] add Malteiro
---
 clusters/banker.json | 24 +++++++++++++++++++++++-
 clusters/threat-actor.json | 20 ++++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/clusters/banker.json b/clusters/banker.json
index 38a2f19..c099f15 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
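Review bot: The second `refs` URL in the added TAG-53 entry carries Twitter/PostBeyond tracking parameters (`?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=...&utm_term=...`) that are not part of the resource; stored this way the same article will not match an existing or later reference without them, and every consumer of the galaxy re-emits the tracking string. Use the canonical form `"https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations"`. The `related` target `fbd279ab-c095-48dc-ba48-4bece3dd5b0f` is outside this hunk, so it is worth confirming it is the Callisto/COLDRIVER/SEABORGIUM cluster the description refers to, since an `overlaps` relation with a wrong UUID silently links the actor to an unrelated cluster.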
@@ -1195,7 +1195,29 @@
 },
 "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f",
 "value": "Dark Tequila"
+ },
+ {
+ "description": "Distributed by Malteiro",
+ "meta": {
+ "refs": [
+ "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/"
+ ],
+ "synonyms": [
+ "URSA"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "delivered-by"
+ }
+ ],
+ "uuid": "d27eea57-e55f-40b1-9690-55c2c8500876",
+ "value": "Malteiro"
 }
 ],
- "version": 17
+ "version": 18
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3aa75c7..2c01817 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9964,6 +9964,26 @@
 ],
 "uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747",
 "value": "TAG-53"
+ },
+ {
+ "description": "This group of cybercriminals is named Malteiroby SCILabs, they operate and distribute the URSA/Mispadu banking trojan.",
+ "meta": {
+ "refs": [
+ "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/",
+ "https://blog.scilabs.mx/cyber-threat-profile-malteiro/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d27eea57-e55f-40b1-9690-55c2c8500876",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "delivers"
+ }
+ ],
+ "uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
+ "value": "Malteiro"
 }
 ],
 "version": 256
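Review bot: The new banker entry is named after the operator (`"value": "Malteiro"`) while the companion threat-actor hunk in this patch calls the malware the URSA/Mispadu banking trojan, and `"description": "Distributed by Malteiro"` says nothing about the malware itself; the same value in two clusters makes lookups by name ambiguous. Consider naming the malware entry after the family, adding `Mispadu` next to `URSA` in `synonyms`, and a description such as `"URSA/Mispadu banking trojan distributed by the Malteiro group, as profiled by SCILabs."`. The `related` UUID `ba57c28a-47d0-46ba-a933-9aed69f7b84f` does match the threat-actor entry added in the next hunk, so the cross-reference itself is consistent.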
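Review bot: The description of the added Malteiro threat-actor entry has a missing space and a comma splice in `named Malteiroby SCILabs, they operate`. Change it to `"description": "This group of cybercriminals is named Malteiro by SCILabs; they operate and distribute the URSA/Mispadu banking trojan."`. The two `refs` appear to be the English and Spanish versions of the same SCILabs post, so they corroborate as one source rather than two.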