From 5da0c7bd545ee93cf40786c1c535b9d4897943b1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 7 Jan 2020 10:42:07 +0100
Subject: [PATCH 1/3] chg: [threat-actor] SideWinder APT group added

---
 clusters/threat-actor.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7500353..415303e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7861,7 +7861,18 @@
 },
 "uuid": "f9702059-97f4-4fc0-810b-3041b918f5d7",
 "value": "BRONZE PRESIDENT"
+ },
+ {
+ "description": "An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q1-2018/85280/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/"
+ ]
+ },
+ "uuid": "c4ce1174-9462-47e9-8038-794f40a184b3",
+ "value": "SideWinder"
 }
 ],
- "version": 148
+ "version": 149
 }

From bf4fc92066da32dd174be5be0184249855d80dde Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Tue, 7 Jan 2020 13:14:08 +0100
Subject: [PATCH 2/3] Update tool.json Lampion

---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index c4144c4..85f2a26 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
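Review bot: The added SideWinder `"description"` line copies the source's first-person assessment ("We have low confidence that this malware might be authored by an Indian company"), which in a shared cluster reads as the galaxy maintainers' own attribution rather than Kaspersky's, and it assesses malware authorship inside an entry that describes an actor. Naming the source keeps the confidence level honest for downstream consumers who act on the tag, e.g. `"description": "Actor mainly targeting Pakistani military targets, active since at least 2012. Kaspersky assesses with low confidence that the group's malware may be authored by an Indian company. To spread the malware, the group uses unique implementations to exploit known vulnerabilities (such as CVE-2017-11882) and deploys a PowerShell payload in the final stages."`. If the galaxy already tracks this group under another name, a `synonyms` list under `meta` would avoid a duplicate cluster; the rest of threat-actor.json is not visible in this hunk to check.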
@@ -7915,7 +7915,17 @@
 },
 "uuid": "a0736351-1721-42ed-a057-19b4b93b585e",
 "value": "NBTScan"
+ },
+ {
+ "description": "New trojan called Lampion has spread using template emails from the Portuguese Government Finance & Tax during the last days of 2019.",
+ "meta": {
+ "refs": [
+ "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/"
+ ]
+ },
+ "uuid": "dd299e22-bf82-4317-8c81-c6b1f7514571",
+ "value": "Lampion"
 }
 ],
- "version": 129
+ "version": 130
 }

From 5832893d4f04cbefb50fd186ad30ff6125d76863 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Wed, 8 Jan 2020 16:04:22 +0100
Subject: [PATCH 3/3] Update tool.json LiquorBot

---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 85f2a26..7d3e237 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7925,7 +7925,17 @@
 },
 "uuid": "dd299e22-bf82-4317-8c81-c6b1f7514571",
 "value": "Lampion"
+ },
+ {
+ "description": "Bitdefender researchers tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features.",
+ "meta": {
+ "refs": [
+ "https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/"
+ ]
+ },
+ "uuid": "e537e165-ea8b-4e75-8813-6519632d3f6a",
+ "value": "LiquorBot"
 }
 ],
- "version": 130
+ "version": 131
 }
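Review bot: The Lampion `"description"` line added in the first tool.json hunk is phrased as a dated news headline ("New trojan", "during the last days of 2019"), so it will read as stale in a reference dataset and never states what the entry is. An absolute phrasing keeps the same facts, e.g. `"description": "Lampion is a trojan first observed in late December 2019, spread through emails built on Portuguese Government Finance & Tax templates."`. The single vendor reference is consistent with the other entries added in this series.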
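Review bot: The LiquorBot `"description"` line added in the second tool.json hunk records the Mirai lineage only in prose, so a consumer cannot follow it to the Mirai cluster. If tool.json already carries a Mirai entry (not visible in this hunk), a `related` entry pointing at its uuid would make that link machine-readable. The wording "seems to be actively in development and has recently incorporated" is relative to the report date; anchoring it avoids drift, e.g. `"... which Bitdefender reported in January 2020 as under active development and newly incorporating Monero cryptocurrency mining features."`.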