From c5590ff79aec3e5e2514dd17327a3f9b3ea7d4d1 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 13 Apr 2023 14:11:36 +0200
Subject: [PATCH 1/2] add PowerMagic backdoor
---
 clusters/backdoor.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 3564edb..7db5f33 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -205,7 +205,16 @@
 },
 "uuid": "2cef78bd-f097-4477-8888-79359042b515",
 "value": "BOLDMOVE"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securelist.com/bad-magic-apt/109087/"
+ ]
+ },
+ "uuid": "c866b002-1cb6-4c91-8a8b-f0b0c6ac2b1a",
+ "value": "PowerMagic"
 }
 ],
- "version": 14
+ "version": 15
 }
From 8e9880d932da00506b7f72a7e7c00d612859c9a5 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 14 Apr 2023 15:59:42 +0200
Subject: [PATCH 2/2] Add SNOWYAMBER, HALFRIG, QUARTERRIG tools
---
 clusters/tool.json | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 8e8d39e..1bc037b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
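Review bot: The new PowerMagic entry carries only `meta.refs`, `uuid` and `value` and has no `description`, unlike the three entries the second patch adds to clusters/tool.json, so a galaxy consumer sees a bare name with a single link. A one-sentence summary taken from the cited securelist report, placed before `"meta"` as `"description": "<one-line summary of PowerMagic from the cited report>",`, would make the entry self-describing and consistent with the tool.json additions. Whether the surrounding backdoor.json entries carry descriptions is not visible here; the BOLDMOVE context shows only its `uuid` and `value`, so this may simply follow the file's existing convention.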
@@ -8754,7 +8754,43 @@
 },
 "uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
 "value": "AHK Bot"
+ },
+ {
+ "description": "A tool first used in October 2022, abusing the Notion7 service to communicate and download further malicious files. Two versions of this tool have been observed.",
+ "meta": {
+ "refs": [
+ "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
+ "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf",
+ "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
+ ]
+ },
+ "uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+ "value": "SNOWYAMBER"
+ },
+ {
+ "description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.",
+ "meta": {
+ "refs": [
+ "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
+ "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb",
+ "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
+ ]
+ },
+ "uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
+ "value": "HALFRIG"
+ },
+ {
+ "description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.",
+ "meta": {
+ "refs": [
+ "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
+ "https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77",
+ "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
+ ]
+ },
+ "uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
+ "value": "QUARTERRIG"
 }
 ],
- "version": 161
+ "version": 162
 }
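Review bot: The SNOWYAMBER description reads `abusing the Notion7 service`; the trailing `7` looks like a footnote marker carried over from the source PDF rather than part of the service name, so the line should probably be `"description": "A tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.",` — confirm against the cited gov.pl report before changing it. The three descriptions also mix tenses for the same statement (`have been observed` for SNOWYAMBER, `were observed` for QUARTERRIG); picking one form keeps the entries reading as a set. The HALFRIG and QUARTERRIG descriptions reference each other and Cobalt Strike only by name; if the galaxy has entries for those, a cross-reference would let consumers pivot, but whether such entries exist is not visible in this hunk.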