diff --git a/clusters/tool.json b/clusters/tool.json
index 336953e..006feba 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2614,6 +2614,15 @@
 },
 "description": "HackingTeam Remote Control System (RCS) Galileo hacking platform",
 "value": "RCS Galileo"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/"
+ ]
+ },
+ "description": "Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.",
+ "value": "Cardinal RAT"
 }
 ]
 }
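Review bot: The added `description` for "Cardinal RAT" is the vendor post's opening paragraph pasted verbatim, so it speaks in the first person ("a downloader we are calling Carp") and in relative time ("previously unknown", "active for over two years"). In a shared cluster this reads as the galaxy's own claim and goes stale for analysts who match the entry later. A neutral, dated summary would hold up better, for example `"description": "Cardinal RAT is a low-volume remote access trojan reported by Palo Alto Networks Unit 42 in April 2017; it is delivered by the Carp downloader, which uses malicious macros in Excel documents to compile embedded C# source into an executable that deploys the RAT."`. The single entry in `refs` is a plain `http://` link; an `https://` URL is preferable if the site serves one.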