From f1bbd96d848945e0460159a60f85175a95f893e3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:06 -0700
Subject: [PATCH 1/8] [threat-actors] Add RansomHub
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ac66f12..7a35c7f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16007,6 +16007,18 @@
 },
 "uuid": "6149f3b6-510d-4e45-bf88-cd25c7193702",
 "value": "Alpha Spider"
+ },
+ {
+ "description": "RansomHub is a rapidly growing ransomware group believed to be an updated version of the older Knight ransomware. They have been linked to attacks exploiting the Zerologon vulnerability to gain initial access. RansomHub has attracted former affiliates of the ALPHV ransomware group and operates as a Ransomware-as-a-Service with a unique affiliate prepayment model. The group has been active in extorting victims and leaking sensitive data to pressure for ransom payments.",
+ "meta": {
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware",
+ "https://forescoutstage.wpengine.com/blog/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack/",
+ "https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/"
+ ]
+ },
+ "uuid": "9d218bb3-fc59-43e0-a273-a0a0fb5c463e",
+ "value": "RansomHub"
 }
 ],
 "version": 310
From 4e6fa2191a374b21a320b78052e7756f4fd3044e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:06 -0700
Subject: [PATCH 2/8] [threat-actors] Add Unfading Sea Haze
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7a35c7f..e76a6a6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
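Review bot: The cluster's `"version": 310` appears unchanged as trailing context in this hunk, and likewise in the hunks of patches 2 through 8, although every patch adds or alters an entry; if the repository's convention is that a cluster's `version` is incremented whenever its content changes, one bump (e.g. `"version": 311` in the final patch) is needed or consumers that compare versions will not pick up the new entries. Separately, the second ref `https://forescoutstage.wpengine.com/...` points at a staging hostname rather than the vendor's published site; staging URLs tend to be removed or changed, so the canonical published URL should be cited instead. The description also ties RansomHub to Knight ransomware and to former ALPHV affiliates in prose only; if the cluster already holds entries for those and supports `related` links, expressing the connection there would make it machine-readable.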
@@ -16019,6 +16019,18 @@
 },
 "uuid": "9d218bb3-fc59-43e0-a273-a0a0fb5c463e",
 "value": "RansomHub"
+ },
+ {
+ "description": "Unfading Sea Haze is a threat actor focused on espionage, targeting government and military organizations in the South China Sea region since 2018. They employ spear-phishing emails with malicious attachments to gain initial access, followed by the deployment of custom malware such as Gh0st RAT variants and SharpJSHandler. The group utilizes scheduled tasks and manipulates local administrator accounts for persistence, while also incorporating Remote Monitoring and Management tools into their attacks. Unfading Sea Haze demonstrates a sophisticated and patient approach, remaining undetected for years and showing adaptability through evolving exfiltration tactics and malware arsenal.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.securityweek.com/newly-detected-chinese-group-targeting-military-government-entities/",
+ "https://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/"
+ ]
+ },
+ "uuid": "58e75098-8edc-48ce-b1de-c1a8647e33d3",
+ "value": "Unfading Sea Haze"
 }
 ],
 "version": 310
From d0162e654eff42ed733f64bbed0b3e5151d1b43c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:06 -0700
Subject: [PATCH 3/8] [threat-actors] Add APT28 aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e76a6a6..4263776 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
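Review bot: `"country": "CN"` records the origin as an established fact, while the only basis visible here is secondary news coverage (the first ref's slug calls it a "chinese group"), which is itself a vendor assessment; if the cluster carries an `attribution-confidence` value alongside `country`, it should be set on this entry so downstream users can tell an assessed origin from a confirmed one. The description names the group's tooling (Gh0st RAT variants, SharpJSHandler, RMM tools) in prose only; if those have entries in the tool or malware galaxies and the cluster supports `related` links, adding them would make the relationship queryable rather than free text.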
@@ -2397,7 +2397,8 @@
 "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
 "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
- "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
+ "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
+ "https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e"
 ],
 "synonyms": [
 "Pawn Storm",
@@ -2423,7 +2424,9 @@
 "UAC-0028",
 "FROZENLAKE",
 "Sofacy",
- "Forest Blizzard"
+ "Forest Blizzard",
+ "BlueDelta",
+ "Fancy Bear"
 ],
 "targeted-sector": [
 "Military",
From eec91d14653a9a903a53164009359c948e119574 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:06 -0700
Subject: [PATCH 4/8] [threat-actors] Add StucxTeam
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4263776..1849d48 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
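Review bot: `"Fancy Bear"` is appended to the `synonyms` list in the second hunk, but most of that list lies outside the hunk (only `"Pawn Storm"` at its head and the tail from `"UAC-0028"` are visible), so it should be confirmed that the name is not already present earlier in the list; a duplicate synonym is a data defect and may be rejected by the repository's validation. The ref added in the first hunk, `https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e`, is a weekly newsletter; citing the primary report it summarises for the `BlueDelta` and `Fancy Bear` aliases would be more durable than a digest link. The enclosing APT28 entry begins and ends outside both hunks.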
@@ -16034,6 +16034,17 @@
 },
 "uuid": "58e75098-8edc-48ce-b1de-c1a8647e33d3",
 "value": "Unfading Sea Haze"
+ },
+ {
+ "description": "Stucx is a threat actor known for targeting Israeli systems, including SCADA systems and the Red Alert missile protection system. Stucx Team has also developed a mobile application called MyOPECS for coordinating attacks, which includes features like DDoS attacks and is expected to add more capabilities in the future. Additionally, they have been observed using VPNs and proxy software to conceal their activities and have a history of making threats against those who cooperate with Israel.",
+ "meta": {
+ "refs": [
+ "https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/",
+ "https://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/"
+ ]
+ },
+ "uuid": "ee13ddb3-e8c0-4568-b56c-82d82c30f48b",
+ "value": "StucxTeam"
 }
 ],
 "version": 310
From b5f257c4e1474c31142ce0c05fbf5ba32473102a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:06 -0700
Subject: [PATCH 5/8] [threat-actors] Add FlyingYeti
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1849d48..fadfacb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
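Review bot: The entry's `value` is `"StucxTeam"`, but the description refers to the same actor as "Stucx" and as "Stucx Team", so a lookup or tag match on either of the forms the description itself uses will miss this entry; adding `"synonyms": ["Stucx", "Stucx Team"]` to `meta` fixes that and keeps the naming consistent with how the APT28 entry elsewhere in this series handles aliases. The clause "is expected to add more capabilities in the future" is a forecast rather than an observation and will age badly in a reference dataset; dropping it, or rephrasing as `"...for coordinating attacks, including DDoS."`, keeps the description to what was reported.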
@@ -16045,6 +16045,17 @@
 },
 "uuid": "ee13ddb3-e8c0-4568-b56c-82d82c30f48b",
 "value": "StucxTeam"
+ },
+ {
+ "description": "FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities. They conduct reconnaissance activities and launch phishing campaigns using malware like COOKBOX. FlyingYeti exploits the WinRAR vulnerability CVE-2023-38831 to infect targets with malicious payloads. Cloudforce One has successfully disrupted their operations and provided recommendations for defense against their phishing campaigns.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine"
+ ]
+ },
+ "uuid": "1dcbad05-c5b7-4ec3-8920-45f396554f7a",
+ "value": "FlyingYeti"
 }
 ],
 "version": 310
From 7ade514644708d4f0e185dc7613cba8bf071c4b6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:07 -0700
Subject: [PATCH 6/8] [threat-actors] Add SEXi
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fadfacb..39e2c8d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
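Review bot: `"country": "RU"` asserts a Russian origin while the description only calls the actor "Russia-aligned", which is a weaker claim than the metadata makes; either the prose should carry the attribution the `country` field states, or `country` should be accompanied by an `attribution-confidence` value (if the cluster uses that field) or omitted in favour of the prose. The final sentence, "Cloudforce One has successfully disrupted their operations and provided recommendations for defense against their phishing campaigns.", describes the reporting vendor rather than the actor and belongs with the ref, not in the entry; ending the description at `"...to infect targets with malicious payloads."` keeps it to observed tradecraft. The exploited WinRAR issue is already cited by its CVE id in the prose, which is good practice and worth keeping.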
@@ -16056,6 +16056,18 @@
 },
 "uuid": "1dcbad05-c5b7-4ec3-8920-45f396554f7a",
 "value": "FlyingYeti"
+ },
+ {
+ "description": "SEXi is a ransomware group that targets VMware ESXi servers, encrypting data and demanding ransom payments. They have been observed encrypting virtual machines and backups, causing significant disruptions to services. The group's name is a play on the word \"ESXi,\" indicating a deliberate focus on these systems. SEXi has been linked to other ransomware variants based on the Babuk source code.",
+ "meta": {
+ "refs": [
+ "https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/",
+ "https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/",
+ "https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors"
+ ]
+ },
+ "uuid": "1bd2034f-a135-4c71-b08f-867b7f9e7998",
+ "value": "SEXi"
 }
 ],
 "version": 310
From 3c7f74913fff75918e6060fb92773be4a5e154fd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:07 -0700
Subject: [PATCH 7/8] [threat-actors] Add LilacSquid
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 39e2c8d..87259aa 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16068,6 +16068,16 @@
 },
 "uuid": "1bd2034f-a135-4c71-b08f-867b7f9e7998",
 "value": "SEXi"
+ },
+ {
+ "description": "LilacSquid is an APT actor targeting a variety of industries worldwide since at least 2021. They use tactics such as exploiting vulnerabilities and compromised RDP credentials to gain access to victim organizations. Their post-compromise activities involve deploying MeshAgent and a customized version of QuasarRAT known as PurpleInk to maintain control over infected systems. LilacSquid has been observed using tools like Secure Socket Funneling for data exfiltration.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/lilacsquid/"
+ ]
+ },
+ "uuid": "efacc258-fa0e-4686-99d2-03bab14a640e",
+ "value": "LilacSquid"
 }
 ],
 "version": 310
From 7c21eb7aa5f94b3699fb5a6e01b82b5a90484c51 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:07 -0700
Subject: [PATCH 8/8] [threat-actors] Add Hunt3r Kill3rs
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 87259aa..418b273 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16078,6 +16078,17 @@
 },
 "uuid": "efacc258-fa0e-4686-99d2-03bab14a640e",
 "value": "LilacSquid"
+ },
+ {
+ "description": "Hunt3r Kill3rs is a newly emerged threat group claiming expertise in cyber operations, including ICS breaches and web application vulnerabilities exploitation. They have discussed using Java fuzzing in their exploits and have made unverified claims of joint attacks with other threat actors.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://socradar.io/dark-web-profile-hunt3r-kill3rs/"
+ ]
+ },
+ "uuid": "4b32ad58-972e-4aa2-be3d-ff875ed06eba",
+ "value": "Hunt3r Kill3rs"
 }
 ],
 "version": 310
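Review bot: In the Hunt3r Kill3rs hunk, `"country": "RU"` is set on an entry whose own description calls the group "newly emerged", says it is "claiming expertise", and labels its joint-attack claims "unverified", and whose single ref is a dark-web profile; an origin asserted at that evidence level should either carry a low `attribution-confidence` (if the cluster uses that field) or be left out until corroborated by a second source. The description also reports only self-declared capabilities ("claiming", "have discussed") rather than observed activity, so a closing clause such as `"These capabilities are self-reported and have not been independently confirmed."` would make the evidentiary basis explicit to anyone consuming the entry. The LilacSquid hunk on the same line looks consistent with the series and raises no separate point.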