From 6c2cb8979fc30cc7e6161d72132801b37af3c5bd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Dec 2023 16:21:53 -0800
Subject: [PATCH] [threat-actors] Add TunnelSnake

---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 49b4085..9b80942 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13602,6 +13602,18 @@
 },
 "uuid": "89f5a5cb-514f-46db-8959-6bb9aa991e9f",
 "value": "WildPressure"
+ },
+ {
+ "description": "The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky's product, giving them visibility into the group’s operation.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.redpacketsecurity.com/operation-tunnelsnake/",
+ "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"
+ ]
+ },
+ "uuid": "f0bb3d3a-c012-4d12-b621-51192977f190",
+ "value": "TunnelSnake"
 }
 ],
 "version": 295
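Review bot: The new entry states `"country": "CN"` as a bare fact, but the cited Securelist report (as far as I recall it) only assesses a Chinese-speaking origin with low-to-medium confidence, so the attribution should carry that uncertainty the way other threat-actor entries in this file do, e.g. `"attribution-confidence": "50",` placed next to `"country"` inside `"meta"`. The hunk also leaves `"version": 295` as an unchanged context line; if this repository expects the cluster version to be incremented whenever an entry is added so that consuming MISP instances detect the update, it needs a bump here unless that is handled by a separate tooling commit. The entry's own description calls TunnelSnake a campaign rather than an actor, so a `"synonyms": ["Operation TunnelSnake"]` field would help analysts match it against the name used in the primary source. Finally, the redpacketsecurity.com link appears to be a mirror of the Securelist post; listing the primary source first, or alone, avoids pointing defenders at a third-party copy.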