[threat-actors] Add Storm-1084

2024-11-22 14:57:18 +00:00 · 2024-02-01 11:02:03 -08:00 · 2024-02-01 11:02:03 -08:00 · 6f61a3fc3e
commit 6f61a3fc3e
parent 73d23f6211
1 changed files with 15 additions and 0 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -14540,6 +14540,21 @@
      },
      "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05",
      "value": "Pink Sandstorm"
+    },
+    {
+      "description": "Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns",
+          "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/"
+        ],
+        "synonyms": [
+          "DEV-1084"
+        ]
+      },
+      "uuid": "2cc32087-f242-4091-8634-4554635b7a58",
+      "value": "Storm-1084"
    }
  ],
  "version": 298