From 6fe19ac915e575e9a93e70d433f100e66737939c Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Tue, 21 May 2024 06:56:41 -0700
Subject: [PATCH] [threat-actors] Add PhantomCore

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d5e637..7785cbd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15945,6 +15945,16 @@
       },
       "uuid": "19ddf2b0-9cfb-430f-8919-49205cbec863",
       "value": "Water Orthrus"
+    },
+    {
+      "description": "PhantomCore is a threat actor group known for using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, different from previous attacks exploiting vulnerabilities. The attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. PhantomCore's use of RAR archives in their attack chain has been previously observed in other threat actor groups like Forest Blizzard.",
+      "meta": {
+        "refs": [
+          "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage"
+        ]
+      },
+      "uuid": "485947c7-edb6-4a07-9276-2114dc767551",
+      "value": "PhantomCore"
     }
   ],
   "version": 308