From 710bcf6bd96e5bc3f7830ae3c894ff142bf220d1 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Wed, 2 Oct 2024 02:04:55 -0700
Subject: [PATCH] [threat-actors] Add Storm-0494

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ff18ffb..1105c38 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16828,6 +16828,17 @@
       ],
       "uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
       "value": "SloppyLemming"
+    },
+    {
+      "description": "Storm-0494 is a threat actor that facilitates Gootloader infections, which are then exploited by groups like Vice Society to deploy tools such as the Supper backdoor, AnyDesk, and MEGA. They utilize RDP for lateral movement and employ the WMI Provider Host to deploy the INC ransomware payload. Microsoft has identified their activities as part of a campaign targeting the U.S. health sector. Their operations are characterized by financially motivated tactics.",
+      "meta": {
+        "refs": [
+          "https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/",
+          "https://x.com/MsftSecIntel/status/1836456406276342215"
+        ]
+      },
+      "uuid": "bed7279c-4ae4-459a-a862-8c69e0cfdb93",
+      "value": "Storm-0494"
     }
   ],
   "version": 315