From 732d00998bac604807369d3fd51e519a165c6f0b Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:01:55 -0800
Subject: [PATCH] [threat-actors] Add Denim Tsunami

---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 927b991..fa460f7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14137,6 +14137,23 @@
       },
       "uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566",
       "value": "Blackwood"
+    },
+    {
+      "description": "Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.",
+      "meta": {
+        "country": "AT",
+        "refs": [
+          "https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation",
+          "https://socradar.io/threats-of-commercialized-malware-knotweed/",
+          "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/"
+        ],
+        "synonyms": [
+          "KNOTWEED",
+          "DSIRF"
+        ]
+      },
+      "uuid": "79a347d9-1938-4550-8836-98e4ed95f77c",
+      "value": "Denim Tsunami"
     }
   ],
   "version": 298