diff --git a/clusters/rat.json b/clusters/rat.json
index f9c5e10..dd42ee5 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3480,9 +3480,14 @@
       "description": "The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.",
       "meta": {
         "refs": [
-          "https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil"
+          "https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil",
+          "https://www.securityweek.com/extensive-living-land-hides-stealthy-malware-campaign",
+          "https://isc.sans.edu/diary/rss/28962",
+          "https://otx.alienvault.com/pulse/6303804723bccc7e3caad737?utm_userid=alexandre.dulaunoy@circl.lu&utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed"
         ],
-        "synonyms": []
+        "synonyms": [
+          "Astaroth"
+        ]
       },
       "uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
       "value": "Guildma"
@@ -3531,5 +3536,5 @@
       "value": "Ragnatela"
     }
   ],
-  "version": 38
+  "version": 39
 }