diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fadfacb..39e2c8d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16056,6 +16056,18 @@
       },
       "uuid": "1dcbad05-c5b7-4ec3-8920-45f396554f7a",
       "value": "FlyingYeti"
+    },
+    {
+      "description": "SEXi is a ransomware group that targets VMware ESXi servers, encrypting data and demanding ransom payments. They have been observed encrypting virtual machines and backups, causing significant disruptions to services. The group's name is a play on the word \"ESXi,\" indicating a deliberate focus on these systems. SEXi has been linked to other ransomware variants based on the Babuk source code.",
+      "meta": {
+        "refs": [
+          "https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/",
+          "https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/",
+          "https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors"
+        ]
+      },
+      "uuid": "1bd2034f-a135-4c71-b08f-867b7f9e7998",
+      "value": "SEXi"
     }
   ],
   "version": 310