From f5d68aa08d2a5fc631887ccbe8162d8aac2a10a1 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Thu, 23 Mar 2023 08:49:17 +0100
Subject: [PATCH 1/6] Update threat-actor.json

delete ref to APT30 for Naikon
---
 clusters/threat-actor.json | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c929748..0b964cb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -669,7 +669,6 @@
 "refs": [
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
 "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
- "https://www.cfr.org/interactive/cyber-operations/apt-30",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
 "https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
@@ -678,10 +677,7 @@
 "https://www.secureworks.com/research/threat-profiles/bronze-geneva",
 "https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d",
 "https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
 "https://attack.mitre.org/wiki/Group/G0013",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
 "https://www.mandiant.com/resources/insights/apt-groups",
 "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
 ],

From 87136187772189b451158c7aff0d494feb09289b Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Thu, 23 Mar 2023 09:13:23 +0100
Subject: [PATCH 2/6] Update threat-actor.json

add new ref for sidecopy
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0b964cb..034ab59 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8752,7 +8752,8 @@
 "https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/",
 "https://www.telsy.com/sidecopy-apt-from-windows-to-nix/",
 "https://blog.talosintelligence.com/2021/07/sidecopy.html",
- "https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/"
+ "https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/",
+ "https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d"
 ]
 },
 "uuid": "f6d02ac3-3447-4892-b844-1ef31839e04f",

From a77dc82c0a9f0a369f82d713c3f515528d29e1d7 Mon Sep 17 00:00:00 2001
From: Sebastien Larinier
Date: Wed, 19 Apr 2023 15:35:36 +0200
Subject: [PATCH 3/6] Update threat-actor.json

new apt30 group
---
 clusters/threat-actor.json | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ebc0a36..cd9e0c0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -671,13 +671,12 @@
 "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
 "https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
+ "https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
 "https://threatconnect.com/blog/tag/naikon/",
 "https://attack.mitre.org/groups/G0019/",
 "https://www.secureworks.com/research/threat-profiles/bronze-geneva",
 "https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d",
 "https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/",
- "https://attack.mitre.org/wiki/Group/G0013",
 "https://www.mandiant.com/resources/insights/apt-groups",
 "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
 ],
@@ -716,7 +715,40 @@
 }
 ],
 "uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
- "value": "APT30"
+ "value": "Naikon"
+ },
+ {
+ "description": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches",
+ "meta": {
+ "country": "CN",
+ "attribution-confidence": "50",
+ "cfr-suspected-state-sponsor": "China",
+ "refs":[
+ "https://attack.mitre.org/wiki/Group/G0013",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://www.mandiant.com/resources/insights/apt-groups"
+ ],
+
+ "cfr-suspected-victims":[
+ "United States",
+ "South Korea",
+ "Saudi Arabia",
+ "Thailand",
+ "Vietnam",
+ "Malaysia",
+ "India"
+ ],
+ "cfr-target-category":[
+ "Government"
+ ],
+ "synonyms": [
+ "G0013"
+ ]
+
+
+ },
+ "related": [],
+ "value":"APT30"
 },
 {
 "description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",

From 87ef0a400eeef7556547e883e65a92a7d7187a97 Mon Sep 17 00:00:00 2001
From: Sebastien Larinier
Date: Wed, 19 Apr 2023 15:42:14 +0200
Subject: [PATCH 4/6] Update threat-actor.json

---
 clusters/threat-actor.json | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cd9e0c0..5fa711e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
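Review bot: The new APT30 object keeps only three of the APT30 references that patch 1/6 removed from the Naikon entry; the CFR page `https://www.cfr.org/interactive/cyber-operations/apt-30`, the PT Security eagle-eye-is-back-apt30 post and the Mandiant 2021-09 rpt-apt30.pdf disappear from the galaxy altogether, even though the `cfr-suspected-victims`, `cfr-target-category` and `cfr-suspected-state-sponsor` fields added here look to be derived from that CFR page, so at least `"https://www.cfr.org/interactive/cyber-operations/apt-30"` should be added back to this entry's `refs`. Separately, changing `value` on uuid 2f1fd017-9df6-4759-91fb-e7039609b5ff from "APT30" to "Naikon" while a new object takes the name "APT30" means existing tags of the form `misp-galaxy:threat-actor="APT30"` now resolve to a different cluster than before, and anything stored by uuid is silently relabelled as Naikon; that re-attribution deserves a sentence in the commit message or in the entry's description. The object is also added without a `uuid` (the Naikon object directly above has one), which makes it unreferenceable until patch 4/6 supplies it, and the inconsistent spacing (`"refs":[`, `"value":"APT30"`, stray blank lines) does not match the rest of the file.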
@@ -720,16 +720,9 @@
 {
 "description": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches",
 "meta": {
- "country": "CN",
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
- "refs":[
- "https://attack.mitre.org/wiki/Group/G0013",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://www.mandiant.com/resources/insights/apt-groups"
- ],
-
- "cfr-suspected-victims":[
+ "cfr-suspected-victims": [
 "United States",
 "South Korea",
 "Saudi Arabia",
@@ -738,17 +731,22 @@
 "Malaysia",
 "India"
 ],
- "cfr-target-category":[
+ "cfr-target-category": [
 "Government"
 ],
+ "country": "CN",
+ "refs": [
+ "https://attack.mitre.org/wiki/Group/G0013",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://www.mandiant.com/resources/insights/apt-groups"
+ ],
 "synonyms": [
 "G0013"
 ]
-
-
 },
 "related": [],
- "value":"APT30"
+ "uuid": "d3881afe-f781-4c53-9f68-33487a119a59",
+ "value": "APT30"
 },
 {
 "description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",

From 1c751b1ea8157f88390edd1039802c06f62f3d06 Mon Sep 17 00:00:00 2001
From: Sebastien Larinier
Date: Wed, 19 Apr 2023 17:34:50 +0200
Subject: [PATCH 5/6] Update threat-actor.json

---
 clusters/threat-actor.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8d488d3..1e0f406 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -735,6 +735,7 @@
 "Government"
 ],
 "country": "CN",
+ "cfr-type-of-incident": "Espionage",
 "refs": [
 "https://attack.mitre.org/wiki/Group/G0013",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",

From 862badf2c9bdd4856e7139e78ed8a5c2754bb8d2 Mon Sep 17 00:00:00 2001
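Review bot: The `related` array of the new APT30 entry stays empty in the second hunk (`@@ -738,17 +731,22 @@`) even after this patch assigns it uuid d3881afe-f781-4c53-9f68-33487a119a59, although its description asserts an overlap with Naikon and the Naikon object (uuid 2f1fd017-9df6-4759-91fb-e7039609b5ff) appears to close a non-empty `related` list just before its own uuid in patch 3/6. Now that both sides have a uuid, the overlap stated only in prose can be encoded on each side, e.g. `{ "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "type": "similar" }` here and the mirror entry on Naikon, with whatever estimative-language tag the file's other `related` items carry, if that convention is in use. The uuid is presumably freshly generated; it should be confirmed unique within the galaxy before merge, since downstream instances key clusters on it. The key reordering and spacing fixes in this patch bring the entry in line with the file's sorted-key layout.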
From: Sebastien Larinier
Date: Wed, 19 Apr 2023 17:41:44 +0200
Subject: [PATCH 6/6] Update threat-actor.json

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1e0f406..cdbeb69 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -734,8 +734,8 @@
 "cfr-target-category": [
 "Government"
 ],
- "country": "CN",
 "cfr-type-of-incident": "Espionage",
+ "country": "CN",
 "refs": [
 "https://attack.mitre.org/wiki/Group/G0013",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",