From 84fec96df9613a3c684b9b50655054605239c51c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:25 -0800
Subject: [PATCH] [threat-actors] Add Witchetty
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2ef6b65..00bd751 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12370,6 +12370,22 @@
 },
 "uuid": "b813c6a2-f8c7-4071-83bd-24c181ff2bd4",
 "value": "RedStinger"
+ },
+ {
+ "description": "Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.",
+ "meta": {
+ "aliases": [
+ "LookingFrog"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
+ "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/"
+ ]
+ },
+ "uuid": "202f5481-7bae-4a0b-b117-0642ea1dbe65",
+ "value": "Witchetty"
 }
 ],
 "version": 289
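Review bot: The trailing `"version": 289` is unchanged context (the diffstat shows 16 insertions and no deletions), so the new Witchetty cluster lands without a galaxy version bump and MISP instances already holding version 289 will not fetch it on their next galaxy update; change it to `"version": 290` unless maintainers bump it in a separate commit. The new entry stores the alternative name under `"aliases"`, whereas MISP galaxy clusters conventionally carry alternative names under `"synonyms"` — if the surrounding entries in clusters/threat-actor.json use that key, `LookingFrog` will not resolve as a synonym in galaxy matching, so rename the key to `"synonyms"`. The description ties Witchetty to TA410 and Cicada/APT10 only in prose; if those actors exist as clusters in this file, a `"related"` entry such as `{ "dest-uuid": "<uuid of the TA410 cluster in this file>", "type": "similar" }` would make the sub-group relationship machine-readable. The Symantec reference's slug suggests it covers steganography-based tooling that the description, which summarizes only the ESET reporting, does not mention; a sentence on that is worth adding if it is confirmed against the source.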