From faa4581e2742535bd96b904f2224d7f20496562b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:58 -0800
Subject: [PATCH 01/11] [threat-actors] Add EvilWeb
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5601cb9..f38f564 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17260,6 +17260,17 @@
 ],
 "uuid": "75d2d875-6e49-4152-b055-62337b0a22df",
 "value": "Operation Cobalt Whisper"
+ },
+ {
+ "description": "EvilWeb is a pro-Russian hacktivist group created in March 2024 that targets American and European entities using a hack-and-leak method alongside DDoS attacks. The group claims to have obtained data from various high-profile American organizations. EvilWeb announced its participation in the #FreeDurov operation on August 25, 2024, and began executing DDoS and hacking attacks. As of September 3, 2024, their Telegram channel has 1,146 members.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/"
+ ]
+ },
+ "uuid": "c8ade1b0-befd-490e-8888-656dffee4d1c",
+ "value": "EvilWeb"
 }
 ],
 "version": 320
From 4c85c7be8cac70c943163b4c5878a7376cbbf54b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:58 -0800
Subject: [PATCH 02/11] [threat-actors] Add Evilbyte
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f38f564..e6865f1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
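Review bot: The `country: RU` field added in `meta` rests on the description's "pro-Russian" characterization, which is a statement of alignment rather than of origin; unless the cited Check Point post supports an assessment that the group operates from Russia, either drop the field or make the description say `assessed to be Russia-based` explicitly so readers know which claim the field encodes. The closing sentence `As of September 3, 2024, their Telegram channel has 1,146 members` is a point-in-time metric that will be stale as soon as the cluster ships; if it is kept, phrase it as a dated observation tied to the reference rather than as a current fact. The description's hashtag `#FreeDurov` is fine as an operation name but would be more useful to analysts as `the "#FreeDurov" DDoS campaign`, matching the reference's framing of it as a campaign.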
@@ -17271,6 +17271,18 @@
 },
 "uuid": "c8ade1b0-befd-490e-8888-656dffee4d1c",
 "value": "EvilWeb"
+ },
+ {
+ "description": "EvilByte is a hacktivist group that has conducted several high-profile cyber attacks in 2024, including breaching MyFatoorah's banking system in retaliation against Saudi media 1 and targeting Radio 10 Rosario in Argentina 2. The group has also claimed responsibility for breaching Israeli government websites and leaking data of government employees and intelligence agencies 4.\n\n",
+ "meta": {
+ "refs": [
+ "https://www.cyfirma.com/research/hamas-leadership-assassination-explainer/",
+ "https://x.com/MonThreat/status/1851901195201163720",
+ "https://x.com/MonThreat/status/1821478543001293136"
+ ]
+ },
+ "uuid": "fa65c8b2-50ce-4dea-86a3-8c6b960ce1dd",
+ "value": "Evilbyte"
 }
 ],
 "version": 320
From f4f7ba626415bef971a6e0e19554c95f431c4787 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:58 -0800
Subject: [PATCH 03/11] [threat-actors] Add TOXCAR CYBER TEAM
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e6865f1..7ce2d6d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
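Review bot: The added `description` carries citation residue from the text it was lifted from (`Saudi media 1`, `Argentina 2`, `intelligence agencies 4`) and ends with a literal `\n\n`, which will render as stray digits and trailing blank lines wherever the galaxy is displayed; strip the numerals and the trailing newlines before merging. The entry also spells the actor `EvilByte` in the description but `Evilbyte` in `value`; since `value` is what tags and lookups key on, pick one casing for it and put the other under `meta.synonyms` so the name resolves whichever spelling an analyst searches. Two of the three refs are X/Twitter posts that may be deleted or locked at any time; if the CYFIRMA explainer is the substantive source, it should stay first and the posts be treated as secondary.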
@@ -17283,6 +17283,16 @@
 },
 "uuid": "fa65c8b2-50ce-4dea-86a3-8c6b960ce1dd",
 "value": "Evilbyte"
+ },
+ {
+ "description": "The Toxcar Cyber Team has claimed responsibility for a data leak involving Mastercard, asserting that the attack targeted the U.S. site and providing screenshots as purported evidence. They have also been linked to the sale of an undetectable ransomware designed to bypass major antivirus software. Additionally, the group has shared the source code of Elusive Stealer, a data theft malware. Their activities highlight a focus on data breaches and malware distribution within the cyber threat landscape.",
+ "meta": {
+ "refs": [
+ "https://socradar.io/mastercard-data-leak-new-fully-undetectable-ransomware-elusive-stealer-source-code-leak-and-more/"
+ ]
+ },
+ "uuid": "8a67a86f-48d2-4dd0-824c-22fcfa9bf09d",
+ "value": "TOXCAR CYBER TEAM"
 }
 ],
 "version": 320
From 0634d1fbb99b34f10103997614ac1ff9b69146ce Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:58 -0800
Subject: [PATCH 04/11] [threat-actors] Add SYLHET GANG-SG
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7ce2d6d..5825953 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
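Review bot: The added description restates the seller's marketing as fact — `linked to the sale of an undetectable ransomware designed to bypass major antivirus software` — which a threat-actor catalogue should attribute rather than endorse; suggested wording: `linked to the sale of a ransomware sample advertised as fully undetectable (FUD) by major antivirus products`. The description writes the name as `Toxcar Cyber Team` while `value` is the all-caps `TOXCAR CYBER TEAM`; adding the mixed-case form under `meta.synonyms` keeps both spellings searchable. The rest of the entry is correctly hedged with "claimed" and "purported", which is worth keeping since everything here is self-reported by the group via a single SOCRadar post.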
@@ -17293,6 +17293,17 @@
 },
 "uuid": "8a67a86f-48d2-4dd0-824c-22fcfa9bf09d",
 "value": "TOXCAR CYBER TEAM"
+ },
+ {
+ "description": "SYLHET GANG-SG is a hacktivist group that has targeted critical infrastructure and various entities, including the Central European University and the EU Parliament, often articulating their rationale for attacks. They have been involved in DDoS attacks against Western targets, including the personal website of UK Prime Minister Sunak and the Cyprus police. The group has also declared allegiance to the KillNet 2.0 hacker collective, focusing on threats against allies of Israel.",
+ "meta": {
+ "refs": [
+ "https://blog.checkpoint.com/security/evolving-cyber-dynamics-amidst-the-israel-hamas-conflict/",
+ "https://thecyberexpress.com/killnet-2-0-and-sylhet-gang-hackers/"
+ ]
+ },
+ "uuid": "4f356e2b-8988-4d6b-84e8-d4362764aea0",
+ "value": "SYLHET GANG-SG"
 }
 ],
 "version": 320
From 5f27835a4c27cc01085f40f31c9b5a82786eb2f0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:58 -0800
Subject: [PATCH 05/11] [threat-actors] Add SpaceBears
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5825953..dbe7a2e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
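Review bot: The description names `UK Prime Minister Sunak` without a date, which reads as a current office-holder and will be wrong once the office changes; anchor it as `the personal website of then-UK Prime Minister Rishi Sunak`. The declared allegiance to `KillNet 2.0` is a relationship, and if the galaxy already carries a KillNet cluster it should be expressed in `meta.related` with an appropriate relation type rather than only in prose, so the link is machine-readable. A `synonyms` entry for the plain `Sylhet Gang` form that the second reference's URL uses would also help matching.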
@@ -17304,6 +17304,17 @@
 },
 "uuid": "4f356e2b-8988-4d6b-84e8-d4362764aea0",
 "value": "SYLHET GANG-SG"
+ },
+ {
+ "description": "SpaceBears is a ransomware group believed to be based in Moscow, Russia, that has taken credit for several high-profile cyberattacks while primarily operating as a Data Broker. They currently list eight organizations on their Data Leak Site, focusing on medium to small-sized targets. Their methods suggest a reliance on basic extortion strategies rather than sophisticated malware tactics, with no advanced techniques or indicators of ransomware detected.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://socradar.io/dark-web-profile-spacebears/"
+ ]
+ },
+ "uuid": "9900e010-f7ca-4354-b969-a5cd2b02f9d3",
+ "value": "SpaceBears"
 }
 ],
 "version": 320
From 540ba8ee3b034c3d96baeb2d3a9b466bc83a8b04 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:58 -0800
Subject: [PATCH 06/11] [threat-actors] Add Nam3L3ss
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dbe7a2e..a5ae1a3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17315,6 +17315,16 @@
 },
 "uuid": "9900e010-f7ca-4354-b969-a5cd2b02f9d3",
 "value": "SpaceBears"
+ },
+ {
+ "description": "Nam3L3ss is a threat actor who has leaked data from 25 companies, including over 2.8 million lines of Amazon employee data, which was confirmed to be stolen from a third-party service provider. The actor is distributing this data on BreachForums and claims to have numerous unreleased datasets.",
+ "meta": {
+ "refs": [
+ "https://databreaches.net/2024/11/12/amazon-confirms-employee-data-breach-after-vendor-hack/"
+ ]
+ },
+ "uuid": "4251393d-b7a4-4b23-b65a-2b7e8e4d63de",
+ "value": "Nam3L3ss"
 }
 ],
 "version": 320
From bf1e09487598a87d28437cc5d8d9fac9d1e2096d Mon Sep 17 00:00:00 2001
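Review bot: The added description contradicts itself: it opens with `SpaceBears is a ransomware group` and closes with `no advanced techniques or indicators of ransomware detected`, while the middle sentence says they operate primarily as a data broker. Since the cluster text is what analysts will quote, lead with what the source shows — e.g. `SpaceBears is a data-extortion group operating a data leak site, believed to be based in Moscow, Russia` — and present the ransomware label as the group's own branding. The victim count `eight organizations` is a point-in-time figure and should be dated or dropped. The `country: RU` field matches the "believed to be based in Moscow" wording, which is fine as long as it stays phrased as an assessment.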
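Review bot: The counts in the added description (`25 companies`, `over 2.8 million lines`) and the claim of `numerous unreleased datasets` come from a single same-day news post and will drift as the actor posts more; anchor them to the reference date, e.g. `As of November 2024, the actor had leaked data from 25 companies ...`. `which was confirmed to be stolen` should say who confirmed it — the reference URL indicates Amazon did — since an unattributed "confirmed" carries more weight than a leak-forum claim deserves.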
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:59 -0800
Subject: [PATCH 07/11] [threat-actors] Add FrostyNeighbor
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a5ae1a3..083cd33 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17325,6 +17325,17 @@
 },
 "uuid": "4251393d-b7a4-4b23-b65a-2b7e8e4d63de",
 "value": "Nam3L3ss"
+ },
+ {
+ "description": "FrostyNeighbor is a Belarus-aligned APT group known for conducting influence and disinformation campaigns, particularly targeting Ukraine, Poland, and Lithuania. They have compromised various governmental and private sector entities, including the Polish Anti-Doping Agency, through hack-and-leak operations. The group is believed to collaborate with initial access brokers to exploit high-value targets, utilizing techniques such as zero-day vulnerabilities. Their operations are linked to cyber-enabled disinformation campaigns critical of the North Atlantic Alliance.",
+ "meta": {
+ "country": "BY",
+ "refs": [
+ "https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2024-q3-2024.pdf"
+ ]
+ },
+ "uuid": "ca448608-83fa-467d-8637-1cf004fd8e8a",
+ "value": "FrostyNeighbor"
 }
 ],
 "version": 320
From a1277db62cb3cbf7a5de333b5f5cec5cd8d1b9f8 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:59 -0800
Subject: [PATCH 08/11] [threat-actors] Add Tstark
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 083cd33..a78540f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
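Review bot: Before this lands as a new cluster, check whether the cited ESET report maps FrostyNeighbor onto Belarus-aligned activity the galaxy already tracks under another vendor's name; vendor-specific names are often aliases, and a duplicate cluster would split indicators and sightings across two UUIDs. If it is an alias, add `FrostyNeighbor` to the existing cluster's `synonyms` instead; if ESET treats it as distinct, a `meta.related` link with the relation the report states would still help. `utilizing techniques such as zero-day vulnerabilities` conflates a vulnerability with a technique; `exploiting zero-day vulnerabilities` is cleaner, and if the report names the affected product or CVE the description should cite it.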
@@ -17336,6 +17336,17 @@
 },
 "uuid": "ca448608-83fa-467d-8637-1cf004fd8e8a",
 "value": "FrostyNeighbor"
+ },
+ {
+ "description": "TStark is a threat actor identified by X-Ops, associated with a cluster of devices that executed the bookmark buffer overflow exploit targeting CVE-2020-15069 (T1203). The actor exhibited odd telemetry behavior indicative of intermittent VPN usage, switching between IP addresses geolocated to Hong Kong and Chengdu. Analysis revealed malware samples for Mac OS X and iOS, as well as IFRAME injection code exploiting a WebAssembly vulnerability (T1189). Additionally, TStark was linked to the development of libsophos.so and the deployment of malicious payloads across their devices.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/"
+ ]
+ },
+ "uuid": "7c1af433-bde1-4c35-85d3-e951b5020187",
+ "value": "Tstark"
 }
 ],
 "version": 320
From 55839a8eddc6e9101ec09aaab1a07a94c68af2cb Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:59 -0800
Subject: [PATCH 09/11] [threat-actors] Add WageMole
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a78540f..c233606 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
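Review bot: `value` is `Tstark` while the description consistently writes `TStark`; `value` is what tags and searches key on, so align it with the description's casing or add the other form to `synonyms`. `country: CN` is, per the description itself, derived from VPN exit IPs geolocating to Hong Kong and Chengdu, which is weak evidence of origin; either say so in the text — `assessed as China-based on the basis of telemetry geolocation` — or leave the field out. `identified by X-Ops` will be opaque to readers outside that vendor's ecosystem; given the Sophos reference it presumably means `Sophos X-Ops`, and should be spelled out. The CVE and ATT&CK IDs in the description are useful but would be more valuable to consumers in structured `meta` fields than embedded in prose.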
@@ -17347,6 +17347,18 @@
 },
 "uuid": "7c1af433-bde1-4c35-85d3-e951b5020187",
 "value": "Tstark"
+ },
+ {
+ "description": "WageMole is a North Korean state-sponsored APT that employs social engineering and technology to secure remote job opportunities in Western countries, leveraging stolen personal data from the Contagious Interview campaign. Threat actors create fake identities, including passports and driver's licenses, and prepare study guides for interviews, often utilizing generative AI for well-structured responses. They target small to mid-sized businesses and utilize job platforms like Upwork and Indeed, while employing automation scripts for account creation. WageMole's activities include sharing code within their group and requesting payments through platforms like PayPal to conceal their identity.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/",
+ "https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west"
+ ]
+ },
+ "uuid": "09aa3edb-e956-43f0-9fcb-a3154b47d202",
+ "value": "WageMole"
 }
 ],
 "version": 320
From da11e5ca0969bf54c3b10cc47145335a72bcd583 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:58:59 -0800
Subject: [PATCH 10/11] [threat-actors] Add APT73
---
 clusters/threat-actor.json | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c233606..0298ce3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
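Review bot: The link to the `Contagious Interview campaign` is stated only in prose; if that campaign has its own cluster in the galaxy, a `meta.related` entry would make the data-sharing relationship between the two operations machine-readable instead of relying on a text search. Calling the group an `APT` sits oddly with the activity described, which is fraudulent remote employment for revenue rather than intrusion; `North Korean state-sponsored operation` describes it without implying a capability the text does not show. `create fake identities, including passports and driver's licenses` reads as if passports are a kind of identity; `create fake identities backed by forged passports and driver's licenses` says what is meant.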
@@ -17359,6 +17359,27 @@
 },
 "uuid": "09aa3edb-e956-43f0-9fcb-a3154b47d202",
 "value": "WageMole"
+ },
+ {
+ "description": "APT73 is a ransomware group that has publicly identified 12 victims and launched its data leak site on April 25th. The DLS bears a striking resemblance to that of LockBit, likely to leverage LockBit's reputation and attract potential affiliates. The rationale for this design mimicry is unclear, but it may be intended to signal operational parity with LockBit to inspire trust among low-level criminals. APT73 was formed by an alleged former LockBit affiliate following law enforcement's \"Operation Cronos\" in February 2024.",
+ "meta": {
+ "refs": [
+ "https://quointelligence.eu/2024/06/analyzing-shift-in-ransomware-dynamics/",
+ "https://www.redpacketsecurity.com/apt73-ransomware-victim-www-baldinger-ag-ch/",
+ "https://www.redpacketsecurity.com/apt73-ransomware-victim-www-scopeset-de/",
+ "https://www.redpacketsecurity.com/apt73-ransomware-victim-hpecds-com/",
+ "https://www.redpacketsecurity.com/apt73-ransomware-victim-www-trinitesolutions-com/",
+ "https://www.redpacketsecurity.com/apt73-ransomware-victim-modplan-co-uk/",
+ "https://www.redpacketsecurity.com/apt73-ransomware-victim-mgfsourcing-com/",
+ "https://www.redpacketsecurity.com/apt73-ransomware-victim-www-legilog-fr/",
+ "https://www.redpacketsecurity.com/apt73-ransomware-victim-sokkakreatif-com/"
+ ],
+ "synonyms": [
+ "Eraleig"
+ ]
+ },
+ "uuid": "84bf7b38-e120-44c9-bfdd-82740593a6c6",
+ "value": "APT73"
 }
 ],
 "version": 320
From 344e8cc4fdce1e30c15d92456df66bf60c3c77be Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 12 Nov 2024 06:59:01 -0800
Subject: [PATCH 11/11] [threat actors] Update README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 88a39c4..2d7844d 100644
--- a/README.md
+++ b/README.md
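Review bot: `launched its data leak site on April 25th` has no year; from the Operation Cronos sentence it is presumably 2024, and the description should say `April 25, 2024` so the date survives being quoted out of context. The name `APT73` mimics the vendor `APTnn` numbering scheme but, as the description implies, is the group's own branding; one sentence — `The "APT73" name is self-chosen and is not a vendor-assigned APT designation` — would stop analysts from hunting for a report that does not exist. Eight of the nine refs are per-victim leak-site mirror posts that name specific organizations; they add little over the QuoIntelligence writeup and push victim names into a widely redistributed dataset, so consider trimming them to the analytical source. The cluster `version` in this hunk's trailing context is still `320` after ten new entries across the series; MISP instances compare that field when deciding whether to refresh a galaxy, so this last JSON patch is where the bump belongs.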
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *764* elements
+Category: *actor* - source: *MISP Project* - total: *774* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]