From 69fe870803c9882fa946898b4a9925924f8e9a3e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Fri, 8 May 2020 13:01:48 -0400
Subject: [PATCH 1/3] Add Higaisa Threat Actor
---
 clusters/threat-actor.json | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 93c0aa3..157cc46 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8182,6 +8182,31 @@
 "uuid": "169187c5-9fbe-42df-ae92-6e35846db021",
 "value": "Nazar"
 }
+ {
+ "description": "The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities. The bait includes New Year blessings, Lantern blessings, North Korean celebrations, and important news, overseas personnel contact lists and so on. In addition, the attack organization also has the attack capability of the mobile terminal. The targets of the attack also include diplomatic entities related to North Korea (such as embassy officials in various places), government officials, human rights organizations, North Korean residents abroad, and traders. The victim countries currently monitored include China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland, etc.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "China",
+ "North Korea",
+ "Japan",
+ "Nepal",
+ "Singapore",
+ "Russia",
+ "Poland",
+ "Switzerland"
+ ],
+ "cfr-target-category": [
+ "Government"
+ ],
+ "cfr-suspected-state-sponsor": "Korea (Republic of)",
+ "country": "KR",
+ "refs": [
+ "https://s.tencent.com/research/report/836.html"
+ ],
+ },
+ "uuid": "a9df6cb7-74ff-482f-b23b-ac40e975a31a",
+ "value": "Higaisa"
+ }
 ],
- "version": 158
+ "version": 159
 }
From fc9505cadf281f2fe5bbb092560e5b26cbf82b35 Mon Sep 17 00:00:00 2001
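Review bot: The added Higaisa object leaves clusters/threat-actor.json unparseable: the new `+ {` follows the Nazar object's closing `}` with no separating comma, and inside `meta` the `refs` array closes with `+ ],` directly before `},`, a trailing comma that RFC 8259 parsers reject. Any tool that loads this cluster file will fail on the whole file, not just on the new entry. PATCH 3/3 in this series corrects exactly these two lines, so it should be squashed into this commit so that no revision with a broken cluster file remains in history; running `jq . clusters/threat-actor.json` before committing catches both problems. The description also reads as a machine translation and is worth rewording before it becomes the canonical summary of this actor: `fishing activities` should be `phishing activities`, and `important North Korean time nodes` something like `dates significant to North Korea`.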
From: Thomas Dupuy
Date: Fri, 8 May 2020 13:29:14 -0400
Subject: [PATCH 2/3] Add Sednit's Exploit-kit Sedkit
---
 clusters/tool.json | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 378a3ff..af6a544 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8016,7 +8016,23 @@
 },
 "uuid": "edd9e14c-80f7-4a50-ab85-fa1120c54003",
 "value": "DenesRAT"
+ },
+ {
+ "description": "Sednit's Exploit-Kit",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
+ "https://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/"
+ ],
+ "synonyms": [],
+ "type": [
+ "Exploit-Kit"
+ ]
+ },
+ "related": [],
+ "uuid": "a2d1cdd6-1c3d-47b3-803b-9a3fffe2f051",
+ "value": "Sedkit"
 }
 ],
- "version": 134
+ "version": 135
 }
From 09429eda5af8102e07583f7573c410aeac831d55 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 11 May 2020 10:20:10 +0200
Subject: [PATCH 3/3] chg: [ta] fix the JSON
---
 clusters/threat-actor.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 157cc46..cfaa0f0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
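Review bot: The `description` `Sednit's Exploit-Kit` only repeats the `value` and tells a reader nothing about the tool; the two referenced ESET write-ups already supply the substance, so a sentence such as `Custom exploit kit used by the Sednit espionage group, first reported by ESET in October 2014` (check the wording against the references) would make the entry useful on its own. The entry also ships with `"synonyms": []` and `"related": []`; the empty `related` means the tool is not linked to the Sednit threat-actor cluster at all, so consider adding one `related` item whose `dest-uuid` is that cluster's UUID (taken from clusters/threat-actor.json) rather than an empty array. The insertion itself is syntactically sound: the added `+ },` after `DenesRAT` and the retained context `}` close both objects correctly, so this file stays valid JSON.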
@@ -8181,10 +8181,11 @@
 },
 "uuid": "169187c5-9fbe-42df-ae92-6e35846db021",
 "value": "Nazar"
- }
+ },
 {
 "description": "The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities. The bait includes New Year blessings, Lantern blessings, North Korean celebrations, and important news, overseas personnel contact lists and so on. In addition, the attack organization also has the attack capability of the mobile terminal. The targets of the attack also include diplomatic entities related to North Korea (such as embassy officials in various places), government officials, human rights organizations, North Korean residents abroad, and traders. The victim countries currently monitored include China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland, etc.",
 "meta": {
+ "cfr-suspected-state-sponsor": "Korea (Republic of)",
 "cfr-suspected-victims": [
 "China",
 "North Korea",
@@ -8198,11 +8199,10 @@
 "cfr-target-category": [
 "Government"
 ],
- "cfr-suspected-state-sponsor": "Korea (Republic of)",
 "country": "KR",
 "refs": [
 "https://s.tencent.com/research/report/836.html"
- ],
+ ]
 },
 "uuid": "a9df6cb7-74ff-482f-b23b-ac40e975a31a",
 "value": "Higaisa"