From 965f1f5be4b706db8789453438eba5aeddc618f9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 24 Jun 2024 02:35:57 -0700
Subject: [PATCH] [threat-actors] Add Markopolo
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f788692..de92977 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16185,6 +16185,17 @@
 },
 "uuid": "2ac0db88-8e88-447b-ad44-f781326f5884",
 "value": "Void Arachne"
+ },
+ {
+ "description": "Markopolo is a threat actor known for running scams targeting cryptocurrency users through a fake app called Vortax. They use social media and a dedicated blog to legitimize their malicious activities. Markopolo has been linked to a credential-harvesting operation and is agile in pivoting to new scams when detected. The actor leverages shared hosting and C2 infrastructure for their malicious builds.",
+ "meta": {
+ "refs": [
+ "https://www.darkreading.com/remote-workforce/vortax-meeting-software-branding-spreads-infostealers",
+ "https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers"
+ ]
+ },
+ "uuid": "c1e2121a-84c9-4fd0-99ef-917ded9cb3e1",
+ "value": "Markopolo"
 }
 ],
 "version": 312
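Review bot: The trailing context line `"version": 312` is unchanged even though a new cluster entry is added. If consumers of this file decide whether to re-import by comparing the version, the Markopolo entry may not reach them until a later bump; unless another commit in the series handles it, this one should carry `"version": 313`. The description also never mentions infostealer delivery, which both `refs` URLs name in their slugs and which is the term an analyst is most likely to search on; a short clause saying the Vortax app spreads infostealers would make the entry easier to find and to match against detections.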