diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9376727..32342ec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8007,7 +8007,11 @@
         "refs": [
           "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
           "http://www.secureworks.com/research/threat-profiles/gold-essex",
-          "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later"
+          "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later",
+          "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+          "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
+          "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
+          "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes"
         ],
         "synonyms": [
           "GOLD ESSEX",