From 9c6f106928d2dbaa695beeae7fafc09baaec6049 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon <mathieu@feedly.com>
Date: Tue, 16 Aug 2022 16:47:13 -0700
Subject: [PATCH] [threat actor] Fix aliases related to Lotus Panda

---
 clusters/threat-actor.json | 63 +++++---------------------------------
 1 file changed, 7 insertions(+), 56 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fd0711b..7c75955 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -805,21 +805,20 @@
           "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
           "https://www.cfr.org/interactive/cyber-operations/apt-30",
           "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
+          "https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks",
           "https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
           "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
           "https://threatconnect.com/blog/tag/naikon/",
           "https://attack.mitre.org/groups/G0019/",
-          "https://www.secureworks.com/research/threat-profiles/bronze-geneva"
+          "https://www.secureworks.com/research/threat-profiles/bronze-geneva",
+          "https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d",
+          "https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/"
         ],
         "synonyms": [
           "PLA Unit 78020",
-          "APT 30",
-          "APT30",
           "Override Panda",
           "Camerashy",
-          "APT.Naikon",
           "Lotus Panda",
-          "Hellsing",
           "BRONZE GENEVA",
           "G0019"
         ]
@@ -911,50 +910,6 @@
       "uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
       "value": "Lotus Blossom"
     },
-    {
-      "meta": {
-        "attribution-confidence": "50",
-        "country": "CN",
-        "refs": [
-          "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
-        ],
-        "synonyms": [
-          "Elise"
-        ]
-      },
-      "related": [
-        {
-          "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
-          "tags": [
-            "estimative-language:likelihood-probability=\"likely\""
-          ],
-          "type": "similar"
-        },
-        {
-          "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
-          "tags": [
-            "estimative-language:likelihood-probability=\"likely\""
-          ],
-          "type": "similar"
-        },
-        {
-          "dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
-          "tags": [
-            "estimative-language:likelihood-probability=\"likely\""
-          ],
-          "type": "similar"
-        },
-        {
-          "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
-          "tags": [
-            "estimative-language:likelihood-probability=\"likely\""
-          ],
-          "type": "similar"
-        }
-      ],
-      "uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
-      "value": "Lotus Panda"
-    },
     {
       "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
       "meta": {
@@ -3612,7 +3567,8 @@
           "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
           "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
           "https://attack.mitre.org/wiki/Group/G0013",
-          "https://www.cfr.org/interactive/cyber-operations/apt-30"
+          "https://www.cfr.org/interactive/cyber-operations/apt-30",
+          "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
         ],
         "synonyms": [
           "APT30",
@@ -6504,7 +6460,6 @@
           "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
         ],
         "synonyms": [
-          "LOTUS PANDA",
           "G0076"
         ]
       },
@@ -6534,11 +6489,7 @@
         "country": "PK",
         "refs": [
           "https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo",
-          "https://attack.mitre.org/groups/G0076"
-        ],
-        "synonyms": [
-          "ATK78",
-          "G0076"
+          "https://www.lookout.com/blog/stealth-mango"
         ]
       },
       "uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c",