Merge pull request #919 from Mathieu4141/threat-actors/56cfa5a2-e4c0-48a2-8462-12184db0e375

[threat actor] Add Blackwood & aliases for 2 other actors
This commit is contained in:
Alexandre Dulaunoy 2024-01-31 05:32:34 +01:00 committed by GitHub
commit a0497d6aaf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -9253,13 +9253,16 @@
"https://github.com/fireeye/sunburst_countermeasures", "https://github.com/fireeye/sunburst_countermeasures",
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
"https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html", "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html",
"https://unit42.paloaltonetworks.com/atoms/solarphoenix/" "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
"https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/",
"https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/"
], ],
"synonyms": [ "synonyms": [
"DarkHalo", "DarkHalo",
"StellarParticle", "StellarParticle",
"NOBELIUM", "NOBELIUM",
"Solar Phoenix" "Solar Phoenix",
"Midnight Blizzard"
] ]
}, },
"related": [ "related": [
@ -14035,7 +14038,14 @@
"meta": { "meta": {
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/",
"https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
"https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
"https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/"
],
"synonyms": [
"UNC5221"
] ]
}, },
"uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3", "uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
@ -14113,6 +14123,18 @@
}, },
"uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb", "uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb",
"value": "Cotton Sandstorm" "value": "Cotton Sandstorm"
},
{
"description": "Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.",
"meta": {
"country": "CN",
"refs": [
"https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/",
"https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/"
]
},
"uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566",
"value": "Blackwood"
} }
], ],
"version": 297 "version": 297
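Review bot: The cluster's `"version"` field is shown unchanged at 297 on both sides of the last hunk even though the diff adds a new entry (Blackwood) and new synonyms and refs to two existing entries, so consumers that decide whether to re-import the galaxy by comparing `"version"` will not pick these changes up; the usual convention is to bump it in the same change, e.g. `"version": 298`. If the bump landed in another commit of this pull request that this page does not show, this can be disregarded. A minor consistency point: the two existing entries touched here carry a `"synonyms"` array while the new Blackwood entry has none, which is fine if no alias is known but worth confirming against the cited ESET write-up. The objects edited in the first two hunks begin outside their hunks.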