Merge pull request #919 from Mathieu4141/threat-actors/56cfa5a2-e4c0-48a2-8462-12184db0e375

[threat actor] Add Blackwood & aliases for 2 other actors
2025-01-31 17:06:15 +00:00 · 2024-01-31 05:32:34 +01:00 · 2024-01-31 05:32:34 +01:00 · a0497d6aaf
commit a0497d6aaf
parent 262b95fa79 85f22c7d2e
1 changed files with 25 additions and 3 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -9253,13 +9253,16 @@
          "https://github.com/fireeye/sunburst_countermeasures",
          "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
          "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html",
-          "https://unit42.paloaltonetworks.com/atoms/solarphoenix/"
+          "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
+          "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/",
+          "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/"
        ],
        "synonyms": [
          "DarkHalo",
          "StellarParticle",
          "NOBELIUM",
-          "Solar Phoenix"
+          "Solar Phoenix",
+          "Midnight Blizzard"
        ]
      },
      "related": [
@ -14035,7 +14038,14 @@
      "meta": {
        "country": "CN",
        "refs": [
-          "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/"
+          "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/",
+          "https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/",
+          "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
+          "https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
+          "https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/"
+        ],
+        "synonyms": [
+          "UNC5221"
        ]
      },
      "uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
@ -14113,6 +14123,18 @@
      },
      "uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb",
      "value": "Cotton Sandstorm"
+    },
+    {
+      "description": "Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/",
+          "https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/"
+        ]
+      },
+      "uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566",
+      "value": "Blackwood"
    }
  ],
  "version": 297