From a5ae130916f890d339fa0ccb6b2353aafa5bab39 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 25 Sep 2019 11:27:03 +0200
Subject: [PATCH] chg: [threat-actor] Evil Eye and POISON CARP
Ref: https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/
Signed-off: Jean-Louis during training session
---
 clusters/threat-actor.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ae4a0be..535720b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7719,7 +7719,21 @@
 },
 "uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
 "value": "Tortoiseshell"
+ },
+ {
+ "description": "Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.",
+ "meta": {
+ "refs": [
+ "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/",
+ "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/"
+ ],
+ "synonyms": [
+ "Evil Eye"
+ ]
+ },
+ "uuid": "7aa99279-4255-4d26-bb95-12e7156555a0",
+ "value": "POISON CARP"
 }
 ],
- "version": 133
+ "version": 134
 }
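Review bot: The new entry lists `Evil Eye` under `synonyms`, but its `description` covers only the Tibetan-targeting campaign and never mentions Evil Eye or the Volexity report added as the second `refs` entry, so the basis for treating the two names as one actor is not recorded. Anything that correlates or tags on synonyms will merge reporting under both names, so the entry should state the link and how strong it is, limited to what the two cited reports support. The last sentence is also copied in the first person, leaving "we" without an owner in a shared cluster file; it would read better as `...by what appears to be a single operator that Citizen Lab calls POISON CARP.`, followed by one hedged sentence naming the overlap with the activity Volexity tracks as Evil Eye. The enclosing array begins outside the hunk, so whether an existing entry already covers Evil Eye cannot be checked from here.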