From 9719122d27ec7fa1ec86e7c9b3b0ca736f3e95fe Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Wed, 19 May 2021 16:47:41 +0200
Subject: [PATCH 1/2] adding Twisted Spider as alias for TA2101 (Maze)
---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4ec9309..d8dabb6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7750,7 +7750,14 @@
 "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).",
 "meta": {
 "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
+ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://adversary.crowdstrike.com/adversary/twisted-spider/",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf"
+ ],
+ "synonyms": [
+ "Maze Team",
+ "Twisted Spider"
 ]
 },
 "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d",
From 433ea5cb45ae6edcd9836591a6ef18a1ed472be5 Mon Sep 17 00:00:00 2001
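Review bot: The new `synonyms` array on the TA2101 entry adds names that may already be carried by another cluster in this file (Maze is also used as a ransomware family and operator name), and MISP galaxy matching and correlation rely on `value` and `synonyms` being unique across a cluster file, so the rest of `clusters/threat-actor.json` should be checked for an existing "Maze"/"Maze Team"/"Twisted Spider" entry before merge; the hunk alone cannot show whether one exists. If this is a misp-galaxy cluster file, as the path suggests, the file's top-level `version` field should be incremented in the same change, and the diffstat lists only this hunk; the same applies to the second patch in the series. The `description` still frames the entry purely as Proofpoint's TA2101 tracking, so the basis for the new aliases lives only in the refs; appending a sentence such as `Also referred to as Maze Team and tracked by CrowdStrike as TWISTED SPIDER (see refs).` to the description would make the synonyms self-explanatory. The enclosing cluster object starts before this hunk.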
From: Daniel Plohmann
Date: Wed, 19 May 2021 17:04:58 +0200
Subject: [PATCH 2/2] Twisted Spider -> TWISTED SPIDER fair point
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d8dabb6..6dd0aa0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7757,7 +7757,7 @@
 ],
 "synonyms": [
 "Maze Team",
- "Twisted Spider"
+ "TWISTED SPIDER"
 ]
 },
 "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d",