From af9d1833716be487f9512275399c6c0b6dc18b4a Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH] [threat-actors] Add IRLeaks

---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a3b2b9f..9ec4fae 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16601,6 +16601,20 @@
       },
       "uuid": "8356805a-5612-449c-9fdc-cbe536c1f392",
       "value": "UAC-0154"
+    },
+    {
+      "description": "IRLeaks is a threat actor known for significant cyberattacks targeting Iranian organizations, including a major breach of SnappFood, where they exfiltrated 3TB of sensitive data from 20 million user profiles. They have also compromised data from 23 leading Iranian insurance companies, offering over 160 million records for sale. Their operations involve extortion tactics, as seen in the ransom negotiations with Tosan, and they utilize malware such as StealC for data extraction. IRLeaks communicates primarily in Persian and has been active in selling stolen data on cybercriminal marketplaces.",
+      "meta": {
+        "refs": [
+          "https://www.hackread.com/iranian-food-delivery-snappfood-cyber-attack/",
+          "https://cisoseries.com/cyber-security-headlines-google-5b-suit-settled-orbit-chain-loses-80m-fda-cyber-agreement/",
+          "https://www.oodaloop.com/briefs/2024/01/04/pilfered-data-from-iranian-insurance-and-food-delivery-firms-leaked-online/",
+          "https://cybershafarat.com/2024/09/04/major-ir-leaks/",
+          "https://www.scmagazine.com/brief/significant-ransom-payment-by-major-iranian-it-firm-underway"
+        ]
+      },
+      "uuid": "f0a50fa0-25ca-4346-a666-390923f2c5a1",
+      "value": "IRLeaks"
     }
   ],
   "version": 313