From baaf153229b961270a29a1867eb0170b416164da Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH] [threat-actors] Add Operation Red Signature
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5416249..c02a1e5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14920,6 +14920,18 @@
 },
 "uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf",
 "value": "Ferocious Kitten"
+ },
+ {
+ "description": "The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-backdoor-on-us-government-commission-network",
+ "https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html"
+ ]
+ },
+ "uuid": "3e9b98d9-0c61-4050-bafa-486622de0080",
+ "value": "Operation Red Signature"
 }
 ],
 "version": 299
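Review bot: The cluster's `version` field is left unchanged — the hunk ends on the context line `"version": 299` — so, if this file follows the usual MISP galaxy convention of bumping the version on every cluster edit, instances that sync on version will not pick up the new Operation Red Signature entry; bump it to `"version": 300` in the same commit. The first `refs` entry carries RSS tracking parameters (`?utm_source=rss&utm_medium=rss&utm_campaign=...`) that should be stripped to `"https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/"`, and judging by its slug that article covers a different incident than the Trend Micro write-up the description paraphrases, so it is worth confirming it actually supports this entry before keeping it as a source. The `"country": "CN"` attribution is not substantiated anywhere in the description; stating its basis (for example which reference makes the claim) or adding an `attribution-confidence` value alongside it would make the entry easier to audit.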