From 58f3cc2e11f57a92dbc4ea283a792117e88cc596 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:55 -0800 Subject: [PATCH 01/72] [threat-actors] Add Gamaredon Group aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index e58977d..927b991 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4561,7 +4561,9 @@ "Shuckworm", "Trident Ursa", "UAC-0010", - "Winterflounder" + "Winterflounder", + "Aqua Blizzard", + "Actinium" ] }, "related": [ From 732d00998bac604807369d3fd51e519a165c6f0b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:55 -0800 Subject: [PATCH 02/72] [threat-actors] Add Denim Tsunami --- clusters/threat-actor.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 927b991..fa460f7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
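Review bot: The added synonym `"Actinium"` is written in mixed case, while every other legacy Microsoft element-style name this series adds is uppercase (`"KNOTWEED"`, `"SOURGUM"`, `"THALLIUM"`, `"EUROPIUM"`, `"RUBIDIUM"`, `"BOHRIUM"`, `"CERIUM"`) and the entries already in the file follow the same convention (`"HOLMIUM"`, `"ZIRCONIUM"`, `"BROMINE"`). Unless the cited source spells it this way, `"ACTINIUM"` keeps the synonym list consistent; consumers that match synonyms case-sensitively would otherwise miss the form used in the original Microsoft reporting. `"Aqua Blizzard"` follows the new Microsoft naming and is fine as written.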
@@ -14137,6 +14137,23 @@ }, "uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566", "value": "Blackwood" + }, + { + "description": "Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.", + "meta": { + "country": "AT", + "refs": [ + "https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation", + "https://socradar.io/threats-of-commercialized-malware-knotweed/", + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" + ], + "synonyms": [ + "KNOTWEED", + "DSIRF" + ] + }, + "uuid": "79a347d9-1938-4550-8836-98e4ed95f77c", + "value": "Denim Tsunami" } ], "version": 298 From 3ed1619c89731427c69609d997e6d6fde69c474b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:55 -0800 Subject: [PATCH 03/72] [threat-actors] Add APT40 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index fa460f7..7ceed02 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -6386,7 +6386,8 @@ "Red Ladon", "ITG09", "MUDCARP", - "ISLANDDREAMS" + "ISLANDDREAMS", + "Gingham Typhoon" ] }, "related": [ From 550d062c77a37cdb4b582a2fcde594508aea203c Mon Sep 17 00:00:00 2001 
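Review bot: The `"version": 298` context line at the end of the Denim Tsunami hunk shows the cluster version is not incremented by this patch, and the same unchanged line closes every entry-adding hunk visible here (patches 04, 06, 07, 12, 16, 17, 19, 22, 23, 24, 27, 31 and 34). If no later patch in the 72-patch series bumps it, instances that sync clusters by version will not notice that new entries and synonyms were added. A single final patch incrementing `"version"` once would cover the whole series; it is worth confirming one exists before merging.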
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:55 -0800 Subject: [PATCH 04/72] [threat-actors] Add Blue Tsunami --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7ceed02..4f5d076 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14155,6 +14155,21 @@ }, "uuid": "79a347d9-1938-4550-8836-98e4ed95f77c", "value": "Denim Tsunami" + }, + { + "description": "Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They target individuals in various industries, including human rights, finance, and consulting. Blue Tsunami engages in social engineering and uses techniques such as honeypot profiles, fake jobs, and fake companies to gather human intelligence for their clients. LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.", + "meta": { + "country": "IL", + "refs": [ + "https://precisionpconline.com/a-unified-front-against-cyber-mercenaries/", + "https://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/" + ], + "synonyms": [ + "Black Cube" + ] + }, + "uuid": "46104ded-49f5-4440-bd25-e05c1126f0ba", + "value": "Blue Tsunami" } ], "version": 298 From 38fea405f5e70c3a1fa773e746e772abf3c5f931 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 05/72] [threat-actors] Add DEV-0586 aliases --- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4f5d076..b75494f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -10464,13 +10464,16 @@ "Ukraine" ], "cfr-type-of-incident": "Sabotage", + "country": "RU", "refs": [ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", - "https://unit42.paloaltonetworks.com/atoms/ruinousursa/" + "https://unit42.paloaltonetworks.com/atoms/ruinousursa/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ - "Ruinous Ursa" + "Ruinous Ursa", + "Cadet Blizzard" ] }, "related": [ From f1d514afc41a6f75b519fdc85de0945a0034fe06 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 06/72] [threat-actors] Add Cuboid Sandstorm --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b75494f..36f2768 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14173,6 +14173,20 @@ }, "uuid": "46104ded-49f5-4440-bd25-e05c1126f0ba", "value": "Blue Tsunami" + }, + { + "description": "Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company's network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.", + "meta": { + "country": "IR", + "refs": [ + "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/" + ], + "synonyms": [ + "DEV-0228" + ] + }, + "uuid": "a4004712-f74b-4c8c-b1fb-bb7229bc2da1", + "value": "Cuboid Sandstorm" } ], "version": 298 From 4cec7a7322486481134078979f3ea5ec14a26720 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 07/72] [threat-actors] Add Pearl Sleet --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 36f2768..ff7bfb8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14187,6 +14187,21 @@ }, "uuid": "a4004712-f74b-4c8c-b1fb-bb7229bc2da1", "value": "Cuboid Sandstorm" + }, + { + "description": "Pearl Sleet is a nation state activity group based in North Korea that has been active since at least 2012. They primarily target defectors from North Korea, media organizations in carrying out their cyber espionage activities.", + "meta": { + "country": "KP", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431" + ], + "synonyms": [ + "DEV-0215", + "LAWRENCIUM" + ] + }, + "uuid": "ef0d776a-51de-4965-ba1c-69ed256e0e5d", + "value": "Pearl Sleet" } ], "version": 298 From d491ae01bff6dda0fa758336e9aa90439ebf507d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 08/72] [threat-actors] Add Turla aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ff7bfb8..c73619f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2636,7 +2636,8 @@ "ITG12", "Blue Python", "SUMMIT", - "UNC4210" + "UNC4210", + "Secret Blizzard" ], "targeted-sector": [ "Government, Administration", From 54a2b4766d73366aff0c45c5aecf83e1cb2853d6 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 09/72] [threat-actors] Add HAFNIUM aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c73619f..75e7a0b 100644 
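Review bot: The second sentence of the new Pearl Sleet description is ungrammatical — `They primarily target defectors from North Korea, media organizations in carrying out their cyber espionage activities.` reads as if a conjunction was dropped between the two targets. Something like `They primarily target North Korean defectors and media organizations in carrying out their cyber espionage activities.` keeps the stated facts and reads cleanly. The single ref is a monthly news roundup; if it does not itself state the 2012 start date and the targeting, a more specific source would make the claims easier to verify.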
--- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9367,7 +9367,8 @@ "ATK233", "G0125", "Operation Exchange Marauder", - "Red Dev 13" + "Red Dev 13", + "Silk Typhoon" ] }, "related": [ From 0ffadd08ecd76d85f8bedfc6a184d426f33fbd6d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 10/72] [threat-actors] Add TiltedTemple aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 75e7a0b..5531d00 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -13498,7 +13498,8 @@ "https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/" ], "synonyms": [ - "DEV-0322" + "DEV-0322", + "Circle Typhoon" ] }, "uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf", From 1b6a5e8b1762a5626ac5dd15fc411232e40a6e8e Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:56 -0800 Subject: [PATCH 11/72] [threat-actors] Add APT32 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5531d00..6f0baff 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4834,7 +4834,8 @@ "TIN WOODLAWN", "BISMUTH", "ATK17", - "G0050" + "G0050", + "Canvas Cyclone" ], "targeted-sector": [ "Dissidents", From 0e47e278795e51451c6fd2d4c4ef58b83d578a72 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 12/72] [threat-actors] Add Carmine Tsunami --- clusters/threat-actor.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6f0baff..7750c86 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14206,6 +14206,22 @@ }, "uuid": "ef0d776a-51de-4965-ba1c-69ed256e0e5d", "value": "Pearl Sleet" + }, + { + "description": "Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. They utilize domain registrars and inexpensive cloud hosting providers, often using single domains per IP address and deploying free Let's Encrypt SSL certificates.", + "meta": { + "country": "IL", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", + "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" + ], + "synonyms": [ + "DEV-0196", + "QuaDream" + ] + }, + "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c", + "value": "Carmine Tsunami" } ], "version": 298 From 8c5dd8672f8ccf28eff736892b038f8edf1cebfe Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 13/72] [threat-actors] Add APT28 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7750c86..28557c6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2407,7 +2407,8 @@ "APT-C-20", "UAC-0028", "FROZENLAKE", - "Sofacy" + "Sofacy", + "Forest Blizzard" ], "targeted-sector": [ "Military", From c81b10b3f58b6944fb493dfda6a2c1444bf8b37d Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 14/72] [threat-actors] Add LAPSUS aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 28557c6..50be072 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10110,7 +10110,8 @@ "synonyms": [ "LAPSUS$", "DEV-0537", - "SLIPPY SPIDER" + "SLIPPY SPIDER", + "Strawberry Tempest" ] }, "related": [ From 05cf259436032bbfa4745b06b2d1db52a6f77e45 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 15/72] [threat-actors] Add GALLIUM aliases --- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 50be072..6120a0f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9061,15 +9061,18 @@ { "description": "GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.", "meta": { + "country": "CN", "refs": [ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://www.youtube.com/watch?v=fBFm2fiEPTg", "https://troopers.de/troopers22/talks/7cv8pz/", - "https://unit42.paloaltonetworks.com/atoms/alloytaurus/" + "https://unit42.paloaltonetworks.com/atoms/alloytaurus/", + "https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/" ], "synonyms": [ "Red Dev 4", - "Alloy Taurus" + "Alloy Taurus", + "Granite Typhoon" ] }, "related": [ From 4388309aa06024efd674db5c792aa6ba9b78b5ce Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 16/72] [threat-actors] Add Mustard Tempest --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6120a0f..67981ac 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14227,6 +14227,21 @@ }, "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c", "value": "Carmine Tsunami" + }, + { + "description": "Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "synonyms": [ + "DEV-0206", + "Purple Vallhund" + ] + }, + "uuid": "3ce9610b-2435-4c41-80d1-3f95a5ff2984", + "value": "Mustard Tempest" } ], "version": 298 From 9756306d987f6d3793171350b54598d638b224a4 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 17/72] [threat-actors] Add UNC4990 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 67981ac..370cd32 100644 --- a/clusters/threat-actor.json 
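Review bot: The last sentence of the new Mustard Tempest description is self-referential: `Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp` names the actor as associated with itself, so the syndicate's name is presumably wrong and should be taken from the cited Microsoft post before this is merged. The second ref uses `http://www.microsoft.com/...` while the other Microsoft refs in this series use `https://`; the same `http://` scheme appears in the second Velvet Tempest ref (patch 23), and both should be normalised to `https://` so they match the existing refs and are not treated as distinct URLs. Unlike the neighbouring new entries, this one carries no `"country"` key; that is acceptable if the sources make no attribution, but worth a word in the commit message.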
+++ b/clusters/threat-actor.json @@ -14242,6 +14242,17 @@ }, "uuid": "3ce9610b-2435-4c41-80d1-3f95a5ff2984", "value": "Mustard Tempest" + }, + { + "description": "UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.", + "meta": { + "country": "IT", + "refs": [ + "https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware" + ] + }, + "uuid": "7db46444-2d27-4922-8a21-98f8509476dc", + "value": "UNC4990" } ], "version": 298 From ac0fdd61ea86a9f3e259c7ecb5cce96ea490392c Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:57 -0800 Subject: [PATCH 18/72] [threat-actors] Add FIN6 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 370cd32..b4edca6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3874,7 +3874,8 @@ "White Giant", "GOLD FRANKLIN", "ATK88", - "G0037" + "G0037", + "Camouflage Tempest" ] }, "related": [ From d1dae2085bd104d69a6eb5b85c8e379617c39148 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 19/72] [threat-actors] Add Caramel Tsunami --- clusters/threat-actor.json | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b4edca6..da980d7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
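Review bot: The new UNC4990 entry sets `"country": "IT"`, but its description only says the group "primarily target[s] users in Italy" and "targeted organizations ... particularly in Italy", which is victim geography rather than origin. Elsewhere in this series `country` is the actor's origin (`"AT"` on Denim Tsunami with DSIRF, `"IR"` on Cuboid Sandstorm, `"KP"` on Pearl Sleet), so a reader will take `IT` as an attribution the description does not support. If the cited Mandiant report does assess the group as operating from Italy, add a sentence saying so (e.g. `The group is assessed to operate from Italy.`); otherwise drop the key.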
@@ -14254,6 +14254,25 @@ }, "uuid": "7db46444-2d27-4922-8a21-98f8509476dc", "value": "UNC4990" + }, + { + "description": "Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.", + "meta": { + "refs": [ + "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/", + "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/", + "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", + "https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/" + ], + "synonyms": [ + "SOURGUM", + "Candiru" + ] + }, + "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966", + "value": "Caramel Tsunami" } ], "version": 298 From 3d51ce84fb062d4c137e75240088aa5c31f17409 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 20/72] [threat-actors] Add Earth Lusca aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index da980d7..583bb37 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
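Review bot: The Caramel Tsunami description switches subject to "Candiru" in its third sentence without saying that this is the same actor, so a reader scanning by `value` must consult `synonyms` to follow it; the same pattern appears in Sunglow Blizzard (patch 24, opens with "DEV-0665 is"), Vanilla Tempest (patch 27, opens with "Vice Society is") and Ruby Sleet (patch 34, "Cerium has been involved"). Leading with the `value` and introducing the alias once, e.g. `Caramel Tsunami (also tracked as Candiru and SOURGUM) is a threat actor that specializes in spyware attacks.`, would make each description self-contained. This entry also has no `"country"` key while the sibling private-sector-offensive-actor entries in this series (Denim Tsunami, Blue Tsunami, Carmine Tsunami) do; if the refs support one it should be added for consistency.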
@@ -10598,7 +10598,8 @@ "BRONZE UNIVERSITY", "AQUATIC PANDA", "Red Dev 10", - "RedHotel" + "RedHotel", + "Charcoal Typhoon" ] }, "related": [ From 8d024a52b1b08bffdfb840c90b33847bfcf28666 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 21/72] [threat-actors] Add BRONZE STARLIGHT aliases --- clusters/threat-actor.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 583bb37..59565d4 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10735,11 +10735,17 @@ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", - "https://twitter.com/cglyer/status/1480734487000453121" + "https://twitter.com/cglyer/status/1480734487000453121", + "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group", + "https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" ], "synonyms": [ "SLIME34", - "DEV-0401" + "DEV-0401", + "Cinnamon Tempest", + "Emperor Dragonfly" ] }, "related": [ From 4cbf4353b033f38b121e06eb678407094f24b0a3 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 22/72] [threat-actors] Add Storm-0867 --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
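Review bot: In the BRONZE STARLIGHT hunk the third added ref, `https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/`, is the same article as the first context line of the hunk (`https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-...-protect-yourself`), differing only in the `en-us` path segment and trailing slash; the added line should be dropped. The same `en-us` form of that URL is also added under Mustard Tempest (patch 16), Velvet Tempest (patch 23) and WIZARD SPIDER (patch 33); the existing refs in the file use both forms, so whichever is chosen, using one canonical form of a URL avoids further near-duplicates that tooling cannot deduplicate.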
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 59565d4..1cabb7a 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14280,6 +14280,20 @@ }, "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966", "value": "Caramel Tsunami" + }, + { + "description": "Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.", + "meta": { + "country": "EG", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/defender-experts-chronicles-a-deep-dive-into-storm-0867/ba-p/3911769" + ], + "synonyms": [ + "DEV-0867" + ] + }, + "uuid": "dc1d0202-8976-4d15-810d-4af0feff6af9", + "value": "Storm-0867" } ], "version": 298 From 8ebdd40e4261787004bc23351f95e2404493101e Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 23/72] [threat-actors] Add Velvet Tempest --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1cabb7a..20ac754 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14294,6 +14294,20 @@ }, "uuid": "dc1d0202-8976-4d15-810d-4af0feff6af9", "value": "Storm-0867" + }, + { + "description": "Velvet Tempest is a threat actor associated with the BlackCat ransomware group. They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" + ], + "synonyms": [ + "DEV-0504" + ] + }, + "uuid": "209b1452-7062-46f8-9037-3be5f7eda54f", + "value": "Velvet Tempest" } ], "version": 298 From f35df2c9feece209f17eed34fb20b2af8d465c6d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 24/72] [threat-actors] Add Sunglow Blizzard --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 20ac754..5b9fdcd 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14308,6 +14308,21 @@ }, "uuid": "209b1452-7062-46f8-9037-3be5f7eda54f", "value": "Velvet Tempest" + }, + { + "description": "DEV-0665 is a threat actor associated with the HermeticWiper attacks. Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.", + "meta": { + "country": "RU", + "refs": [ + "https://twitter.com/ESETresearch/status/1503436420886712321", + "https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html" + ], + "synonyms": [ + "DEV-0665" + ] + }, + "uuid": "9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4", + "value": "Sunglow Blizzard" } ], "version": 298 From 9645731e765e3796e9cff65a36ffda4184b24be2 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH 25/72] [threat-actors] Add Kimsuky aliases --- clusters/threat-actor.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5b9fdcd..bfa7a2d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -5565,7 +5565,10 @@ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report", - "https://asec.ahnlab.com/en/57873/" + "https://asec.ahnlab.com/en/57873/", + "https://asec.ahnlab.com/en/61082/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/", + "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/" ], "synonyms": [ "Velvet Chollima", @@ -5573,7 +5576,9 @@ "Thallium", "Operation Stolen Pencil", "G0086", - "APT43" + "APT43", + "Emerald Sleet", + "THALLIUM" ], "targeted-sector": [ "Research - Innovation", From 0668ed368d23d5c4f3c70056f31632814d908d66 Mon Sep 17 00:00:00 2001 
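Review bot: In the second Kimsuky hunk the added synonym `"THALLIUM"` duplicates the existing `"Thallium"` visible as context two lines above it, differing only in case. Case-sensitive consumers get two entries for one name and case-normalising ones get a redundant entry; drop the added line, or if the uppercase form is the one to keep (it matches the convention used for the other element names in this file), replace the existing line rather than adding both. The `"Emerald Sleet"` addition is consistent with the other Microsoft names added in this series.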
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 26/72] [threat-actors] Add ENERGETIC BEAR aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index bfa7a2d..7751f86 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2733,7 +2733,8 @@ "ATK6", "ITG15", "BROMINE", - "Blue Kraken" + "Blue Kraken", + "Ghost Blizzard" ], "targeted-sector": [ "Energy" From 42bad34d9183ebcffd05136eab8d5c8c283bbe3b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 27/72] [threat-actors] Add Vanilla Tempest --- clusters/threat-actor.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7751f86..6c8f96e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14329,6 +14329,23 @@ }, "uuid": "9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4", "value": "Sunglow Blizzard" + }, + { + "description": "Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation", + "https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/" + ], + "synonyms": [ + "DEV-0832", + "Vice Society" + ] + }, + "uuid": "c4132d43-2405-43ca-9940-a6f78e007861", + "value": "Vanilla Tempest" } ], "version": 298 From de63377c999e77c577fcb2be615602c3266d6412 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 28/72] [threat-actors] Add APT31 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6c8f96e..8a21c31 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7939,7 +7939,8 @@ "ZIRCONIUM", "JUDGMENT PANDA", "BRONZE VINEWOOD", - "Red keres" + "Red keres", + "Violet Typhoon" ] }, "related": [ From 9e940af919a4aa3591e177f2e8b0997de2a453b0 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 29/72] [threat-actors] Add OilRig aliases --- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8a21c31..1e0e361 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3985,7 +3985,8 @@ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/", - "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/" + "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", + "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" ], "synonyms": [ "Twisted Kitten", @@ -3997,7 +3998,9 @@ "IRN2", "ATK40", "G0049", - "Evasive Serpens" + "Evasive Serpens", + "Hazel Sandstorm", + "EUROPIUM" ], "targeted-sector": [ "Chemical", From 646206e70a070dc5d70162a350354aeaa295a4cd Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 30/72] [threat-actors] Add Fox Kitten aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1e0e361..0e423a7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9145,7 +9145,9 @@ "synonyms": [ "PIONEER KITTEN", "PARISITE", - "UNC757" + "UNC757", + "Lemon Sandstorm", + "RUBIDIUM" ] }, "related": [ From 837ce843448989439f6e97282a2984a7462790ef Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:59 -0800 Subject: [PATCH 31/72] [threat-actors] Add Lilac Typhoon --- clusters/threat-actor.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0e423a7..f451f33 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14352,6 +14352,22 @@ }, "uuid": "c4132d43-2405-43ca-9940-a6f78e007861", "value": "Vanilla Tempest" + }, + { + "description": "Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.", + "meta": { + "country": "CN", + "refs": [ + "https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/", + "https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down", + "https://twitter.com/MsftSecIntel/status/1535417776290111489" + ], + "synonyms": [ + "DEV-0234" + ] + }, + "uuid": "b80be7a7-6d06-4da7-8ae0-302a198e7c73", + "value": "Lilac Typhoon" } ], "version": 298 From 5afd6822155f13096a19cb68e5f1f300a8be12d3 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 32/72] [threat-actors] Add MosesStaff aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index f451f33..3be5954 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10068,7 +10068,9 @@ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "synonyms": [ - "Moses Staff" + "Moses Staff", + "Marigold Sandstorm", + "DEV-0500" ] }, "related": [ From 2dc29dc6c704a93a32e1535830c69158dc809554 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 33/72] [threat-actors] Add WIZARD SPIDER aliases --- clusters/threat-actor.json | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3be5954..034e3dc 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7469,12 +7469,21 @@ "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", "http://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", - "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf" + "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf", + "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" ], "synonyms": [ "TEMP.MixMaster", "GOLD BLACKBURN", - "FIN12" + "FIN12", + "Periwinkle Tempest", + "DEV-0193", + "Storm-0193", + "Trickbot LLC", + "UNC2053", + "Pistachio Tempest", + "DEV-0237" ] }, "related": [ From 6fdd037988c5f20c654b2671f1374057907aa532 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 34/72] [threat-actors] Add Ruby Sleet --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 034e3dc..9382856 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14379,6 +14379,20 @@ }, "uuid": "b80be7a7-6d06-4da7-8ae0-302a198e7c73", "value": "Lilac Typhoon" + }, + { + "description": "Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. They have also targeted companies involved in COVID-19 research and vaccine development.", + "meta": { + "country": "KP", + "refs": [ + "https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/" + ], + "synonyms": [ + "CERIUM" + ] + }, + "uuid": "03ff54cf-f7d4-4606-a531-2ca6d4fa6a54", + "value": "Ruby Sleet" } ], "version": 298 From da57d8c5fdd3de624163be72a9df2120c5191326 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 35/72] [threat-actors] Add Bohrium aliases --- clusters/threat-actor.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9382856..19b83e6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -13219,6 +13219,10 @@ "country": "IR", "refs": [ "https://twitter.com/CyberAmyHB/status/1532398956918890500" + ], + "synonyms": [ + "Smoke Sandstorm", + "BOHRIUM" ] }, "uuid": "111efc97-6a93-487b-8cb3-1e890ac51066", From a1ea480023c5978fc44e1568d5c6591a25ffca46 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 36/72] [threat-actors] Add PARINACOTA aliases --- clusters/threat-actor.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 19b83e6..b788c2c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
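Review bot: The second sentence of the Ruby Sleet description switches to `Cerium` without saying it is the same actor, so a reader who has not looked at the synonyms list cannot tell whether Cerium is a second group. Suggest `"Ruby Sleet (formerly tracked by Microsoft as CERIUM) has been involved in spear-phishing campaigns..."`. In the Bohrium hunk on the same line, `"BOHRIUM"` is added as a synonym of an entry whose `value` line is outside the hunk; if that value is already BOHRIUM the synonym is redundant and worth a check before merge.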
@@ -11027,6 +11027,9 @@ "meta": { "refs": [ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" + ], + "synonyms": [ + "Wine Tempest" ] }, "related": [ From 5ffdc0f868897a4bb0db59e581395de0078e8bcd Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 37/72] [threat-actors] Add APT33 aliases --- clusters/threat-actor.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b788c2c..4280c88 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1931,7 +1931,8 @@ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.cfr.org/interactive/cyber-operations/apt-33", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", - "https://dragos.com/adversaries.html" + "https://dragos.com/adversaries.html", + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" ], "synonyms": [ "APT 33", @@ -1941,7 +1942,8 @@ "HOLMIUM", "COBALT TRINITY", "G0064", - "ATK35" + "ATK35", + "Peach Sandstorm" ], "victimology": "Petrochemical, Aerospace, Saudi Arabia" }, From 7a2cfa4f42a2cb175e78a663f7f4179a0122536d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:00 -0800 Subject: [PATCH 38/72] [threat-actors] Add Silent Chollima aliases --- clusters/threat-actor.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4280c88..088da3b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -3087,11 +3087,13 @@ "value": "UNION SPIDER" }, { + "description": "Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.", "meta": { "attribution-confidence": "50", "country": "KP", "refs": [ - "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" + "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf", + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" ], "synonyms": [ "OperationTroy", @@ -3099,7 +3101,9 @@ "GOP", "WHOis Team", "Andariel", - "Subgroup: Andariel" + "Subgroup: Andariel", + "Onyx Sleet", + "PLUTONIUM" ] }, "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7", From a1dfeca461195951de91050d41184972a9aef953 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 39/72] [threat-actors] Add Raspberry Typhoon --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 088da3b..8be7577 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
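Review bot: The new Andariel description names the actor `WHOIS` in its third sentence with no introduction; it matches the existing `WHOis Team` synonym but reads as a different group. Suggest `"The group (also tracked as WHOis Team) uses spear phishing attacks, watering hole attacks, and supply chain attacks for initial access."`. A caveat on the added Microsoft ref: its title says it covers multiple North Korean actors exploiting the TeamCity vulnerability, so it supports the `Onyx Sleet`/`PLUTONIUM` mapping but should not be read as backing every claim in the description.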
@@ -14406,6 +14406,20 @@ }, "uuid": "03ff54cf-f7d4-4606-a531-2ca6d4fa6a54", "value": "Ruby Sleet" + }, + { + "description": "Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets vary from defense and intelligence-related ministries to economic and trade-related ministries", + "meta": { + "country": "CN", + "refs": [ + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW" + ], + "synonyms": [ + "RADIUM" + ] + }, + "uuid": "37f012df-54d8-4b3d-a288-af47240430ea", + "value": "Raspberry Typhoon" } ], "version": 298 From 447c06447769e684515216852479fa164c4367a5 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 40/72] [threat-actors] Add Phlox Tempest --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8be7577..94640f8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
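Review bot: The sole Raspberry Typhoon ref, `https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW`, is an opaque CMS download link that gives no hint which document it is and is prone to rot; record the report's landing page or its title alongside it so the source stays verifiable. The description also ends without a full stop after `economic and trade-related ministries`.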
@@ -14420,6 +14420,19 @@ }, "uuid": "37f012df-54d8-4b3d-a288-af47240430ea", "value": "Raspberry Typhoon" + }, + { + "description": "Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads. They use ChromeLoader to infect victims' computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers aim to profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim's device. Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.", + "meta": { + "refs": [ + "https://twitter.com/MsftSecIntel/status/1570911625841983489" + ], + "synonyms": [ + "DEV-0796" + ] + }, + "uuid": "dd012c50-4f4f-4485-ac52-294a341f03e5", + "value": "Phlox Tempest" } ], "version": 298 From ba525e4c54af67ca934fa4eb889925db68eb2158 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 41/72] [threat-actors] Add TA505 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 94640f8..7377d57 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7393,7 +7393,8 @@ "G0092", "ATK103", "Hive0065", - "CHIMBORAZO" + "CHIMBORAZO", + "Spandex Tempest" ] }, "related": [ From ce3a5dd1825fe1e106c83d7646dc1b52bef9435f Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 42/72] [threat-actors] Add MuddyWater aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7377d57..5aff159 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -6192,7 +6192,8 @@ "COBALT ULSTER", "G0069", "ATK51", - "Boggy Serpens" + "Boggy Serpens", + "Mango Sandstorm" ] }, "related": [ From 76430b605e19b7b6e9f34f00886fd9567e02ba11 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 43/72] [threat-actors] Add Scattered Spider aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5aff159..0c3e757 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -12229,7 +12229,9 @@ "Scattered Swine", "Scatter Swine", "Octo Tempest", - "0ktapus" + "0ktapus", + "Storm-0971", + "DEV-0971" ] }, "uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129", From 475dc882964838e1b9172abd5a0441db5c3a3756 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 44/72] [threat-actors] Add Storm-1295 --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0c3e757..5b20d5a 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14437,6 +14437,20 @@ }, "uuid": "dd012c50-4f4f-4485-ac52-294a341f03e5", "value": "Phlox Tempest" + }, + { + "description": "Storm-1295 is a threat actor group that operates the Greatness phishing-as-a-service platform. They utilize synchronous relay servers to present targets with a replica of a sign-in page, resembling traditional phishing attacks. Their adversary-in-the-middle capability allows Storm-1295 to offer their services to other attackers. Active since mid-2022, Storm-1295 is tracked by Microsoft and is known for their involvement in the Greatness PhaaS platform.", + "meta": { + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740", + "https://twitter.com/MsftSecIntel/status/1696273952870367320" + ], + "synonyms": [ + "DEV-1295" + ] + }, + "uuid": "5f485e47-18ad-4302-85a1-0a390fe90dc1", + "value": "Storm-1295" } ], "version": 298 From 681784a3ec22c4bddc9b09bf1ee4c55f1a764e6c Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 45/72] [threat-actors] Add Storm-1167 --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5b20d5a..ada0724 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14451,6 +14451,20 @@ }, "uuid": "5f485e47-18ad-4302-85a1-0a390fe90dc1", "value": "Storm-1295" + }, + { + "description": "Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit. They were responsible for launching an attack that led to Business Email Compromise activity.", + "meta": { + "country": "ID", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/" + ], + "synonyms": [ + "DEV-1167" + ] + }, + "uuid": "17fb8267-44a3-405b-b6b9-ba7fdeb56693", + "value": "Storm-1167" } ], "version": 298 
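Review bot: `"country": "ID"` on Storm-1167 is a hard attribution with no `attribution-confidence` beside it, whereas older entries in this file carry that field next to a country code (the Andariel entry, for instance, has `"attribution-confidence": "50"`). If the single Microsoft post is the only basis, add the confidence value the project uses for vendor-stated origin, or state the basis in the description. In the Storm-1295 entry on the same line, the last sentence repeats the first ("operates the Greatness phishing-as-a-service platform" vs. "known for their involvement in the Greatness PhaaS platform") and could be dropped.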
From 72073b2384997c6002992f8e0ca154bd784d08bc Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:01 -0800 Subject: [PATCH 46/72] [threat-actors] Add APT5 aliases --- clusters/threat-actor.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ada0724..9c62dc1 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -5194,13 +5194,15 @@ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://www.mandiant.com/resources/insights/apt-groups", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi" + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", + "http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" ], "synonyms": [ "KEYHOLE PANDA", "MANGANESE", "BRONZE FLEETWOOD", - "TEMP.Bottle" + "TEMP.Bottle", + "Mulberry Typhoon" ], "targeted-sector": [ "Electronic", From 44a446c63f42fe4d6af3cc6775c8ad321f9b6582 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 47/72] [threat-actors] Add APT15 aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9c62dc1..6373f82 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1160,7 +1160,8 @@ "BRONZE IDLEWOOD", "NICKEL", "G0004", - "Red Vulture" + "Red Vulture", + "Nylon Typhoon" ], "targeted-sector": [ "Government, Administration" From 0dcbc136a7eff45b3cc89c18e7371d81b8ff1e79 Mon Sep 17 00:00:00 2001 
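Review bot: The ref added to APT5, `http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html`, points at an internal hostname that is not reachable outside the vendor's network and uses plain http. The public post had the same path under `www.fireeye.com` (that blog has since moved to mandiant.com); replace the host with the public one, or with the current Mandiant URL, so the reference resolves for consumers of the galaxy. The APT15 hunk on the same line is a plain alias addition.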
From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 48/72] [threat-actors] Add Opal Sleet --- clusters/threat-actor.json | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6373f82..d709522 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14468,6 +14468,24 @@ }, "uuid": "17fb8267-44a3-405b-b6b9-ba7fdeb56693", "value": "Storm-1167" + }, + { + "description": "Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.", + "meta": { + "country": "KP", + "refs": [ + "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/", + "https://paper.seebug.org/3031/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11", + "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/" + ], + "synonyms": [ + "OSMIUM", + "Konni" + ] + }, + "uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488", + "value": "Opal Sleet" } ], "version": 298 From 22d3ea5ebfa3394785cf5bcd9de6cba8581d01dc Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 49/72] [threat-actors] Add Storm-1044 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index d709522..85fe4e9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
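Review bot: The new Opal Sleet cluster is written from Konni's point of view — the description opens `"Konni is a threat actor associated with APT37..."` — and carries `"Konni"` as a synonym, while the `value` is `Opal Sleet`. If this file already has a Konni or APT37 cluster (not visible from here), the same name now resolves to two entries and synonym-based matching becomes ambiguous; in that case `OSMIUM`/`Opal Sleet` belong as synonyms on the existing cluster, or this entry should point at it via `related`. The description also calls APT37 a "cyber crime group" while the cited sources describe espionage activity; `"a North Korean state-linked group"` would fit the refs better.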
@@ -14486,6 +14486,19 @@ }, "uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488", "value": "Opal Sleet" + }, + { + "description": "Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider. They employ a strategic approach, targeting specific endpoints using an initial access trojan called DanaBot. Once they gain access, Storm-1044 initiates lateral movement through Remote Desktop Protocol sign-in attempts, passing control to Twisted Spider. Twisted Spider then compromises the endpoints by introducing the CACTUS ransomware. Microsoft has detected ongoing malvertising attacks involving Storm-1044, leading to the deployment of CACTUS ransomware.", + "meta": { + "refs": [ + "https://twitter.com/MsftSecIntel/status/1730383711437283757" + ], + "synonyms": [ + "DEV-1044" + ] + }, + "uuid": "5ec7a98e-9725-4f87-8a6e-91e2b4ba04ac", + "value": "Storm-1044" } ], "version": 298 From ae82f07fd8456ceaaccf0baf63de88a124e8a342 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 50/72] [threat-actors] Add Pink Sandstorm --- clusters/threat-actor.json | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 85fe4e9..c51341d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -14499,6 +14499,29 @@ }, "uuid": "5ec7a98e-9725-4f87-8a6e-91e2b4ba04ac", "value": "Storm-1044" + }, + { + "description": "Agonizing Serpens is an Iranian-linked APT group that has been active since 2020. They are known for their destructive wiper and fake-ransomware attacks, primarily targeting Israeli organizations in the education and technology sectors. The group has strong connections to Iran's Ministry of Intelligence and Security and has been observed using various tools and techniques to bypass security measures. They aim to steal sensitive information, including PII and intellectual property, and inflict damage by wiping endpoints.", + "meta": { + "country": "IR", + "refs": [ + "https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/", + "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/", + "https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/", + "https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors", + "https://www.enigmasoftware.com/moneybirdransomware-removal/", + "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/" + ], + "synonyms": [ + "AMERICIUM", + "BlackShadow", + "DEV-0022", + "Agrius", + "Agonizing Serpens" + ] + }, + "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05", + "value": "Pink Sandstorm" } ], "version": 298 From 43f95874692812035790d97922214ebf42915221 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 51/72] [threat-actors] Add POLONIUM aliases --- clusters/threat-actor.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c51341d..ab881e1 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
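Review bot: The Pink Sandstorm entry describes `Agonizing Serpens` as its subject ("Agonizing Serpens is an Iranian-linked APT group…") and lists `"Agrius"` and `"Agonizing Serpens"` as synonyms, so if an Agrius cluster already exists in this file this adds a second cluster for the same actor rather than aliases on the first — worth checking before merge, since duplicate synonyms across clusters make tag lookups ambiguous. The description should open with the cluster's own name, e.g. `"Pink Sandstorm (also tracked as Agrius / Agonizing Serpens) is an Iranian-linked APT group..."`. Among the refs, the enigmasoftware.com ransomware-removal page is a commercial removal guide rather than a research source and adds nothing the Unit 42 and Check Point write-ups do not cover.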
@@ -10461,7 +10461,11 @@ "cfr-type-of-incident": "Espionage", "country": "LB", "refs": [ - "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" + "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", + "https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements" + ], + "synonyms": [ + "Plaid Rain" ] }, "related": [ From 49c3e06605dd3ebc27c5bd8f8c5f9304ddfaa55f Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:02 -0800 Subject: [PATCH 52/72] [threat-actors] Add FIN7 aliases --- clusters/threat-actor.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ab881e1..9900145 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2916,7 +2916,8 @@ "https://threatintel.blog/OPBlueRaven-Part2/", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", - "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape" + "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", + "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/" ], "synonyms": [ "CARBON SPIDER", @@ -2926,7 +2927,10 @@ "G0046", "G0008", "Coreid", - "Carbanak" + "Carbanak", + "Sangria Tempest", + "ELBRUS", + "Carbon Spider" ] }, "related": [ From ba7137c5a3258e6da14382557f09a75a52f18fe6 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 53/72] [threat-actors] Add Lazarus Group aliases --- clusters/threat-actor.json | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) 
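Review bot: `"Carbon Spider"` added to the FIN7 synonyms duplicates `"CARBON SPIDER"`, which already heads the same list (visible in the hunk context). Unless synonym matching in the consumers is case-sensitive and both spellings are deliberately wanted, drop the new one. The POLONIUM hunk on the same line (`Plaid Rain` plus a Deep Instinct ref) is a straightforward alias addition.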
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9900145..ceb3fc8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3210,7 +3210,9 @@ "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", "https://attack.mitre.org/groups/G0082", - "https://attack.mitre.org/groups/G0032" + "https://attack.mitre.org/groups/G0032", + "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/", + "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds" ], "synonyms": [ "Operation DarkSeoul", @@ -3241,7 +3243,14 @@ "ATK3", "G0032", "ATK117", - "G0082" + "G0082", + "Citrine Sleet", + "DEV-0139", + "DEV-1222", + "Diamond Sleet", + "ZINC", + "Sapphire Sleet", + "COPERNICIUM" ] }, "related": [ From 73d23f62116498fa64b2f1b5eda442c620112d52 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 54/72] [threat-actors] Add Sandworm aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ceb3fc8..fbb23b7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2819,7 +2819,8 @@ "IRIDIUM", "Blue Echidna", "FROZENBARENTS", - "UAC-0113" + "UAC-0113", + "Seashell Blizzard" ], "targeted-sector": [ "Electric", From 6f61a3fc3e2dbe9d74b20ba644fad7e0d94396b1 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 55/72] [threat-actors] Add Storm-1084 --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index fbb23b7..2b4b2c8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
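Review bot: The Lazarus Group synonyms now carry three separately tracked Microsoft actors — `"Diamond Sleet"`/`"ZINC"`, `"Sapphire Sleet"`/`"COPERNICIUM"` and `"Citrine Sleet"`/`"DEV-0139"` — folded into one cluster. Microsoft uses one Sleet name per tracked group, and the added Proofpoint TA444 ref likewise documents a specific subgroup, so a consumer matching on any of these names loses the distinction the vendors make. If the project's convention is that Lazarus is the umbrella cluster, say so in the description and record the subgroup mapping there; otherwise these belong on separate clusters linked via `related`. The Sandworm hunk on the same line (`Seashell Blizzard`) is a one-to-one alias.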
@@ -14540,6 +14540,21 @@ }, "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05", "value": "Pink Sandstorm" + }, + { + "description": "Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.", + "meta": { + "country": "IR", + "refs": [ + "https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns", + "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/" + ], + "synonyms": [ + "DEV-1084" + ] + }, + "uuid": "2cc32087-f242-4091-8634-4554635b7a58", + "value": "Storm-1084" } ], "version": 298 From 83f874da2c7e94d86c13e3e4c575388634e7a8e5 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 56/72] [threat-actors] Add LYCEUM aliases --- clusters/threat-actor.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2b4b2c8..80fda84 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -8426,7 +8426,9 @@ "value": "TA428" }, { + "description": "Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.", "meta": { + "country": "IR", "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", @@ -8438,7 +8440,8 @@ "COBALT LYCEUM", "HEXANE", "Spirlin", - "siamesekitten" + "siamesekitten", + "Storm-0133" ] }, "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", From 972ed33536db63a4a8ac8ba4550aa6bf72e1553c Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:03 -0800 Subject: [PATCH 57/72] [threat-actors] Add TA2101 aliases --- clusters/threat-actor.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 80fda84..7576af3 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
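Review bot: The new Lyceum description has a typo in its last sentence, `HTTPfor command and control` → `HTTP for command and control`. `"country": "IR"` is added without an `attribution-confidence` field, which other entries in this file place next to a country code; the description's own wording ("linked to other Iranian threat groups") is a weaker claim than a bare country code, so either add the confidence value or keep the attribution in the description as the refs phrase it. The Storm-1084 hunk that precedes this one on the previous line is fine.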
@@ -8700,18 +8700,23 @@ { "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).", "meta": { + "country": "RU", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://adversary.crowdstrike.com/adversary/twisted-spider/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", - "http://www.secureworks.com/research/threat-profiles/gold-village" + "http://www.secureworks.com/research/threat-profiles/gold-village", + "https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html" ], "synonyms": [ "Maze Team", "TWISTED SPIDER", - "GOLD VILLAGE" + "GOLD VILLAGE", + "Storm-0216", + "DEV-0216", + 
"Twisted Spider" ] }, "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d", From 68e0ffb0066d82ffc53a28041f99ae72a79502d8 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 58/72] [threat-actors] Add Storm-1099 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7576af3..5224629 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14563,6 +14563,17 @@ }, "uuid": "2cc32087-f242-4091-8634-4554635b7a58", "value": "Storm-1084" + }, + { + "description": "Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called \"Doppelganger\" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an attack on Israel. Storm-1099 has also been implicated in amplifying images of graffiti in Paris, suggesting possible Russian involvement and aligning with Russia's Active Measures playbook.", + "meta": { + "country": "RU", + "refs": [ + "https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/" + ] + }, + "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4", + "value": "Storm-1099" } ], "version": 298 From de04fe33e16673b5520b697baec0b3ba30993482 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 59/72] [threat-actors] Add Storm-1286 --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5224629..4980aed 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
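Review bot: `"country": "RU"` is added to the TA2101 / Twisted Spider entry with no `attribution-confidence` and no ref in the hunk that states an origin — the existing description is Proofpoint's campaign write-up and says nothing about where the actor is based, and the new cysecurity.news item is a news summary of the CACTUS activity. Either add the confidence value used elsewhere in this file or leave `country` out until a source in `refs` supports it. `"Twisted Spider"` is also a case variant of the existing `"TWISTED SPIDER"` and may be redundant depending on how consumers match synonyms. The hunk begins on the previous line.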
@@ -14574,6 +14574,16 @@ }, "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4", "value": "Storm-1099" + }, + { + "description": "Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/" + ] + }, + "uuid": "375988ab-91b9-419e-8646-a4783b931288", + "value": "Storm-1286" } ], "version": 298 From 3fda32a0d6946e52c36449292a1462fe1b7ebdcd Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 60/72] [threat-actors] Add Ghostwriter aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4980aed..6dfbcc5 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9488,7 +9488,9 @@ "synonyms": [ "UNC1151", "TA445", - "PUSHCHA" + "PUSHCHA", + "Storm-0257", + "DEV-0257" ] }, "related": [ From 3a193291b9e03c359f96811f77883aa0cdf85d3d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 61/72] [threat-actors] Add Storm-1101 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 6dfbcc5..578df6a 100644 
--- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14586,6 +14586,19 @@ }, "uuid": "375988ab-91b9-419e-8646-a4783b931288", "value": "Storm-1286" + }, + { + "description": "DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits. These kits are capable of bypassing multifactor authentication and are available for purchase or rent by other cybercriminals. DEV-1101 offers an open-source kit with various enhancements, such as mobile device management and CAPTCHA evasion. Their tool has been used in high-volume phishing campaigns by multiple actors, including DEV-0928, and is sold for $300 with VIP licenses available for $1,000.", + "meta": { + "refs": [ + "http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/" + ], + "synonyms": [ + "DEV-1101" + ] + }, + "uuid": "8081af2c-442f-4487-9cf7-022cbe010b8f", + "value": "Storm-1101" } ], "version": 298 From a6c451be2dc590174baac07456bfb6a2efc82496 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:02:04 -0800 Subject: [PATCH 62/72] [threat-actors] Add Storm-0381 --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 578df6a..7776a1b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
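Review bot: The Storm-1101 ref is written as `http://www.microsoft.com/...` while every other Microsoft ref in this series uses `https://`; the host redirects, but a plain-http reference is the kind of inconsistency a linter should reject, so switch it to `https://`. The description also refers to the actor as DEV-1101 throughout while the cluster value is Storm-1101; opening with `"Storm-1101 (formerly DEV-1101) is a threat actor tracked by Microsoft..."` keeps the record readable on its own.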
@@ -14599,6 +14599,20 @@
 },
 "uuid": "8081af2c-442f-4487-9cf7-022cbe010b8f",
 "value": "Storm-1101"
+ },
+ {
+ "description": "Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023"
+ ],
+ "synonyms": [
+ "DEV-0381"
+ ]
+ },
+ "uuid": "874860fe-5aee-4c94-aee1-2166c225c41e",
+ "value": "Storm-0381"
 }
 ],
 "version": 298
From fa7709e63c4731f96432b0845a67cf1f368765c5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:04 -0800
Subject: [PATCH 63/72] [threat-actors] Add Storm-0530
---
 clusters/threat-actor.json | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7776a1b..a99b741 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
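Review bot: The only ref for Storm-0381 is the landing page of the Microsoft Digital Defense Report 2023, a long multi-section report, so neither the `"country": "RU"` attribution nor the malvertising-to-Magniber claim can be checked from the citation; point at the specific section or add a source that names Storm-0381 directly. Magniber is only described as "a type of ransomware"; if the ransomware galaxy has a Magniber cluster, a `related` entry here would make that link machine-readable instead of prose-only.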
@@ -14613,6 +14613,25 @@
 },
 "uuid": "874860fe-5aee-4c94-aee1-2166c225c41e",
 "value": "Storm-0381"
+ },
+ {
+ "description": "H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs \"double extortion\" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a",
+ "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware",
+ "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/",
+ "https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware"
+ ],
+ "synonyms": [
+ "DEV-0530",
+ "H0lyGh0st"
+ ]
+ },
+ "uuid": "47945864-c233-46e7-8b96-b427b97b0ebf",
+ "value": "Storm-0530"
 }
 ],
 "version": 298
From b645975616b8e6ce3a80ad6845d6bf57698469ca Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:04 -0800
Subject: [PATCH 64/72] [threat-actors] Add DarkHotel aliases
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a99b741..517daf9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -372,7 +372,8 @@
 "TUNGSTEN BRIDGE",
 "T-APT-02",
 "G0012",
- "ATK52"
+ "ATK52",
+ "Zigzag Hail"
 ]
 },
 "related": [
From b3f440203aac719bb21f812a9d66a995ce71123a Mon Sep 17 00:00:00 2001
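Review bot: The Storm-0530 description states a connection to "the PLUTONIUM APT group" in prose only; if this file already has a cluster for PLUTONIUM (Microsoft's older name for the Andariel-associated actor it now calls Onyx Sleet), that relationship belongs in a `related` array, as the Ghostwriter and DarkHotel entries touched in this series have, rather than in free text. Before adding `H0lyGh0st` as a synonym, check that it is not already a `value` or synonym of another cluster in this file (or the ransomware galaxy), since the same name in two clusters breaks name-based galaxy lookups. The `"country": "KP"` claim is supported by the cited Microsoft and CISA refs, so that field is fine.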
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 65/72] [threat-actors] Add Storm-0539
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 517daf9..4e618c4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14633,6 +14633,17 @@
 },
 "uuid": "47945864-c233-46e7-8b96-b427b97b0ebf",
 "value": "Storm-0530"
+ },
+ {
+ "description": "Storm-0539 is a financially motivated threat actor that has been active since at least 2021. They primarily target retail organizations for gift card fraud and theft. Their tactics include phishing via emails or SMS to distribute malicious links that redirect users to phishing pages designed to steal credentials and session tokens. Once access is gained, Storm-0539 registers a device for secondary authentication prompts, bypassing multi-factor authentication and gaining persistence in the environment. They also collect emails, contact lists, and network configurations for further attacks against the same organizations.",
+ "meta": {
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796"
+ ]
+ },
+ "uuid": "760b350c-522e-432d-80c5-7aab0eaf8873",
+ "value": "Storm-0539"
 }
 ],
 "version": 298
From 991765a1c749d2149bfeddf04a12d387816fc7c6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 66/72] [threat-actors] Add SaintBear aliases
---
 clusters/threat-actor.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4e618c4..d95aae4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10269,6 +10269,7 @@
 {
 "description": "A group targeting UA state organizations using the GraphSteel and GrimPlant malware.",
 "meta": {
+ "country": "RU",
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel",
 "https://cert.gov.ua/article/38374",
@@ -10277,7 +10278,8 @@
 "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
 "https://unit42.paloaltonetworks.com/atoms/nascentursa/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer",
- "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
+ "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
+ "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/"
 ],
 "synonyms": [
 "UNC2589",
@@ -10285,7 +10287,10 @@
 "UAC-0056",
 "Nascent Ursa",
 "Nodaria",
- "FROZENVISTA"
+ "FROZENVISTA",
+ "Storm-0587",
+ "DEV-0587",
+ "Saint Bear"
 ]
 },
 "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f",
From eb8db810c0c7d0d58370a043e039b12f380b2411 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 67/72] [threat-actors] Add Storm-1152
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d95aae4..674a47e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
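Review bot: The third hunk adds `Storm-0587` and `DEV-0587` as synonyms, but the Microsoft post added as a ref in the second hunk is the Cadet Blizzard write-up, that name is not among the added synonyms, and the numeric designation in the synonyms does not appear in the cited URL; as far as I recall Microsoft's designation for Cadet Blizzard is DEV-0586, so the number should be confirmed against the post before merging, and `Cadet Blizzard` added (or the ref dropped) so that refs and synonyms agree. The first hunk's new `"country": "RU"` is an attribution claim carried only by that same Microsoft ref; that is acceptable if the post makes it, but the commit message should say so. The entry's `value` line lies outside the third hunk.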
@@ -14649,6 +14649,19 @@
 },
 "uuid": "760b350c-522e-432d-80c5-7aab0eaf8873",
 "value": "Storm-0539"
+ },
+ {
+ "description": "Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts. They operated by creating approximately 750 million fraudulent Microsoft accounts and earned millions of dollars in illicit revenue. Storm-1152 also offered CAPTCHA-solving services and was connected to ransomware and extortion groups. Microsoft obtained a court order to seize their infrastructure and domains, disrupting their operations.",
+ "meta": {
+ "country": "VN",
+ "refs": [
+ "https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/",
+ "https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/"
+ ]
+ },
+ "uuid": "e18dca82-0524-4338-9a66-e13e67c81ac4",
+ "value": "Storm-1152"
 }
 ],
 "version": 298
From 7607dc70cfe4e25285280072d90a23bc81f43022 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 68/72] [threat-actors] Add Storm-1567
---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 674a47e..0a22070 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
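Review bot: The third ref in the Storm-1152 entry is the Rewterz article about Storm-0539's gift-card fraud, the same URL the Storm-0539 entry from PATCH 65 cites; unless that article also covers Storm-1152 it should be dropped here, and if the intended link is that Storm-0539 consumed fraudulent accounts supplied by Storm-1152, that is a `related` entry between the two clusters rather than a shared ref. "was recently taken down" and "was connected to ransomware and extortion groups" are time-relative and vague for a description that will outlive the news cycle; anchor them, e.g. `disrupted by a December 2023 court-ordered seizure of its infrastructure`, since the cited Microsoft post is dated 2023-12-13. The `"country": "VN"` attribution should likewise be traceable to the Microsoft post rather than the Security Boulevard summary.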
@@ -14662,6 +14662,23 @@
 },
 "uuid": "e18dca82-0524-4338-9a66-e13e67c81ac4",
 "value": "Storm-1152"
+ },
+ {
+ "description": "Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft's Defender for Endpoint successfully blocked a large-scale hacking campaign carried out by Storm-1567, highlighting the effectiveness of their security solution.",
+ "meta": {
+ "refs": [
+ "https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/",
+ "https://securelist.com/crimeware-report-fakesg-akira-amos/111483/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html",
+ "https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape",
+ "https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/"
+ ],
+ "synonyms": [
+ "Akira"
+ ]
+ },
+ "uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3",
+ "value": "Storm-1567"
 }
 ],
 "version": 298
From 0b571d7e76de1e4f94bf6b2cb6d10d5c126fb058 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 69/72] [threat-actors] Add Storm-0829
---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0a22070..95b69bf 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
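Review bot: `Akira` is added as a synonym of the actor, but Akira is the ransomware family / RaaS program, not an alias of the operator; a malware name in an actor's `synonyms` collides with any Akira entry in the ransomware galaxy and makes name-based lookups ambiguous, so express it as a `related` link or leave it to the description. The last sentence of the description ("Microsoft's Defender for Endpoint successfully blocked … highlighting the effectiveness of their security solution") is vendor marketing rather than threat intelligence and should be cut, and the "Swedish organizations in March 2023" detail needs one of the five refs to actually support it. None of the five refs is a Microsoft source even though the `value` is a Microsoft designation, so the Storm-1567 ↔ Akira mapping itself is unsourced in this entry.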
@@ -14679,6 +14679,23 @@
 },
 "uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3",
 "value": "Storm-1567"
+ },
+ {
+ "description": "Nwgen is a group that focuses on data exfiltration and ransomware activities. They have been found to share techniques with other threat groups such as Karakurt, Lapsus$, and Yanluowang. Nwgen has been observed carrying out attacks and deploying ransomware, encrypting files and demanding a ransom of $150,000 in Monero cryptocurrency for the decryption software.",
+ "meta": {
+ "refs": [
+ "https://www.enigmasoftware.com/nwgenransomware-removal/",
+ "https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/",
+ "https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721",
+ "https://twitter.com/cglyer/status/1546297609215696897"
+ ],
+ "synonyms": [
+ "DEV-0829",
+ "Nwgen Team"
+ ]
+ },
+ "uuid": "3e595289-05b8-43fc-bd88-f8650436447f",
+ "value": "Storm-0829"
 }
 ],
 "version": 298
From 1589a943a9e596bb2e466d3c89d7e843b1ac7b2b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 70/72] [threat-actors] Add Storm-1674
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 95b69bf..b8eae0d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
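Review bot: The DEV-0829 / Storm-0829 designation is not traceable from the refs: the four sources are a removal-guide page, a breach-notification news item, a blog essay and a tweet, none of which is the Microsoft material that would have assigned DEV-0829, so the entry needs a primary source for that synonym or it should not carry a Microsoft name as its `value`. The shared-technique claim with Karakurt, Lapsus$ and Yanluowang is prose only; if those clusters exist in this file, `related` entries are the machine-readable form. The ransom amount and currency come from a single incident and will age badly; qualify them, e.g. `in one observed incident, a ransom of $150,000 in Monero was demanded`.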
@@ -14696,6 +14696,17 @@
 },
 "uuid": "3e595289-05b8-43fc-bd88-f8650436447f",
 "value": "Storm-0829"
+ },
+ {
+ "description": "Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/"
+ ]
+ },
+ "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6",
+ "value": "Storm-1674"
 }
 ],
 "version": 298
From a42dc67fb6edc237fe925bab71525ae3d50e717e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 71/72] [threat-actors] Add Storm-0835
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b8eae0d..26012d3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
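Review bot: Both refs added for Storm-1674 are about the abuse of the MSIX App Installer (`ms-appinstaller`) protocol handler, yet the description only covers Teams/TeamsPhisher delivery of ZIP/LNK attachments; either the description should mention the App Installer delivery vector the cited sources document, or the refs are mis-attached. The description names DarkGate, Pikabot and Black Basta but the entry has no `related` links; if those exist as clusters in the tool or ransomware galaxies, linking them makes the access-broker-to-ransomware handoff queryable rather than prose-only.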
@@ -14707,6 +14707,16 @@
 },
 "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6",
 "value": "Storm-1674"
+ },
+ {
+ "description": "Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform \"indeed.com,\" redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.",
+ "meta": {
+ "refs": [
+ "https://www.linkedin.com/pulse/cyber-criminals-using-evilproxy-phishing-kit-target-senior-soral/"
+ ]
+ },
+ "uuid": "2da09284-be56-49cd-ad18-993a6eb17af2",
+ "value": "Storm-0835"
 }
 ],
 "version": 298
From e497ec2b381ac764c3209972a4c6bed05392ead0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH 72/72] [threat-actors] Add Storm-1575
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 26012d3..a8893d0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
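Review bot: The Storm-0835 description is written about one campaign rather than the actor — it opens "Cybercriminals have launched a phishing campaign…" and only names Storm-0835 in its fifth sentence, unlike every other entry in this series, which opens with the cluster's `value`; it should start `Storm-0835 is the operator of the EvilProxy phishing-as-a-service platform…` and keep the Indeed open-redirect campaign as an illustrative example. The sole ref is a LinkedIn Pulse post, a secondary summary; the primary vendor research it restates, and the Microsoft source for the Storm-0835 designation, should be cited instead of or alongside it. `EvilProxy` is the name the description and ref actually use for this actor's product, so it should be discoverable, either under `synonyms` if the file treats PhaaS operators and their kits as one name, or as a `related` tool-cluster link.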
@@ -14717,6 +14717,17 @@
 },
 "uuid": "2da09284-be56-49cd-ad18-993a6eb17af2",
 "value": "Storm-0835"
+ },
+ {
+ "description": "Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform. They utilize hundreds of Domain Generated Algorithm domains to host credential harvesting pages and target global organizations to steal Microsoft 365 credentials.",
+ "meta": {
+ "refs": [
+ "https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign",
+ "https://twitter.com/MsftSecIntel/status/1712936244987019704?lang=en"
+ ]
+ },
+ "uuid": "2485a9cb-b41c-43bd-8b1c-c64e919c0a4e",
+ "value": "Storm-1575"
 }
 ],
 "version": 298
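Review bot: `Domain Generated Algorithm domains` in the Storm-1575 description is a garbled term; the standard phrasing is domain generation algorithm, so the sentence should read `They utilize hundreds of domain generation algorithm (DGA) domains to host credential harvesting pages`. The platform name Dadsec appears only in prose although both refs identify the activity by it; a `related` link to a Dadsec tool cluster, if one exists, would let consumers reach this entry by that name without conflating the kit with the operator in `synonyms`. The second ref is a tweet, which is a fragile citation; the Bridewell analysis is the durable source, so consider an archived copy of the Microsoft Security Intelligence thread.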