From c52ac53765edf0840301d0e84dc77912f3fa9671 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 13 Feb 2023 11:54:47 -0800
Subject: [PATCH] [threat-actors] Add TA570
---
 clusters/threat-actor.json | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7140f94..96e0f38 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10034,6 +10034,33 @@
 }
 ],
 "value": "Moskalvzapoe"
+ },
+ {
+ "description": "One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.",
+ "meta": {
+ "references": [
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/",
+ "https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "value": "TA570"
 }
 ],
 "version": 258
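Review bot: The new TA570 object has no `uuid` key between `related` and `value`, so no other cluster can point a `dest-uuid` at it and its two `uses` relationships have no stable source identifier; add a line such as `"uuid": "<NEW-UUID-V4-PLACEHOLDER>",` before `"value": "TA570"`. The preceding Moskalvzapoe entry also appears to lack one in the visible context, so the project may assign UUIDs in a later pass, which is worth confirming before merge. The trailing context leaves `"version": 258` unchanged; if consumers decide whether to re-import the cluster from that number, it probably needs incrementing in the same commit. The two `dest-uuid` targets cannot be checked from this hunk and should be confirmed to resolve to the intended Qbot clusters, since both carry the `very-likely` confidence tag.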