From c68dd137720c26f7fb4797b0948d9a4b141dd2f5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH] [threat-actors] Add UAT-5394
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3065294..7308e94 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16630,6 +16630,17 @@
 },
 "uuid": "1e3efe43-9006-4ac8-b9ee-f1fbb9794cd9",
 "value": "RaHDit"
+ },
+ {
+ "description": "UAT-5394 is a state-sponsored North Korean threat actor known for developing the MoonPeak RAT, which is based on XenoRAT. They have transitioned from using QuasarRAT to MoonPeak and have established command and control infrastructure. UAT-5394 employs tactics such as using RDP for remote access and has implemented State Machines in their malware to complicate analysis. Their activity indicates a focus on rapidly evolving their malware and infrastructure to enhance operational capabilities.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/"
+ ]
+ },
+ "uuid": "6038ceaf-4c1b-470d-af36-c62948488786",
+ "value": "UAT-5394"
 }
 ],
 "version": 313
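Review bot: The cluster `"version": 313` at the tail of the hunk is an unchanged context line even though the hunk adds a new threat-actor entry; MISP galaxy consumers decide whether to re-import a cluster from this counter, so it should be bumped in the same commit (`"version": 314`) unless that bump is carried in a separate change not shown here. The new entry's description states "state-sponsored" as fact while the only reference is a single vendor blog; since `meta` in this cluster supports an `attribution-confidence` key, recording the confidence there (e.g. `"attribution-confidence": "50"`) would keep the attribution claim machine-readable rather than buried in prose. The description also names MoonPeak, XenoRAT and QuasarRAT as tooling; if those already exist as galaxy clusters, a `related` entry with `dest-uuid` and `"type": "uses"` would express the link more reliably than free text, but I cannot confirm from this hunk whether such clusters exist. Minor wording: `State Machines` should be lowercase `state machines`.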