From cd621af35c3da510c8458495fb5c7bb9e4f13196 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Wed, 31 Jul 2024 02:14:11 -0700
Subject: [PATCH] [threat-actors] Add Storm-0506

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0602533..dc9b91e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16465,6 +16465,17 @@
       },
       "uuid": "1725e1c3-9870-4f66-8962-753c4ed3e086",
       "value": "TA4903"
+    },
+    {
+      "description": "Storm-0569 is an initial access broker that distributes BATLOADER using search engine optimization (SEO) poisoning with websites that spoof Zoom, TeamViewer, Tableau, and AnyDesk. It uses the loader malware to inject the Cobalt Strike payload and transfers access to Storm-0506 for the deployment of the Black Basta ransomware.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/",
+          "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs"
+        ]
+      },
+      "uuid": "d1ad4392-c85a-4f07-9818-a86f805a49f6",
+      "value": "Storm-0506"
     }
   ],
   "version": 312