From d34e894d2dced355f8259ac9593776b6e048debc Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 13 Feb 2023 13:45:37 -0800
Subject: [PATCH] [threat-actors] Add TA2536
---
 clusters/threat-actor.json | 54 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 347d6cd..5a63d63 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10189,6 +10189,60 @@
 }
 ],
 "value": "TA577"
+ },
+ {
+ "country": "NG",
+ "description": "TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools. It uses keyloggers such as HawkEye and distinctive stylometric features in typo-squatted domains that resemble legitimate names and the use of recurring names and substrings in email addresses.",
+ "meta": {
+ "references": [
+ "https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1"
+ ],
+ },
+ "related": [
+ {
+ "dest-uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8378b417-605e-4196-b31f-a0c96d75aa50",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "31615066-dbff-4134-b467-d97a337b408b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "value": "TA2536"
 }
 ],
 "version": 258
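Review bot: The new TA2536 entry's `meta` object has a trailing comma: the `references` array closes with `],` and the next token is the `}` that closes `meta`. A strict JSON parser rejects that, so the whole cluster file, not just this actor, would fail to load in any consumer; the array should close with `]`. The entry also carries no `uuid` key between `related` and `value`. If this galaxy's schema requires one per cluster (not visible in the hunk), add `"uuid": "<newly generated UUIDv4>"`, otherwise other clusters and event tags have no stable identifier to reference this actor by. The attribution field `"country": "NG"` sits at the top level of the entry, so check whether this file expects it under `meta`. The trailing context still shows `"version": 258`, which may need a bump if consumers use it to detect updates.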