From e393780af898cbfe02804ee92df29295106311b0 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 15:11:10 +0200
Subject: [PATCH 1/6] [threa-actors] Add Scattered Canary
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 60e1cae..ff32c7b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11766,6 +11766,19 @@
 ],
 "uuid": "8cb6f57b-9ebb-45a6-a89f-9efdb8065d70",
 "value": "Storm-0324"
+ },
+ {
+ "description": "When the first member of Scattered Canary, who, for the purposes of this report, we call\nAlpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned\nthe tricks of the trade from a mentor. However, within a few years, he had honed his craft\nenough to expand into romance scams, where he met his first “employee,” Beta. Once they\nhad secured enough mules via their romance scams to launder their stolen money, they shifted\nfrom targeting individuals to targeting enterprises, and the group’s BEC operation was born.",
+ "meta": {
+ "country": "Nigeria",
+ "motive": "Cybercrime",
+ "references": [
+ "https://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/",
+ "https://static.fortra.com/agari/pdfs/guide/ag-scattered-canary-gd.pdf",
+ "https://www.agari.com/blog/covid-19-unemployment-fraud-cares-act?_gl=1%2Ayzg6ns%2A_ga%2AMTkyMzIyOTI4MC4xNjk2MjUyMDA2%2A_ga_NHMHGJWX49%2AMTY5NjI1MjAwNS4xLjAuMTY5NjI1MjAwNS42MC4wLjA.&utm_source=press-release&utm_medium=prnewswire&utm_campaign=scattered20"
+ ]
+ },
+ "value": "Scattered Canary"
 }
 ],
 "version": 282
From b8f8fce4b61a88b4a8444814dee382c5d31a7073 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 15:17:40 +0200
Subject: [PATCH 2/6] [threa-actors] Add Scattered Spider
---
 clusters/threat-actor.json | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
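Review bot: The third `references` entry of the Scattered Canary cluster (patch 1/6) carries analytics query parameters (`_gl=…`, `utm_source`, `utm_medium`, `utm_campaign`) that look copied from a browser session; they are not part of the article address, they appear to embed a client-specific identifier in a published dataset, and they are still present in the context lines of 6/6. Store the bare URL instead: `"https://www.agari.com/blog/covid-19-unemployment-fraud-cares-act"`. The `description` also reads as a verbatim report excerpt, with hard-wrapped `\n` breaks and report-internal wording ("for the purposes of this report, we call Alpha"); a short summary without embedded line breaks would serve consumers of the galaxy better. The entry has no `uuid` at this commit, which the series only adds in 6/6.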
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ff32c7b..5e50119 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11779,6 +11779,40 @@
 ]
 },
 "value": "Scattered Canary"
+ },
+
+ {
+ "description": "Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.",
+ "meta": {
+ "country": "",
+ "references": [
+ "https://www.cybersecurity-insiders.com/scattered-spider-managed-mgm-resort-network-outage-brings-8m-loss-daily/",
+ "https://www.loginradius.com/blog/identity/oktapus-phishing-targets-okta-identity-credentials/"
+ ],
+ "synonyms": [
+ "UNC3944",
+ "Muddled Libra",
+ "Oktapus",
+ "Scattered Swine"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "value": "Scattered Spider"
 }
 ],
 "version": 282
From 0fba8d3f277780d072bea318ffc0eb086d2fc2fb Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 15:19:20 +0200
Subject: [PATCH 3/6] [threat-actors] bump version
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5e50119..eebb0ba 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11815,5 +11815,5 @@
 "value": "Scattered Spider"
 }
 ],
- "version": 282
+ "version": 283
 }
From b2599deaae43b72873eae8c3602d925a303245c3 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 19:17:47 +0200
Subject: [PATCH 4/6] fixes
---
 clusters/threat-actor.json | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index eebb0ba..879332d 100644
--- a/clusters/threat-actor.json
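Review bot: In the `synonyms` list of the Scattered Spider entry (patch 2/6), `"Oktapus"` is spelled with a letter O, while the campaign name was, as far as I know, published as `0ktapus` with a leading zero; a lookup on the published spelling would not match this cluster, so consider adding `"0ktapus"` next to it. The entry also goes in with placeholder data (`"country": ""`, two `related` items with an empty `dest-uuid`, and no `uuid`) that is only cleaned up in 4/6 and 6/6, after the version bump in 3/6; squashing the series would keep a revision with dangling relations out of history. Both references are secondary write-ups, so a primary vendor report would be a stronger source if one is available.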
+++ b/clusters/threat-actor.json
@@ -11784,7 +11784,6 @@
 {
 "description": "Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.",
 "meta": {
- "country": "",
 "references": [
 "https://www.cybersecurity-insiders.com/scattered-spider-managed-mgm-resort-network-outage-brings-8m-loss-daily/",
 "https://www.loginradius.com/blog/identity/oktapus-phishing-targets-okta-identity-credentials/"
@@ -11796,22 +11795,6 @@
 "Scattered Swine"
 ]
 },
- "related": [
- {
- "dest-uuid": "",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "uses"
- }
- ],
 "value": "Scattered Spider"
 }
 ],
From 081b2e619b4a8ee0a7f0c9a3557ede56c9a7e066 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 19:18:00 +0200
Subject: [PATCH 5/6] fixes
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 879332d..0065292 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11780,7 +11780,6 @@
 },
 "value": "Scattered Canary"
 },
-
 {
 "description": "Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.",
 "meta": {
From e6266e8e59fbb3a18c09880d2e7dc213fb06627e Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 19:25:10 +0200
Subject: [PATCH 6/6] fixes
---
 clusters/threat-actor.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0065292..5d1f1c7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11778,6 +11778,7 @@
 "https://www.agari.com/blog/covid-19-unemployment-fraud-cares-act?_gl=1%2Ayzg6ns%2A_ga%2AMTkyMzIyOTI4MC4xNjk2MjUyMDA2%2A_ga_NHMHGJWX49%2AMTY5NjI1MjAwNS4xLjAuMTY5NjI1MjAwNS42MC4wLjA.&utm_source=press-release&utm_medium=prnewswire&utm_campaign=scattered20"
 ]
 },
+ "uuid": "fde2d0f9-ed23-4cdc-96d3-f0a01f804707",
 "value": "Scattered Canary"
 },
 {
@@ -11794,6 +11795,7 @@
 "Scattered Swine"
 ]
 },
+ "uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129",
 "value": "Scattered Spider"
 }
 ],