From e1eec18aa3896743bc6cdf9ff6ab651bfd0101f5 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Tue, 7 Nov 2023 10:37:07 -0800
Subject: [PATCH] [threat-actors] Add UNC2565

---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9f44df9..a9b4333 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12700,6 +12700,21 @@
       },
       "uuid": "167bd5f9-fa61-4a4e-91bc-3ca0d17294b2",
       "value": "TheDarkOverlord"
+    },
+    {
+      "description": "UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON. These intrusions have stemmed from victims accessing malicious websites that use SEO techniques to improve Google search rankings. After obtaining a foothold in the environment, UNC2565 has conducted reconnaissance and credential harvesting activity using common tools such as BLOODHOUND and KERBEROAST. UNC2565's motivations are currently unknown but overlaps with activity that has led to SODINOKIBI ransomware. This suggests that the threat group may be financially motivated.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations",
+          "https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/",
+          "https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/"
+        ],
+        "synonyms": [
+          "Hive0127"
+        ]
+      },
+      "uuid": "d7d270d2-b91f-4978-a9e9-76fa7f0d8f06",
+      "value": "UNC2565"
     }
   ],
   "version": 293