diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fe5bb1a..fca33c9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12109,15 +12109,15 @@
 {
 "description": "Xiaoqiying is a primarily Chinese-speaking threat group that is most well known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late-January 2023. Research from Recorded Futures Insikt Group has found that the groups affiliated threat actors have signaled a new round of cyberattacks against organizations in Japan and Taiwan. Although it shows no clear ties to the Chinese government, Xiaoqiying is staunchly pro-China and vows to target NATO countries as well as any country or region that is deemed hostile to China.",
 "meta": {
- "aliases": [
- "Genesis Day",
- "Teng Snake"
- ],
 "country": "CN",
 "refs": [
 "https://www.recordedfuture.com/xiaoqiying-genesis-day-threat-actor-group-targets-south-korea-taiwan",
 "https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a",
 "https://therecord.media/samsung-investigating-claims-of-hack-on-south-korea-systems-internal-employee-platform/"
+ ],
+ "synonyms": [
+ "Genesis Day",
+ "Teng Snake"
 ]
 },
 "uuid": "0ee7be4f-389f-4083-a1e4-4c39dc1ae105",
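Review bot: The description on the second line of the hunk carries two possessive typos that survive into the new side: `Recorded Futures Insikt Group` should read `Recorded Future's Insikt Group` and `the groups affiliated threat actors` should read `the group's affiliated threat actors`. Separately, `"country": "CN"` sits directly against a sentence that says the group "shows no clear ties to the Chinese government"; if `country` in this galaxy denotes origin rather than state sponsorship that is consistent, but consumers who map the field to attribution will over-attribute, so it is worth confirming the intended semantics before relying on it in correlation. The `synonyms` addition itself matches the two names the refs use.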
@@ -12126,16 +12126,16 @@
 {
 "description": "Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.",
 "meta": {
- "aliases": [
- "UAC-0114",
- "TA473"
- ],
 "refs": [
 "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/",
 "https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs",
 "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/",
 "https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability",
 "https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/"
+ ],
+ "synonyms": [
+ "UAC-0114",
+ "TA473"
 ]
 },
 "uuid": "b7497d28-02de-4722-8b97-1fc53e1d1b68",
@@ -12158,14 +12158,14 @@
 {
 "description": "Earth Longzhi is a subgroup of APT41 targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji, and using “stack rumbling” via Image File Execution Options (IFEO), a new denial-of-service (DoS) technique to disable security software.",
 "meta": {
- "aliases": [
- "SnakeCharmer"
- ],
 "refs": [
 "https://www.picussecurity.com/resource/blog/cyber-threat-intelligence-report-may-2023",
 "https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html",
 "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/",
 "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html"
+ ],
+ "synonyms": [
+ "SnakeCharmer"
 ]
 },
 "uuid": "b21dbf83-3459-44f4-b91b-6157379e430a",
@@ -12238,15 +12238,15 @@
 {
 "description": "The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.",
 "meta": {
- "aliases": [
- "Oro0lxy",
- "DarkShadow"
- ],
 "country": "CN",
 "refs": [
 "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-november-2023/ba-p/3970796",
 "https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/",
 "https://twitter.com/MsftSecIntel/status/1711871732644970856"
+ ],
+ "synonyms": [
+ "Oro0lxy",
+ "DarkShadow"
 ]
 },
 "uuid": "d1fe4546-616a-409c-8d2c-f7a7e0a183f8",
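Review bot: In the Storm-0062 hunk the description refers to "a vulnerability in the Data Center and Server editions of Confluence" without identifying it, yet that exploitation is the only TTP the entry records, and the CVE identifier is what defenders pivot on; if the Microsoft references name it, the description should too. The text also reads as a paraphrased news excerpt ("The cyberattack campaign that Microsoft uncovered was launched by...") rather than a self-contained summary; a rewording such as `Storm-0062 is a China-linked group that Microsoft observed exploiting a vulnerability in on-premises Confluence Data Center and Server editions.` would stand on its own in a galaxy lookup. The `synonyms` move itself is consistent with the other clusters in this diff.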
@@ -12316,9 +12316,6 @@
 {
 "description": "Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles. Their operations are heavily inclined towards exploiting GDPR penalties as a method of extortion, threatening victims with potential legal repercussions in case of data leaks.",
 "meta": {
- "aliases": [
- "Ransomed.vc"
- ],
 "refs": [
 "https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach",
 "https://socradar.io/on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild/",
@@ -12328,6 +12325,9 @@
 "https://securityaffairs.com/151550/data-breach/ransomed-vc-sony-ntt-alleged-attacks.html",
 "https://blog.talosintelligence.com/threat-source-newsletter-sept-28-2023/",
 "https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-we-know-about-the-ransomware-group-targeting-major-japanese-businesses"
+ ],
+ "synonyms": [
+ "Ransomed.vc"
 ]
 },
 "uuid": "f939b51d-32f9-41d9-8549-f00b2db104c7",
@@ -12360,12 +12360,12 @@
 {
 "description": "In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.",
 "meta": {
- "aliases": [
- "Bad Magic"
- ],
 "refs": [
 "https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger",
 "https://securelist.com/bad-magic-apt/109087/"
+ ],
+ "synonyms": [
+ "Bad Magic"
 ]
 },
 "uuid": "b813c6a2-f8c7-4071-83bd-24c181ff2bd4",
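Review bot: In the second Ransomed hunk the new `synonyms` entry `"Ransomed.vc"` differs from the spelling the description uses throughout (`Ransomed.VC`) only by letter case, so unless the cluster's `value` line (outside the hunk) is some other string, this is a case variant rather than an alternate name and adds nothing to name matching while looking like a duplicate. If a synonym is wanted, the resecurity ref's slug uses `ransomedvc`, so `"RansomedVC"` would be a variant the refs actually support; otherwise drop the entry. Matching in most consumers is case-insensitive anyway, so the current entry is at best redundant.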
@@ -12374,14 +12374,14 @@
 {
 "description": "Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.",
 "meta": {
- "aliases": [
- "LookingFrog"
- ],
 "country": "CN",
 "refs": [
 "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
 "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/"
+ ],
+ "synonyms": [
+ "LookingFrog"
 ]
 },
 "uuid": "202f5481-7bae-4a0b-b117-0642ea1dbe65",
@@ -12390,15 +12390,15 @@
 {
 "description": "Network Battalion 65 is an hactivist group with ties to Anonymous, known for attacking Russian companies and performing hack-and-leak operations.",
 "meta": {
- "aliases": [
- "Network Battalion 65"
- ],
 "refs": [
 "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-leaked-conti-ransomware-used-to-target-russia-active-iocs",
 "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
 "https://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/",
 "https://www.rewterz.com/articles/russian-ukrainian-cyber-warfare-rewterz-threat-intelligence-rollup",
 "https://www.hackread.com/anonymous-affiliate-nb65-russia-broadcaster-data-breach/"
+ ],
+ "synonyms": [
+ "Network Battalion 65"
 ]
 },
 "uuid": "e1941666-dcde-4f31-8a56-8041ac82bb99",
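Review bot: In the Network Battalion 65 hunk the new `synonyms` entry `"Network Battalion 65"` is the same name the description opens with, so if the cluster's `value` line (outside the hunk) is also the long form, value and synonym duplicate each other and the synonym contributes nothing to matching; the short form `NB65`, which the hackread ref slug uses, is the name that would actually broaden lookups. If `value` is already `NB65`, the entry is fine as is. The description also has a grammar slip: `is an hactivist group` should read `is a hacktivist group`.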
@@ -12420,12 +12420,12 @@
 {
 "description": "GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS.",
 "meta": {
- "aliases": [
- "Ghost Security"
- ],
 "refs": [
 "https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec",
 "https://forescoutstage.wpengine.com/blog/the-increasing-threat-posed-by-hacktivist-attacks-an-analysis-of-targeted-organizations-devices-and-ttps/"
+ ],
+ "synonyms": [
+ "Ghost Security"
 ]
 },
 "uuid": "a1315451-326f-4185-8d71-80f9243f395f",
@@ -12503,5 +12503,5 @@
 "value": "TA499"
 }
 ],
- "version": 291
+ "version": 292
 }
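Review bot: In the GhostSec hunk the second ref, `https://forescoutstage.wpengine.com/blog/...`, points at what appears to be a WP Engine staging host for Forescout's blog rather than the publisher's canonical domain; staging hosts are routinely torn down, re-pointed or left without the publisher's normal content controls, so the link is likely to rot and is a weak provenance anchor for a CTI entry. Replace it with the published forescout.com URL for the same article if one exists, or drop it. The `synonyms` change in this hunk and the version bump below it are fine.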