diff --git a/clusters/botnet.json b/clusters/botnet.json
index df6dea5..d7ad655 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1346,7 +1346,8 @@
 "description": "Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.",
 "meta": {
 "refs": [
- "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf"
+ "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf",
+ "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html"
 ],
 "synonyms": [
 "QakBot",
@@ -1385,5 +1386,5 @@
 "value": "Dark.IoT"
 }
 ],
- "version": 28
+ "version": 29
 }
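Review bot: The description in the first hunk still names only ProLock as the ransomware this family is known to drop, while the reference added under `refs` is, judging by its URL, a Trend Micro write-up on Black Basta operators. Analysts and tooling that match on the description or on cluster relationships will not pick up that association from a bare link. Consider appending a sentence such as `Reported by Trend Micro as part of the Black Basta ransomware operators' toolset.` to the description, or linking the ransomware cluster through a `related` entry. The rest of this cluster entry lies outside the hunk, so such a link may already exist.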