diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 392776f..60d9868 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16895,6 +16895,16 @@ }, "uuid": "f6a60403-4bcc-4fc6-ac07-abb913c1f080", "value": "Storm-0501" + }, + { + "description": "CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolset called Spacecolon, consisting of ScHackTool, ScInstaller, and ScService, to gain initial access through RDP brute forcing and exploiting vulnerabilities like CVE-2020-1472 and FortiOS SSL-VPN. CosmicBeetle has been observed impersonating the LockBit ransomware gang to leverage its reputation and has shown a tendency to leave artifacts on compromised systems. The group primarily targets SMBs globally, employing techniques such as credential dumping and data destruction.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/" + ] + }, + "uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345", + "value": "CosmicBeetle" } ], "version": 315