From e6072c5823937cc47458cc7e8708d91cb9e1d538 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:56 -0700
Subject: [PATCH] [threat-actors] Add CosmicBeetle
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 392776f..60d9868 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16895,6 +16895,16 @@
 },
 "uuid": "f6a60403-4bcc-4fc6-ac07-abb913c1f080",
 "value": "Storm-0501"
+ },
+ {
+ "description": "CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolset called Spacecolon, consisting of ScHackTool, ScInstaller, and ScService, to gain initial access through RDP brute forcing and exploiting vulnerabilities like CVE-2020-1472 and FortiOS SSL-VPN. CosmicBeetle has been observed impersonating the LockBit ransomware gang to leverage its reputation and has shown a tendency to leave artifacts on compromised systems. The group primarily targets SMBs globally, employing techniques such as credential dumping and data destruction.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/"
+ ]
+ },
+ "uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345",
+ "value": "CosmicBeetle"
 }
 ],
 "version": 315
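Review bot: The added `description` lists CVE-2020-1472 and "FortiOS SSL-VPN" together as initial-access vectors, which blurs two things an analyst mapping this actor to tactics needs kept apart: CVE-2020-1472 (the Netlogon flaw) is normally exploited against a domain controller once the network is already reachable, and the FortiOS item carries no identifier at all. I would reword along the lines of `to gain initial access through RDP brute forcing and a FortiOS SSL-VPN vulnerability (<CVE id from the cited ESET report>), and to escalate privileges with CVE-2020-1472`, after checking that split against the referenced article. The reference slug also mentions RansomHub, which the description never explains, so a clause on that relationship would help readers who only see the cluster text. Separately, `"version": 315` appears only as a context line, so this commit does not bump the cluster version; unless a companion commit does, consumers that key updates on that number may presumably miss the new entry.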