diff --git a/clusters/android.json b/clusters/android.json
index 2a745da..4392f4b 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -3749,9 +3749,27 @@
           "SMSLocker"
         ]
       }
+    },
+    {
+      "value": "Loapi",
+      "description": "A malware strain known as Loapi will damage phones if users don't remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone's components, which will make the battery bulge, deform the phone's cover, or even worse. Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/"
+        ]
+      }
+    },
+    {
+      "value": "Podec",
+      "description": "Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015.\nThe updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.",
+      "meta": {
+        "refs": [
+          "https://securelist.com/sms-trojan-bypasses-captcha/69169//"
+        ]
+      }
     }
   ],
-  "version": 3,
+  "version": 4,
   "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
   "description": "Android malware galaxy based on multiple open sources.",
   "authors": [
diff --git a/clusters/banker.json b/clusters/banker.json
index 8caacc7..7a5810c 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -484,9 +484,18 @@
       },
       "description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.",
       "value": "IcedID"
+    },
+    {
+      "value": "GratefulPOS",
+      "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
+      "meta": {
+        "refs": [
+          "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
+        ]
+      }
     }
   ],
-  "version": 4,
+  "version": 5,
   "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
   "description": "A list of banker malware.",
   "authors": [
diff --git a/clusters/tool.json b/clusters/tool.json
index 6196580..5424d6a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
   ],
   "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
   "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 43,
+  "version": 44,
   "values": [
     {
       "meta": {
@@ -3160,6 +3160,33 @@
           "OSX/Pirrit"
         ]
       }
+    },
+    {
+      "value": "GratefulPOS",
+      "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
+      "meta": {
+        "refs": [
+          "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
+        ]
+      }
+    },
+    {
+      "value": "PRILEX",
+      "description": "Prilex malware steals the information of the infected ATM’s users. In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether you’re a customer or the bank.",
+      "meta": {
+        "refs": [
+          "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
+        ]
+      }
+    },
+    {
+      "value": "CUTLET MAKER",
+      "description": "Cutlet Maker is an ATM malware designed to empty the machine of all its banknotes. Interestingly, while its authors have been advertising its sale, their competitors have already cracked the program, allowing anybody to use it for free.",
+      "meta": {
+        "refs": [
+          "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
+        ]
+      }
     }
   ]
 }