diff --git a/clusters/rat.json b/clusters/rat.json
index 588d917..fc2266b 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2742,7 +2742,8 @@
 "description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.",
 "meta": {
 "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-318A"
+ "https://www.us-cert.gov/ncas/alerts/TA17-318A",
+ "https://securelist.com/operation-applejeus/87553/"
 ]
 },
 "related": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 44a0ad5..d38a829 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2582,7 +2582,8 @@
 "https://www.us-cert.gov/ncas/alerts/TA17-318B",
 "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
 "https://www.cfr.org/interactive/cyber-operations/lazarus-group",
- "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret"
+ "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret",
+ "https://securelist.com/operation-applejeus/87553/"
 ],
 "synonyms": [
 "Operation DarkSeoul",
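Review bot: Neither hunk touches the cluster file's top-level `version` field, which misp-galaxy expects to be incremented whenever a cluster's content changes so that downstream MISP instances pick up the updated entry; if the bump is not in a part of the commit outside this view, it should be added for both `clusters/rat.json` and `clusters/threat-actor.json`. The same reference is appended in both hunks, so the two edits should land together to keep the FALLCHILL RAT entry and the Lazarus threat-actor entry in agreement. In the threat-actor hunk the enclosing `refs` array starts outside the hunk, so the surrounding object is not visible here.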