From afaf3a3110b23808a25306380d5fadac257bcb83 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Wed, 12 Jan 2022 13:37:59 -0500
Subject: [PATCH 1/2] Add Motnug tool.
---
 clusters/tool.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index e46e166..0f49018 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8450,7 +8450,18 @@
 },
 "uuid": "d5b31712-a5b4-4b1c-9a74-4340abc61210",
 "value": "ESPecter bootkit"
+ },
+ {
+ "description": "Motnug is a simple shellcode loader that is used to load and execute shellcode located either in its overlay or in a separate file stored on disk.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
+ "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/"
+ ]
+ },
+ "uuid": "f3bae23a-ec73-49cb-8149-f93578bb2bff",
+ "value": "Motnug"
 }
 ],
- "version": 148
+ "version": 149
 }
From c792bdd1b7924f7a461ed0ab8c3742985d33b8f3 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Wed, 12 Jan 2022 13:51:11 -0500
Subject: [PATCH 2/2] Add AQUATIC PANDA threat actor.
---
 clusters/threat-actor.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2deeb94..892a58e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
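Review bot: The new Motnug entry's `meta` object holds only `refs`, so nothing in the cluster records which intrusion sets the two cited ESET write-ups tie this loader to, and a galaxy user cannot pivot from the tool to its operators. If the threat-actor cluster already has entries for those groups, a `related` item next to `meta` of the form `{"dest-uuid": "<actor cluster uuid>", "type": "<relationship type the galaxy uses for tool-to-actor links>"}` would carry that link; otherwise naming the groups in the description would do. The diffstat (12 insertions, 1 deletion) and the 148→149 bump are consistent, but whether `f3bae23a-…` collides with an existing uuid cannot be checked from the hunk alone and is worth a search of clusters/tool.json before merging.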
@@ -8898,7 +8898,18 @@
 },
 "uuid": "f6d02ac3-3447-4892-b844-1ef31839e04f",
 "value": "SideCopy"
+ },
+ {
+ "description": "AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/"
+ ]
+ },
+ "uuid": "676c1129-5664-4698-92ee-031f81baefce",
+ "value": "AQUATIC PANDA"
 }
 ],
- "version": 209
+ "version": 210
 }
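Review bot: The AQUATIC PANDA entry asserts `"country": "CN"` in `meta` with no `attribution-confidence`, although the description itself hedges ("likely operated since at least May 2020") and the only reference is a single vendor blog post. If the other threat-actor entries in this file carry `attribution-confidence` as the galaxy commonly does, the new entry should state one as well, e.g. `"attribution-confidence": "50"` adjusted to the maintainers' own assessment, so consumers can weigh the country attribution rather than read it as certain. The tools the description names (Cobalt Strike, FishMaster, njRAT) appear in prose only; where tool-cluster entries exist for them, `related` links with their `dest-uuid` would make the toolset machine-readable. Uniqueness of `676c1129-…` across the galaxy cannot be verified from the hunk.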