diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 05709293..92a2c4bd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9758,6 +9758,51 @@
       },
       "uuid": "c96e1329-cf7e-44ac-a3db-9e251dc98ec5",
       "value": "Earth Wendigo"
+    },
+    {
+      "description": "In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper webshell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to malware families Chinoxy, PCShare and FunnyDream. CTU researchers have discovered that BRONZE EDGEWOOD also leverages Cobalt Strike in its intrusion activity. BRONZE EDGEWOOD has been active since at least 2018 and targets government and private enterprises across Southeast Asia. CTU researchers assess with moderate confidence that BRONZE EDGEWOOD operates on behalf the Chinese government and has a remit that covers political espionage.",
+      "meta": {
+        "cfr-suspected-victims": [
+          "Kyrgyzstan",
+          "Malaysia",
+          "Vietnam"
+        ],
+        "country": "CN",
+        "refs": [
+          "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+          "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
+        ],
+        "synonyms": [
+          "Red Hariasa"
+        ]
+      },
+      "uuid": "b4ce9385-eedf-4a71-803c-6d53a250d10b",
+      "value": "BRONZE EDGEWOOD"
+    },
+    {
+      "description": "APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspect that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 use a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom, but are used by multiple APT groups.",
+      "meta": {
+        "cfr-suspected-victims": [
+          "United States"
+        ],
+        "cfr-target-category": [
+          "Pharmaceuticals",
+          "Healthcare",
+          "Construction",
+          "Aerospace",
+          "Defense industrial base"
+        ],
+        "country": "CN",
+        "refs": [
+          "https://www.mandiant.com/resources/apt-groups#apt19",
+          "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
+        ],
+        "synonyms": [
+          "Red Pegasus"
+        ]
+      },
+      "uuid": "7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5",
+      "value": "APT9"
     }
   ],
   "version": 233