Merge pull request #901 from Mathieu4141/threat-actors/c88f2604-d67f-4674-b59f-7f2eb7364879

[threat actors] Add 7 actors
Alexandre Dulaunoy 2023-11-29 22:06:17 +01:00 committed by GitHub
commit 09974c3819
1 changed files with 89 additions and 0 deletions


@ -13513,6 +13513,95 @@
},
"uuid": "55bcc595-2442-4f98-9477-7fe9b507607c",
"value": "SilverFish"
},
{
"description": "Blacktail is a cybercrime group that has gained attention for its ransomware campaigns, particularly the Buhti ransomware. They are known for using custom-built data exfiltration tools and have been observed exploiting vulnerabilities in both Windows and Linux systems.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware",
"https://fortiguard.fortinet.com/threat-signal-report/5170",
"https://www.redpacketsecurity.com/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/",
"https://www.redpacketsecurity.com/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code/"
]
},
"uuid": "e06e1bcd-7da2-4732-934a-9fa1efa427ad",
"value": "Blacktail"
},
{
"description": "MalKamak is an Iranian threat actor that has been operating since at least 2018. They have been involved in highly targeted cyber espionage campaigns against global aerospace and telecommunications companies. MalKamak utilizes a sophisticated remote access Trojan called ShellClient, which evades antivirus tools and uses cloud services like Dropbox for command and control.",
"meta": {
"country": "IR",
"refs": [
"https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms"
]
},
"uuid": "4915bfa3-5f0a-48ec-8ed5-bcd878cba504",
"value": "MalKamak"
},
{
"description": "DragonForce is a hacktivist group based in Malaysia that has been involved in cyberattacks targeting government institutions and commercial organizations in India. They have also targeted websites affiliated with Israel and have shown support for pro-Palestinian causes. The group has been observed using defacement attacks, distributed denial-of-service attacks, and data leaks as part of their campaigns. DragonForce Malaysia has demonstrated an ability to adapt and evolve their tactics over time.",
"meta": {
"country": "MY",
"refs": [
"https://www.darkowl.com/blog-content/hacktivist-groups-use-defacements-in-the-israel-hamas-conflict/",
"https://blog.radware.com/security/2023/05/india-one-of-the-most-targeted-countries-for-hacktivist-groups/",
"https://securitybrief.asia/story/dragonforce-malaysia-attacks-israeli-institutions-radware",
"https://www.radware.com/security/threat-advisories-and-attack-reports/opisrael-a-decade-in-review/",
"https://blog.radware.com/security/ddos/2022/08/this-was-h1-2022-part-3-beyond-the-war/",
"https://www.fortinet.com/blog/threat-research/guidance-on-hacktivist-operation-opspatuk-by-dragonforce"
]
},
"uuid": "40375ed2-04ec-433f-969d-b9a004c0272e",
"value": "DragonForce"
},
{
"description": "UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. They have also been observed targeting other industries, such as financial and professional consulting, and have been linked to other threat actors, including MustangPanada and RedDelta.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/unc2891-overview",
"https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/",
"https://blog.talosintelligence.com/introducing-shrouded-snooper/"
],
"synonyms": [
"UNC1945",
"CL-CRI-0025"
]
},
"uuid": "a1955738-563c-413c-8602-ea5b8c89ce21",
"value": "LightBasin"
},
{
"description": "RED-LILI is an active threat actor that has been identified by Checkmarx SCS research team. They have been publishing malicious packages on NPM and PyPi platforms, and have recently automated the process of creating NPM users for package publication. The Checkmarx team has detected around 1500 malicious packages associated with RED-LILI and has continuously disclosed their findings to the respective security teams.",
"meta": {
"refs": [
"https://checkmarx.com/blog/a-beautiful-factory-for-malicious-packages/"
]
},
"uuid": "99d188cf-31e5-440d-a114-297cb2242d73",
"value": "Red-Lili"
},
{
"description": "Wildcard is a threat actor that initially targeted Israel's educational sector with the SysJoker malware. They have since expanded their operations and developed additional malware variants, disguised as legitimate software, including one written in the Rust programming language called RustDown. Their precise identity remains unknown, but they have shown advanced capabilities and a focus on critical sectors within Israel.",
"meta": {
"refs": [
"https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/"
]
},
"uuid": "dc8a7137-f56e-41db-a500-920e69fa29f5",
"value": "WildCard"
},
{
"description": "WildPressure is a threat actor that targets industrial-related entities in the Middle East. They use a variety of programming languages, including C++, VBScript, and Python, to develop their malware. They have been observed using virtual private servers and compromised servers, particularly WordPress websites, in their infrastructure. While there are some minor similarities with other threat actors in the region, there is not enough evidence to make any attribution.",
"meta": {
"refs": [
"https://www.redpacketsecurity.com/it-threat-evolution-q3-2021/",
"https://securelist.com/wildpressure-targets-macos/103072/",
"https://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/",
"https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/"
]
},
"uuid": "89f5a5cb-514f-46db-8959-6bb9aa991e9f",
"value": "WildPressure"
}
],
"version": 295
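Review bot: The cluster `"version": 295` is unchanged by this commit (the diffstat reports 0 deletions, so the version line is context), yet seven entries are added; MISP consumers detect galaxy updates by comparing this field, so the line should become `"version": 296` alongside the additions. In the UNC1945 entry the description spells a linked actor as `MustangPanada` (presumably Mustang Panda) and refers to the actor as UNC1945 throughout while `"value"` is `LightBasin`; the first ref names `unc2891-overview` and the Talos "Shrouded Snooper" post appears to describe a different telecom-focused intrusion set, so both links are worth confirming before they are taken as attribution evidence. Several refs (the redpacketsecurity.com entries) look like reposts of primary reporting from Securelist and BleepingComputer; citing the originals gives cleaner provenance, and in the WildPressure entry one of them duplicates the Securelist ref already listed. Minor casing drift between description and value (`RED-LILI` vs `Red-Lili`, `Wildcard` vs `WildCard`) could be settled with a `synonyms` entry. The enclosing `values` array and the cluster object start outside the hunk.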