diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bd4f5fe..f57358b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -671,8 +671,12 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
 ],
 "synonyms": [
+ "Winnti Umbrella"
 "Winnti Group",
 "Tailgater Team",
+ "Suckfly"
+ "APT41",
+ "APT 41"
 "Group 72",
 "Group72",
 "Tailgater",
@@ -7756,5 +7760,5 @@
 "value": "Operation Soft Cell"
 }
 ],
- "version": 136
+ "version": 137
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 577e752..b6a9bb7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -663,7 +663,9 @@
 "synonyms": [
 "Etso",
 "SUQ",
- "Agent.ALQHI"
+ "Agent.ALQHI",
+ "RbDoor",
+ "RibDoor","HIGHNOON"
 ],
 "type": [
 "Backdoor"
@@ -5352,7 +5354,8 @@
 "meta": {
 "refs": [
 "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
- ]
+ ],
+ "synonyms":[ "POISONPLUG", "Barlaiy"]
 },
 "related": [
 {
@@ -7859,7 +7862,14 @@
 "description": "Legitimate tool - tool used to scan IPv4/IPv6 networks and remotely execute PowerShell commands.",
 "uuid": "bbba3a35-5064-4e60-ad4b-0ba16cc81a23",
 "value": "Netscan"
+ },
+ {
+ "value":"ShadowHammer",
+ "description": "Malware embedded in Asus Live Update in 2018. ShadowHammer triggers its malicious behavior only if the computer it is running on has a network adapter with the MAC address whitelisted by the attacker.",
+ "meta": {
+ "refs": ["https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf"]
+ }
 }
 ],
- "version": 126
+ "version": 127
 }
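Review bot: The three added synonyms `"Winnti Umbrella"`, `"Suckfly"` and `"APT 41"` in the hunk at -671 have no trailing comma, so `clusters/threat-actor.json` no longer parses as JSON — each of them is followed directly by an existing element (`"Winnti Group",`, `"APT41",`, `"Group 72",`) with nothing separating the two string literals. Change them to `"Winnti Umbrella",`, `"Suckfly",` and `"APT 41",`. Separately, Suckfly and APT41 are vendor-specific cluster names that may already have, or warrant, their own entries in this file; if they do, listing them here as synonyms merges two attributions into one, and the overlap deserves a supporting reference in this entry's `refs`, which the hunk does not add. The synonyms array starts before and ends after this hunk.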
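Review bot: `"RibDoor","HIGHNOON"` in the hunk at -663 of `clusters/tool.json` puts two array elements on one line, breaking the one-value-per-line layout of the surrounding synonyms; split it into `"RibDoor",` and `"HIGHNOON"`. The same inline formatting appears in the hunk at -5352 (`"synonyms":[ "POISONPLUG", "Barlaiy"]`, which also lacks the space after the colon that the neighbouring keys have) and in the `refs` array of the new ShadowHammer entry in the hunk at -7859. If the repository normalises its JSON with a formatter, these lines will be rewritten on the next pass and produce a noisy follow-up diff, so it is better to commit them already formatted.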
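Review bot: The new ShadowHammer entry in the hunk at -7859 has no `uuid`, while every other entry in this file carries one (see `"uuid": "bbba3a35-5064-4e60-ad4b-0ba16cc81a23"` on the Netscan entry just above it); galaxy entries are referenced by uuid, so without one this entry cannot be linked from other clusters and a schema check that requires the field would presumably reject the file. Add `"uuid": "<generated UUIDv4 placeholder>"` to the entry. The entry also orders its keys `value`, `description`, `meta`, the reverse of the `description`, `uuid`, `value` order used by the neighbouring entries, and `"value":"ShadowHammer"` lacks the space after the colon used elsewhere.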