diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 499845a..59ecb2d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6794,7 +6794,8 @@
       "description": "Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.",
       "meta": {
         "refs": [
-          "http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html"
+          "http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html",
+          "https://cybaze.it/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf"
         ],
         "synonyms": [
           "Operation EvilTraffic"