diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c8117b7..b72f522 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8098,6 +8098,22 @@
       },
       "uuid": "86b4e2f3-8bbf-48fd-9d27-034d3ac3b187",
       "value": "VENOM SPIDER"
+    },
+    {
+      "description": "ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls. On 2018, an actor named DarkUniverse, which was active between 2009 to 2017, was attributed to this ItaDuke by Kaspersky.",
+      "meta": {
+        "refs": [
+          "https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/",
+          "https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html",
+          "https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465"
+        ],
+        "synonyms": [
+          "DarkUniverse",
+          "SIG27"
+        ]
+      },
+      "uuid": "d0b900fa-84b4-11ea-bc55-0242ac130003",
+      "value": "ItaDuke"
     }
   ],
   "version": 157