diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bb14d1b..49dcfab 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15269,6 +15269,61 @@
 },
 "uuid": "74268518-8dd9-4223-9f7f-54421463cdb3",
 "value": "GoldFactory"
+ },
+ {
+ "description": "SPIKEDWINE is a threat actor targeting European officials with a new backdoor called WINELOADER. They use a bait PDF document posing as an invitation letter from the Ambassador of India to lure diplomats. The attack is characterized by advanced tactics, techniques, and procedures in the malware and command and control infrastructure. The motivation behind the attacks seems to be exploiting the geopolitical relations between India and European nations.",
+ "meta": {
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"
+ ]
+ },
+ "uuid": "d3cda6b1-a5da-4afc-bee4-80ea2cf05e5e",
+ "value": "SPIKEDWINE"
+ },
+ {
+ "description": "UAC-0184 is a threat actor targeting Ukrainian organizations in Finland, using the Remcos Remote Access Trojan in their attacks. They have been observed utilizing steganographic image files and the IDAT Loader to deliver the malware. The group has targeted the Armed Forces of Ukraine and impersonated military recruitment processes to infect systems with the Remcos RAT.",
+ "meta": {
+ "refs": [
+ "https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga",
+ "https://cert.gov.ua/article/6276988"
+ ]
+ },
+ "uuid": "0e3224a0-3544-47d7-b1ce-fb3eb21286ad",
+ "value": "UAC-0184"
+ },
+ {
+ "description": "UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. 
They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
+ ]
+ },
+ "uuid": "a2a7d49f-f517-4eeb-9ec8-b9b74e3fe756",
+ "value": "UNC1549"
+ },
+ {
+ "description": "Mogilevich is a ransomware group known for claiming to breach organizations like Epic Games and Ireland's Department of Foreign Affairs, offering stolen data for sale without providing proof of the attacks. They operate as an extortion group, targeting high-profile victims and demanding payment for the data they claim to have stolen. Despite their claims, security researchers have noted that Mogilevich's tactics and website design suggest they may not be a sophisticated threat actor.",
+ "meta": {
+ "refs": [
+ "https://therecord.media/ireland-dfa-no-evidence-of-cybersecurity-breach",
+ "https://www.bleepingcomputer.com/news/security/epic-games-zero-evidence-we-were-hacked-by-mogilevich-gang/"
+ ]
+ },
+ "uuid": "95634994-9604-4fe6-9462-f472c2d82271",
+ "value": "Mogilevich"
+ },
+ {
+ "description": "R00TK1T is a hacking group known for sophisticated cyber attacks targeting governmental agencies in Malaysia, including data exfiltration from the National Population and Family Development Board. The group has publicized their successful attacks on social media, showcasing stolen data. R00TK1T has also targeted Malaysian telecom providers, defacing portals and potentially breaching user data. ",
+ "meta": {
+ "country": "IL",
+ "refs": [
+ "https://logrhythm.com/blog/how-government-agencies-can-defend-against-exfiltration-tactics/",
+ "https://cyble.com/blog/cyble-chronicles-february-1-latest-findings-recommendations-for-the-cybersecurity-community/"
+ ]
+ },
+ "uuid": "69a944ef-4962-432e-a1b9-575b646ee2ed",
+ "value": "R00tK1T"
 }
 ],
 "version": 302
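Review bot: The last new entry ends with `"value": "R00tK1T"` while its own description spells the name `R00TK1T`; since `value` is the canonical name that other galaxies and indicator tags are matched against, the casing should agree, e.g. `"value": "R00TK1T"`, with the other spelling listed under `meta.synonyms` if it is actually seen in reporting. The same entry sets `"country": "IL"`, but both cited refs describe the Malaysian victims rather than the group's origin, so either a ref supporting that attribution should be added or the field left out until one exists. The closing `"version": 302` line is unchanged context in this hunk, so unless it is bumped elsewhere, consumers that only re-import a galaxy when its version increases will not pick up the five new actors. Minor: the R00TK1T description ends with a trailing space, and the UNC1549 description appears split across two lines in this view — if that is a literal newline inside the string the file will fail strict JSON parsing.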