From 1589a943a9e596bb2e466d3c89d7e843b1ac7b2b Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:02:05 -0800
Subject: [PATCH] [threat-actors] Add Storm-1674

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 95b69bf..b8eae0d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14696,6 +14696,17 @@
       },
       "uuid": "3e595289-05b8-43fc-bd88-f8650436447f",
       "value": "Storm-0829"
+    },
+    {
+      "description": "Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/",
+          "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/"
+        ]
+      },
+      "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6",
+      "value": "Storm-1674"
     }
   ],
   "version": 298