diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 76446f79..3e289e9e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15874,6 +15874,39 @@
       ],
       "uuid": "97c6d972-a3af-4a21-94a2-0f5e09c7320e",
       "value": "UNC3236"
+    },
+    {
+      "description": "Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.",
+      "meta": {
+        "refs": [
+          "https://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html",
+          "https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web"
+        ]
+      },
+      "uuid": "0e4ed0ab-87e2-4588-8fc0-3d720e0efebd",
+      "value": "GhostR"
+    },
+    {
+      "description": "UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data. They exploit vulnerabilities in firewall devices to move laterally within victim networks, focusing on obtaining domain backup keys and active directory credentials. The actor deploys a custom Python backdoor named UPSTYLE to execute commands and download additional tools. UTA0218 is likely state-backed, utilizing a mix of infrastructure including VPNs and compromised routers to store malicious files.",
+      "meta": {
+        "refs": [
+          "https://www.enigmasoftware.com/cve20243400vulnerability-removal/",
+          "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
+        ]
+      },
+      "uuid": "ee8b8fc4-59f4-4442-a4e6-3686d09c6509",
+      "value": "UTA0218"
+    },
+    {
+      "description": "UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.",
+      "meta": {
+        "refs": [
+          "https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/",
+          "https://cert.gov.ua/article/6277849"
+        ]
+      },
+      "uuid": "f5f6d4eb-1ec3-494e-807d-5b767122f9b2",
+      "value": "UAC-0149"
     }
   ],
   "version": 307