From 18811f8056c779fc153699fa1ddfaa2893ad33bb Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:26 -0800
Subject: [PATCH] [threat-actors] Add REF5961
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e80a502..4ef2ac3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12452,6 +12452,17 @@
 },
 "uuid": "cdcfd3e1-4e42-4746-b1f1-66d5ce27b4da",
 "value": "HiddenArt"
+ },
+ {
+ "description": "Elastic's security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN). Elastic says it found the group's tools next to the malware of another cyber-espionage group it tracks as REF2924. REF5961's arsenal includes malware such as EAGERBEE, RUDEBIRD, and DOWNTOWN.",
+ "meta": {
+ "refs": [
+ "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set",
+ "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
+ ]
+ },
+ "uuid": "64234b2e-0c78-466d-8253-0df339f99f5f",
+ "value": "REF5961"
 }
 ],
 "version": 289
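Review bot: The trailing context line `"version": 289` is unchanged, so the REF5961 entry lands without a bump of the cluster version; consumers that decide whether to re-import the cluster from that field may not pick up the new actor until a later commit raises it, so consider `"version": 290` here unless another commit in the series already does. Separately, the second ref is, judging by its URL, about the BLOODALCHEMY backdoor, which the description does not name alongside EAGERBEE, RUDEBIRD and DOWNTOWN; naming it would let analysts find this entry when pivoting from that malware family. The link to REF2924 is stated only as tools found on the same victim network, and that hedged wording should stay as it is rather than be read or encoded as attribution.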