diff --git a/clusters/banker.json b/clusters/banker.json
index 9d349f1..013da82 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -379,7 +379,8 @@
 "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
 "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
 "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
- "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/"
+ "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/",
+ "https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-starts-stealing-windows-problem-history/"
 ],
 "synonyms": [
 "Trickster",
@@ -477,7 +478,11 @@
 "date": "Discovered ~Summer 2014",
 "refs": [
 "https://feodotracker.abuse.ch/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/",
+ "https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/",
+ "https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/",
+ "https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet",
+ "https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/"
 ],
 "synonyms": [
 "Feodo Version C",
@@ -1176,5 +1181,5 @@
 "value": "CamuBot"
 }
 ],
- "version": 15
+ "version": 16
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c7a1f21..ca89856 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5921,7 +5921,9 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/",
 "https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/",
- "https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/"
+ "https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/",
+ "https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/",
+ "https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/"
 ]
 },
 "uuid": "0768fd50-c547-11e8-9aa5-776183769eab",
@@ -6027,5 +6029,5 @@
 "value": "INDRIK SPIDER"
 }
 ],
- "version": 79
+ "version": 80
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 4530ea5..d6e310b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1994,7 +1994,10 @@
 {
 "meta": {
 "refs": [
- "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/"
+ "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
+ "https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet",
+ "https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/",
+ "https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/"
 ],
 "synonyms": [
 "Geodo"
@@ -7404,5 +7407,5 @@
 "value": "China Chopper"
 }
 ],
- "version": 100
+ "version": 101
 }
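Review bot: The `refs` array in clusters/tool.json (hunk `@@ -1994,7 +1994,10 @@`) receives only three of the four references that the matching entry in clusters/banker.json gets in hunk `@@ -477,7 +478,11 @@`; the one left out is the BleepingComputer article on US internet providers. If the omission is not intentional, add `"https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/"` to the tool.json array so an analyst pivoting from either cluster reaches the same reporting. That both entries describe Emotet is inferred from the visible refs and the `Geodo` and `Feodo Version C` synonyms, since both objects start and end outside their hunks.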