From d79c5bd1ab40b0f1881a2ddc6d5a6f35351eb1a4 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 21 Jun 2022 15:09:23 +0200
Subject: [PATCH] Add ToddyCat Threat actor
---
 clusters/threat-actor.json | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index df8aecb..a59224d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9504,7 +9504,42 @@
 },
 "uuid": "4d522fad-452c-46be-94ea-5803aec9b709",
 "value": "RansomHouse"
+ },
+ {
+ "description": "ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. There is still little information about this actor, but its main distinctive signs are two formerly unknown tools that Kaspersky call ‘Samurai backdoor’ and ‘Ninja Trojan’.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Afghanistan",
+ "India",
+ "Indonesia",
+ "Iran",
+ "Kyrgyzstan",
+ "Malaysia",
+ "Pakistan",
+ "Russia",
+ "Slovakia",
+ "Taiwan",
+ "Thailand",
+ "United Kingdom",
+ "Uzbekistan",
+ "Vietnam"
+ ],
+ "cfr-target-category": [
+ "Military",
+ "Government"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/",
+ "https://securelist.com/toddycat/106799/",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
+ ],
+ "synonyms": [
+ "Websiic"
+ ]
+ },
+ "uuid": "091a0b69-74de-44b6-bb12-16b7a8fd078b",
+ "value": "ToddyCat"
 }
 ],
- "version": 228
+ "version": 229
 }
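Review bot: Listing `Websiic` under `synonyms` asserts that ESET's cluster and Kaspersky's ToddyCat are one and the same actor, while the description in the same hunk says there is still little information about this actor; if the link is only an assessed overlap (the ESET reference is a broader Exchange-campaign report), the galaxy's usual pattern is a `related` entry with `"type": "similar"` and an `estimative-language:likelihood-probability` tag rather than a synonym, so that consumers do not merge the two on tag match. The description also omits the initial-access detail that two of the three reference titles carry (Microsoft Exchange servers); a sentence such as `Reported intrusions gained initial access through Microsoft Exchange servers (see refs).` would make the entry actionable for detection teams. Minor wording: `Kaspersky call` should read `Kaspersky calls`, and the curly quotes around the tool names could be replaced with escaped ASCII quotes if that is the file's convention elsewhere, which is not visible in this hunk.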