From 2d30785af5eac225d93551ab3a941819ea61a517 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Wed, 8 Mar 2023 21:44:16 -0600
Subject: [PATCH] chg [threat-actors] Add TA866
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jürgen Löhel
---
 clusters/threat-actor.json | 50 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0da6af5..d9d8c96 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10564,7 +10564,55 @@
 ],
 "uuid": "eb0b100c-8a4e-4859-b6f8-eebd66c3d20c",
 "value": "Prophet Spider"
+ },
+ {
+ "description": "According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated, however assessment of historic related activities suggests a possible, additional espionage objective.",
+ "meta": {
+ "motive": "mainly financially motivated, additional espionage objective.",
+ "references": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f3b7e302-152b-4c4e-85c2-82733b78d13f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "49ca568f-b6e4-49ff-963e-796f8207d185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7b956ff0-9021-499c-82a4-24b958cb32d9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31",
+ "value": "TA866"
 }
 ],
- "version": 261
+ "version": 262
 }
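Review bot: The `meta.motive` value of the new TA866 entry states the espionage objective as fact, while the `description` a few lines above only calls it "a possible, additional espionage objective". Anyone who filters or triages on `motive` alone would read a stronger attribution than the entry's own description supports. I would carry the hedge into the field and drop the trailing period, for example `"motive": "mainly financially motivated, possible additional espionage objective"`. Separately, the targets of the five `dest-uuid` values under `related` are not visible in this hunk, so confirm that each one resolves to an existing cluster entry before merging. A relationship that points nowhere would presumably be dropped or mis-linked by tools that build a graph from these entries.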