From 120f5c9b3f18381268004173e14b4dd2336905b6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 27 Mar 2024 05:09:24 -0700
Subject: [PATCH 1/5] [threat-actors] Add Lazarus Group aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b308faa..a3fedc2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3238,7 +3238,9 @@
 "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/",
 "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
 "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists",
- "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
+ "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
+ "https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-048a"
 ],
 "synonyms": [
 "Operation DarkSeoul",
@@ -3278,7 +3280,8 @@
 "Sapphire Sleet",
 "COPERNICIUM",
 "TA404",
- "Lazarus group"
+ "Lazarus group",
+ "BeagleBoyz"
 ]
 },
 "related": [
From ab52990840b894854bef19e6ecd354d8bff1a0c4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 27 Mar 2024 05:09:24 -0700
Subject: [PATCH 2/5] [threat-actors] Add SilitNetwork
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a3fedc2..4ef3304 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
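Review bot: `BeagleBoyz` is added as a Lazarus synonym in the second hunk, but the reference added in the first hunk to support it, `https://us-cert.cisa.gov/ncas/alerts/aa21-048a`, is as far as I recall CISA's AppleJeus alert, which does not introduce that name; the CISA "FASTCash 2.0" alert is the one that names BeagleBoyz and would be the citation to add. Please also check that BeagleBoyz is not already listed under another cluster in this file (APT38 is the likely candidate), since a synonym shared by two clusters makes lookups ambiguous. The `us-cert.cisa.gov` host has been redirecting to cisa.gov for some time, so the canonical URL may be preferable. Both hunks sit inside a cluster object whose start and end are outside the hunks.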
@@ -15463,6 +15463,16 @@
 },
 "uuid": "da89d534-5be8-414b-832c-3e9d0d66b4e0",
 "value": "Mirage Tiger"
+ },
+ {
+ "description": "SilitNetwork is a hacking group known for targeting high-profile entities, such as airlines, for various motives. They utilize sophisticated tactics to breach their targets, potentially including social engineering and exploiting software vulnerabilities. The group's attack on RwandAir highlighted the vulnerability of the aviation industry and the need for robust cybersecurity measures.",
+ "meta": {
+ "refs": [
+ "https://www.resecurity.com/blog/article/the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats"
+ ]
+ },
+ "uuid": "a0b92be9-7b62-47df-a2e8-16211c864599",
+ "value": "SilitNetwork"
 }
 ],
 "version": 305
From 769cd4f47bb61b44895faecfcd4841a7b2bb95f8 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 27 Mar 2024 05:09:24 -0700
Subject: [PATCH 3/5] [threat-actors] Add Edalat-e Ali
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4ef3304..ec7b094 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
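Review bot: The `"version": 305` context line at the end of this hunk is left untouched, and the same holds for the hunks in patches 3, 4 and 5, so the galaxy version is never incremented although four clusters are added; consumers that refresh galaxies by comparing `version` will not pick up the new entries until it is bumped. The description also hedges its own claims (`potentially including social engineering and exploiting software vulnerabilities`, `for various motives`), which a single Resecurity article is unlikely to substantiate; I would trim the entry to what the reference actually reports about the RwandAir incident and leave TTP speculation out. The cluster array this hunk appends to begins outside the hunk.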
@@ -15473,6 +15473,19 @@
 },
 "uuid": "a0b92be9-7b62-47df-a2e8-16211c864599",
 "value": "SilitNetwork"
+ },
+ {
+ "description": "Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, such as the Revolution Day ceremonies. They have also targeted government facilities, releasing security camera footage to expose abuses and draw attention to human rights violations. The group has used their hacks to call for protests against the Iranian regime and have displayed anti-government messages during their disruptions. Edalat-e Ali has been active in releasing sensitive information and footage to embarrass Iranian officials and highlight injustices within the country.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://securityaffairs.com/142172/hacktivism/iranian-state-tv-hacked.html",
+ "https://www.chronline.com/stories/a-hacking-slugfest-between-iran-and-its-foes-sparks-fears-of-a-wider-cyberwar,281423"
+ ]
+ },
+ "uuid": "1759f8f2-e6ef-4683-a9e4-44984b9deaba",
+ "value": "Edalat-e Ali"
 }
 ],
 "version": 305
From 541eb4a4a9defc23b443676cb3f863e0b6761b20 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 27 Mar 2024 05:09:24 -0700
Subject: [PATCH 4/5] [threat-actors] Add Saad Tycoon
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ec7b094..2e043cf 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
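Review bot: `"country": "IR"` asserts the actor's country of origin, but nothing in the description supports it; the text only establishes that the group targets Iranian state media and facilities, and the cited reporting (the Check Point EvilPlayout analysis in particular) treats attribution of Edalat-e Ali as unresolved. Either drop the field or pair it with an `"attribution-confidence"` value so the origin is not read as established fact. Note also that the description is a single long string; the third sentence (`The group has used their hacks ... during their disruptions.`) has a subject/verb agreement slip (`has used ... and have displayed`) worth fixing while the entry is new. The cluster array this hunk appends to begins outside the hunk.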
@@ -15486,6 +15486,16 @@
 },
 "uuid": "1759f8f2-e6ef-4683-a9e4-44984b9deaba",
 "value": "Edalat-e Ali"
+ },
+ {
+ "description": "Saad Tycoon is the operator and alleged developer of the Tycoon 2FA PhaaS, a phishing service that targets users for financial gain. The actor utilizes Bitcoin transactions to generate significant profits from the fraudulent service. The phishing infrastructure includes domain registration, server hosting, and possibly Cloudflare protection.",
+ "meta": {
+ "refs": [
+ "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/"
+ ]
+ },
+ "uuid": "d9709373-7a3a-4905-8c90-ba74237e77ea",
+ "value": "Saad Tycoon"
 }
 ],
 "version": 305
From 22bea56895a65dab6011dbe35fa38962570a0df9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 27 Mar 2024 05:09:24 -0700
Subject: [PATCH 5/5] [threat-actors] Add UNC5174
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2e043cf..2a5d7dd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
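Review bot: The description closes with `and possibly Cloudflare protection`, a guess that does not belong in a reference dataset; keep the infrastructure sentence to what the Sekoia analysis documents, or drop it. `targets users for financial gain` is also too vague to be useful for a PhaaS entry: the reference is an adversary-in-the-middle kit analysis, so naming the authentication flows it intercepts (as the source describes them) would make the cluster searchable. Since this entry records an individual persona rather than the kit itself, a short sentence making that distinction explicit (`Saad Tycoon is the persona behind ...`) would prevent the cluster from being confused with a tool entry for Tycoon 2FA. The cluster array this hunk appends to begins outside the hunk.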
@@ -15496,6 +15496,20 @@
 },
 "uuid": "d9709373-7a3a-4905-8c90-ba74237e77ea",
 "value": "Saad Tycoon"
+ },
+ {
+ "description": "UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK. UNC5174 is believed to have connections to China's Ministry of State Security and has been observed using custom tooling and the SUPERSHELL framework in their operations. The actor has shown indications of transitioning from hacktivist collectives to working as a contractor for Chinese intelligence agencies.",
+ "meta": {
+ "refs": [
+ "https://rhisac.org/threat-intelligence/f5-big-ip-and-screenconnect-cves/",
+ "https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect"
+ ],
+ "synonyms": [
+ "Uteus"
+ ]
+ },
+ "uuid": "0b158297-ee47-48ef-9346-0cb0f9cb348a",
+ "value": "UNC5174"
 }
 ],
 "version": 305
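Review bot: The description states the actor is `Chinese state-sponsored` with links to China's Ministry of State Security, yet `meta` carries no `"country"` field, while the Edalat-e Ali entry added in patch 3 does set one; for consistency and so the cluster shows up in country-based filtering, add `"country": "CN",` to `meta` alongside `refs`. The first sentence says the actor exploited `critical vulnerabilities in F5 BIG-IP and ScreenConnect` without identifying them; the Mandiant reference names the specific CVE identifiers, and recording them in the description (or as a `refs`-adjacent note) is what lets a reader correlate this cluster with vulnerability data. The cluster array this hunk appends to begins outside the hunk, and the file's `version` context line is again left at 305.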