add DDG botnet and more

clusters/botnet.json

@@ -1197,6 +1197,45 @@
       },
       "uuid": "099223a1-4a6e-4024-8e48-dbe199ec7244",
       "value": "UPAS-Kit"
+    },
+    {
+      "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.",
+      "meta": {
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
+        ],
+        "synonyms": [
+          "Trik"
+        ]
+      },
+      "uuid": "26339b2e-7d82-4844-a9f0-81b0dd85e37c",
+      "value": "Phorpiex"
+    },
+    {
+      "description": "First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).",
+      "meta": {
+        "refs": [
+          "https://twitter.com/JiaYu_521/status/1204248344043778048",
+          "https://twitter.com/JiaYu_521/status/1204248344043778048",
+          "https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
+          "https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/",
+          "https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
+          "https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/",
+          "https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
+      "value": "DDG"
     }
   ],
   "version": 23

clusters/malpedia.json

@@ -3032,6 +3032,15 @@
         "synonyms": [],
         "type": []
       },
+      "related": [
+        {
+          "dest-uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
       "uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
       "value": "DDG"
     },

clusters/threat-actor.json

@@ -6157,12 +6157,16 @@
         "refs": [
           "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
           "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
-          "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
+          "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/",
+          "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+          "https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-investigates-donot-team-cyberespionage-targeting-military-governments-in-south-asia/",
+          "https://github.com/eset/malware-ioc/tree/master/donot"
         ],
         "synonyms": [
           "DoNot Team",
           "Donot Team",
-          "APT-C-35"
+          "APT-C-35",
+          "SectorE02"
         ]
       },
       "uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",