From 3209c45b42ae7f14fbbc682378b5c19d3661472c Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Wed, 15 Nov 2023 08:19:01 -0800
Subject: [PATCH] [threat-actors] Add KAX17

---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 44b90ad..c3676ff 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12987,6 +12987,19 @@
       },
       "uuid": "111efc97-6a93-487b-8cb3-1e890ac51066",
       "value": "Bohrium"
+    },
+    {
+      "description": "KAX17 is a sophisticated threat actor that has been active since at least 2017. They have operated hundreds of malicious servers within the Tor network, primarily as entry and middle points. Their main objective appears to be collecting information on Tor users and mapping their routes within the network. Despite efforts to remove their servers, KAX17 has shown resilience and continues to operate.",
+      "meta": {
+        "refs": [
+          "https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network/amp",
+          "https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays",
+          "https://darknetlive.com/post/who-is-responsible-for-running-hundreds-of-malicious-tor-relays/",
+          "https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-against-tor-users-42e566defce8"
+        ]
+      },
+      "uuid": "615311f0-58d4-4d1d-ac86-6ba86d119317",
+      "value": "KAX17"
     }
   ],
   "version": 294