From 3bdbd6646b68cd188f579e3a2bc414c78b65caeb Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 17 Jan 2019 09:44:09 +0100
Subject: [PATCH] add Cold River Threat actor
---
 clusters/threat-actor.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 79f0997..0e62491 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6179,7 +6179,21 @@
 },
 "uuid": "d8e1762a-0063-48c2-9ea1-8d176d14b70f",
 "value": "STARDUST CHOLLIMA"
+ },
+ {
+ "description": "In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.",
+ "meta": {
+ "refs": [
+ "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/"
+ ],
+ "synonyms": [
+ "Nahr Elbard",
+ "Nahr el bared"
+ ]
+ },
+ "uuid": "7d99d2f7-adf0-44e4-9044-d18ff6842a16",
+ "value": "Cold River"
 }
 ],
- "version": 86
+ "version": 87
 }
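Review bot: The two `synonyms` values, `"Nahr Elbard"` and `"Nahr el bared"`, spell what looks like the same name in two different ways, and the entry does not show whether both spellings come from the cited report or one is a typo. These strings are presumably used for matching and tagging, so each should be checked against the single reference in `refs` before merge. The `description` also reads like a fragment lifted from a longer text (`In short, “Cold River” is a sophisticated threat (actor) that ...`). A self-contained sentence would read better in a cluster list, for example `"Cold River is a threat actor that uses DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic, together with convincing lure documents and custom implants."`. The enclosing array starts outside the hunk, so whether the new entry carries the same `meta` fields as its neighbours cannot be checked from here.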