diff --git a/clusters/rat.json b/clusters/rat.json
index 21c9776..94741c6 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2,7 +2,7 @@
 "uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
 "name": "RAT",
 "source": "MISP Project",
- "version": 9,
+ "version": 10,
 "values": [
 {
 "meta": {
@@ -2490,6 +2490,16 @@
 "description": "Classic RAT that can download, upload, execute commands on the victim host and perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email",
 "value": "NavRAT",
 "uuid": "6ea032a0-d54a-463b-b016-2b7b9b9a5b7e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.us-cert.gov/ncas/alerts/TA18-149A"
+ ]
+ },
+ "description": "Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. ",
+ "value": "joanap",
+ "uuid": "caac1aa2-6982-11e8-8107-a331ae3511e7"
 }
 ],
 "authors": [
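Review bot: The new entry's `"value": "joanap"` is lower-case, while its own description and the neighbouring `NavRAT` entry use the family's usual capitalisation. The cluster value is presumably what ends up in the galaxy tag that analysts search and correlate on, so I would write `"value": "Joanap",` to keep the tag in line with the name used in reporting. The description string also ends with a stray space before the closing quote (`Windows device. "`), which should be trimmed. The rest of the `values` array lies outside this hunk, so it cannot be checked from here whether an existing entry already covers this family.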