[threat-actors] Add Mustard Tempest

2024-02-01 11:01:57 -08:00 · 2024-02-01 11:01:57 -08:00 · 4388309aa0
parent 05cf259436
commit 4388309aa0
1 changed files with 15 additions and 0 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -14227,6 +14227,21 @@
      },
      "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c",
      "value": "Carmine Tsunami"
+    },
+    {
+      "description": "Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+          "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+        ],
+        "synonyms": [
+          "DEV-0206",
+          "Purple Vallhund"
+        ]
+      },
+      "uuid": "3ce9610b-2435-4c41-80d1-3f95a5ff2984",
+      "value": "Mustard Tempest"
    }
  ],
  "version": 298