From 4388309aa06024efd674db5c792aa6ba9b78b5ce Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:01:57 -0800
Subject: [PATCH] [threat-actors] Add Mustard Tempest

---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6120a0f..67981ac 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14227,6 +14227,21 @@
       },
       "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c",
       "value": "Carmine Tsunami"
+    },
+    {
+      "description": "Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+          "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+        ],
+        "synonyms": [
+          "DEV-0206",
+          "Purple Vallhund"
+        ]
+      },
+      "uuid": "3ce9610b-2435-4c41-80d1-3f95a5ff2984",
+      "value": "Mustard Tempest"
     }
   ],
   "version": 298