From 44c270e9dcf40eb7c712cf81eb3f193b282fe10d Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Fri, 1 Dec 2023 16:21:53 -0800
Subject: [PATCH] [threat-actors] Add ScamClub

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9b80942..8b56512 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13614,6 +13614,17 @@
       },
       "uuid": "f0bb3d3a-c012-4d12-b621-51192977f190",
       "value": "TunnelSnake"
+    },
+    {
+      "description": "ScamClub is a threat actor involved in malvertising activities since 2018. They target the Mobile Web market segment, particularly on iOS devices, where security software is often lacking. ScamClub utilizes obfuscation techniques and real-time bidding integration with ad exchanges to push malicious JavaScript payloads, leading to forced redirects and various scams such as phishing and gift card scams.",
+      "meta": {
+        "refs": [
+          "https://blog.confiant.com/exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537",
+          "https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts"
+        ]
+      },
+      "uuid": "dae45b1c-f957-4242-aa5b-f36b08994bad",
+      "value": "ScamClub"
     }
   ],
   "version": 295