diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4ef2ac3..0fc7a86 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12463,6 +12463,18 @@
 },
 "uuid": "64234b2e-0c78-466d-8253-0df339f99f5f",
 "value": "REF5961"
+ },
+ {
+ "description": "A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat",
+ "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set"
+ ]
+ },
+ "uuid": "c46ed7e9-3949-4c57-ab14-177d88f27e2c",
+ "value": "REF2924"
 }
 ],
 "version": 289
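Review bot: The new REF2924 entry sets `"country": "CN"` as a bare fact, but nothing in the added description states an origin, so anyone tagging events from this cluster would inherit an attribution the entry itself does not substantiate. Please confirm that one of the two refs makes that claim; if it is only an assessment, record the confidence next to it (for example an `"attribution-confidence"` value in `meta`) or drop the field. The description also reads as pasted news copy: a space is missing in `Asia.According`, and the second sentence about network-based detection says nothing about the actor and could be cut. The trailing context line still shows `"version": 289`, so if the project bumps the cluster version for each new entry, that bump is missing from this hunk.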