diff --git a/elements/threat-actor-tools.json b/elements/threat-actor-tools.json
index 90f5afa..66bffc5 100644
--- a/elements/threat-actor-tools.json
+++ b/elements/threat-actor-tools.json
@@ -73,7 +73,12 @@
       "value": "NETEAGLE"
     },
     {
-      "value": "Agent.BTZ"
+      "value": "Agent.BTZ",
+      "synonyms": ["ComRat"]
+    },
+    {
+      "value": "Heseber BOT",
+      "description": "RAT bundle with standard VNC (to avoid/limit A/V detection)."
     },
     {
       "value": "Agent.dne"
@@ -90,6 +95,14 @@
     {
       "value": "Winexe"
     },
+    {
+      "value": "Dark Comet",
+      "description": "RAT initialy identified in 2011 and still actively used."
+    },
+    {
+      "value": "AlienSpy",
+      "description": "RAT for Apple OS X platforms"
+    },
     {
       "value": "CORESHELL"
     },
@@ -103,7 +116,13 @@
       "value": "OLDBAIT"
     },
     {
-      "value": "Havex RAT"
+      "value": "Havex RAT",
+      "synonyms": ["Havex"]
+    },
+    {
+      "value": "KjW0rm",
+      "description": "RAT initially written in VB.",
+      "refs": ["https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/"]
     },
     {
       "value": "LURK"