diff --git a/clusters/tool.json b/clusters/tool.json
index 9dc8241..5593653 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -4292,6 +4292,26 @@
 "https://www.bleepingcomputer.com/news/security/invisimole-is-a-complex-spyware-that-can-take-pictures-and-record-audio/"
 ]
 }
+ },
+ {
+ "uuid": "f35f219a-6eed-11e8-980a-93bb96299951",
+ "value": "Roaming Mantis",
+ "description": "Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website. For example, if a user were to navigate to www.securelist.com using a web browser, the browser would be redirected to a rogue server which has nothing to do with the security research blog. As long as the browser displays the original URL, users are likely to believe the website is genuine. The web page from the rogue server displays the popup message: To better experience the browsing, update to the latest chrome version.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
+ ]
+ }
+ },
+ {
+ "uuid": "7cda6406-6eef-11e8-a2ad-9340096d5711",
+ "value": "PLEAD Downloader",
+ "description": "PLEAD is referred to both as a name of malware including TSCookie and its attack campaign. PLEAD has two kinds – RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers. On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does.",
+ "meta": {
+ "refs": [
+ "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
+ ]
+ }
 }
 ],
 "authors": [
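Review bot: The "Roaming Mantis" description ends with the lure text unquoted, so anyone reading this field in a downstream tool cannot tell where the analyst's wording stops and the attacker's begins; wrap it in escaped quotes, e.g. `displays the popup message: \"To better experience the browsing, update to the latest chrome version.\"`. The same description never names the affected platform, although the referenced Securelist URL says Android smartphones; a single clause stating that would make the entry usable for triage. In the "PLEAD Downloader" entry the description covers the PLEAD campaign and the RAT as well as the downloader, so the first sentence should say which of those this cluster value stands for. If this file carries a top-level `version` field (not visible in this hunk), confirm it is incremented in the same commit so consumers that sync on it pick up the two new entries.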