diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 59565d4..1cabb7a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14280,6 +14280,20 @@
       },
       "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966",
       "value": "Caramel Tsunami"
+    },
+    {
+      "description": "Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.",
+      "meta": {
+        "country": "EG",
+        "refs": [
+          "https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/defender-experts-chronicles-a-deep-dive-into-storm-0867/ba-p/3911769"
+        ],
+        "synonyms": [
+          "DEV-0867"
+        ]
+      },
+      "uuid": "dc1d0202-8976-4d15-810d-4af0feff6af9",
+      "value": "Storm-0867"
     }
   ],
   "version": 298