diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b4923fb4..84a7ea5f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3399,7 +3399,8 @@
 "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
 "https://attack.mitre.org/groups/G0037/",
 "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/",
- "http://www.secureworks.com/research/threat-profiles/gold-franklin"
+ "http://www.secureworks.com/research/threat-profiles/gold-franklin",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
 ],
 "synonyms": [
 "SKELETON SPIDER",
@@ -3418,6 +3419,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "1cdbbcab-903a-414d-8eb0-439a97343737",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
@@ -6711,16 +6719,6 @@
 "uuid": "6e899dd4-f95e-42a0-a5a3-e57249f017cf",
 "value": "Flash Kitten"
 },
- {
- "description": "According to CrowdStrike, this actor is using FrameworkPOS, potentially buying access through Dridex infections.",
- "meta": {
- "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
- ]
- },
- "uuid": "998b0a78-ff3e-4928-802f-b42e3f5cf491",
- "value": "SKELETON SPIDER"
- },
 {
 "description": "According to CrowdStrike, this actor is using TinyLoader and TinyPOS, potentially buying access through Dridex infections.",
 "meta": {
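Review bot: The new `uses` relation in the second hunk points at `dest-uuid` `1cdbbcab-903a-414d-8eb0-439a97343737` with `almost-certain`, but nothing visible in the diff shows which cluster that UUID resolves to. It is presumably the FrameworkPOS entry named in the removed SKELETON SPIDER description, and that should be confirmed against the target galaxy before merge. The removed description's other claim, that access was potentially bought through Dridex infections, is not carried into any visible line of the entry with uuid `647894f6-1723-4cba-aba4-0ef0966d5302`, so that context is lost unless its description (outside these hunks) already covers it. Because the standalone UUID `998b0a78-ff3e-4928-802f-b42e3f5cf491` is retired in the third hunk, the repository should be searched for `dest-uuid` references to it, since any left behind would dangle. The enclosing cluster object starts and ends outside the hunk.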