Merge pull request #978 from Mathieu4141/threat-actors/5085bb5f-2aa6-485f-8e57-389d4020b408

Add 3 actors and 1 alias
Alexandre Dulaunoy 2024-05-22 06:45:37 +02:00 committed by GitHub
commit 585a9714db
1 changed files with 34 additions and 0 deletions


@ -5676,6 +5676,7 @@
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/",
"https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
],
"synonyms": [
@ -15947,6 +15948,39 @@
},
"uuid": "19ddf2b0-9cfb-430f-8919-49205cbec863",
"value": "Water Orthrus"
},
{
"description": "PhantomCore is a threat actor group known for using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, different from previous attacks exploiting vulnerabilities. The attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. PhantomCore's use of RAR archives in their attack chain has been previously observed in other threat actor groups like Forest Blizzard.",
"meta": {
"refs": [
"https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage",
"https://www.facct.ru/blog/phantomdl-loader"
]
},
"uuid": "485947c7-edb6-4a07-9276-2114dc767551",
"value": "PhantomCore"
},
{
"description": "CiberInteligenciaSV is a threat actor that leaked 5.1 million Salvadoran records on Breach Forums. They have also compromised El Salvador's state Bitcoin wallet, Chivo, leaking its source code and VPN credentials. The group aims to obscure their involvement by associating with the Guacamaya group and its proxies.",
"meta": {
"refs": [
"https://securityaffairs.com/162790/data-breach/el-salvador-massive-leak-biometric-data.html",
"https://www.cysecurity.news/2024/04/cryptocurrency-chaos-el-salvadors.html"
]
},
"uuid": "0558bc64-21d9-43e4-8b12-18172d9b5c7d",
"value": "CiberInteligenciaSV"
},
{
"description": "Void Manticore is an Iranian APT group affiliated with MOIS, known for conducting destructive wiping attacks and influence operations. They collaborate with Scarred Manticore, sharing targets and conducting disruptive operations using custom wipers. Void Manticore's TTPs involve manual file deletion, lateral movement via RDP, and the deployment of custom wipers like the BiBi wiper. The group utilizes online personas like 'Karma' and 'Homeland Justice' to leak information and amplify the impact of their attacks.",
"meta": {
"country": "IR",
"refs": [
"https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"
]
},
"uuid": "53ac2695-35ba-4ab2-a5cd-48ca533f1b72",
"value": "Void Manticore"
}
],
"version": 309
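Review bot: The new Void Manticore entry names the "Karma" and "Homeland Justice" personas only inside its prose description, so those names cannot be matched as aliases, while the Kimsuky entry in the first hunk shows this galaxy carries aliases under `meta.synonyms`. If the maintainers treat those personas as aliases of the group, add `"synonyms": ["Karma", "Homeland Justice"]` alongside `"country": "IR"` so correlation on either name resolves to this cluster. The same description says the group collaborates with Scarred Manticore; if that actor already has a cluster in this file, a `related` link to its UUID would make the relationship machine-readable rather than prose-only — that UUID is not visible in this diff. Separately, the PhantomCore description states the RAR archives are "different from previous attacks exploiting vulnerabilities" while its first reference is titled around a WinRAR bug, so it should say explicitly whether a specific vulnerability is or is not involved, since consumers read this field for detection context.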