From 8c1583b962aaca86c5afa346b9e2e358b1b5fc19 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 15 Jan 2018 14:44:36 +0100
Subject: [PATCH] add travle/PYLOT
---
 clusters/tool.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index a3811de..386fb84 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 47,
+ "version": 48,
 "values": [
 {
 "meta": {
@@ -3326,6 +3326,18 @@
 "https://objective-see.com/blog/blog_0x25.html"
 ]
 }
+ },
+ {
+ "value": "Travle",
+ "description": "The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455/"
+ ],
+ "synonyms": [
+ "PYLOT"
+ ]
+ }
 }
 ]
 }
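Review bot: The `description` of the new "Travle" entry in the second hunk is written in the first person ("our investigation", "We believe"), apparently copied from the referenced write-up. Inside a shared cluster file it reads as the maintainers' own analysis and never says what kind of tool this is. I would state the classification and attribute the assessment to the source, for example `"description": "Travle (aka PYLOT) is a backdoor delivered as a DLL with a single exported function (MSOProtect). It is named after the string “Travle Path Failed!” found in early samples, a typo corrected to “Travel” in newer releases. The referenced Securelist report assesses that it could be a successor to the NetTraveler family."`. The word "backdoor" comes only from the reference URL in this hunk, so confirm it against the report. The `values` array this entry joins starts outside the hunk, so I cannot check whether sibling entries carry fields this one lacks.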