diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 31ea079..2b2101f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14035,7 +14035,14 @@
       "meta": {
         "country": "CN",
         "refs": [
-          "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/"
+          "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/",
+          "https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/",
+          "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
+          "https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
+          "https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/"
+        ],
+        "synonyms": [
+          "UNC5221"
         ]
       },
       "uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",