From 22046a1eae95582b1d26425240bed288928e888a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Tue, 18 Jan 2022 13:16:06 -0600
Subject: [PATCH 1/2] Adds WhisperGate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jürgen Löhel
---
 clusters/ransomware.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 080a0f25..539bf912 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24211,7 +24211,20 @@
 },
 "uuid": "fe7e4df0-97b9-4dd2-b3f8-79404fc8272d",
 "value": "Ragnarok"
+ },
+ {
+ "description": "Destructive malware deployed against targets in Ukraine in January 2022.",
+ "meta": {
+ "date": "January 2022",
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate",
+ "https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/",
+ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
+ ]
+ },
+ "uuid": "feb5fa26-bad4-46da-921d-986d2fd81a40",
+ "value": "WhisperGate"
 }
 ],
- "version": 98
+ "version": 99
 }
From 1fda357a0390aefb07858c61fd0e8b177f9c7619 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 30 Jan 2022 11:31:55 +0100
Subject: [PATCH 2/2] new: [surveillance] Cytrox added
---
 clusters/surveillance-vendor.json | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/clusters/surveillance-vendor.json b/clusters/surveillance-vendor.json
index d7875c3c..e8dc8920 100644
--- a/clusters/surveillance-vendor.json
+++ b/clusters/surveillance-vendor.json
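Review bot: The `description` of the WhisperGate entry added to clusters/ransomware.json does not say that this is a wiper posing as ransomware, which is the fact a responder most needs from an entry filed in the ransomware cluster. As I read the Microsoft post listed in `refs`, the ransom note is a ruse and the malware has no recovery mechanism, so triage should go straight to containment and restore from backup rather than any decryption path. I would word the line as `"description": "Destructive wiper that masquerades as ransomware and has no recovery mechanism; deployed against targets in Ukraine in January 2022.",`. The `date` value is free text (`January 2022`); whether that matches the format of the other entries in this cluster is not visible in the hunk and is worth checking.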
@@ -180,7 +180,24 @@
 },
 "uuid": "f49bf1b6-e257-4ffc-b5ac-f0e26ef36965",
 "value": "SpyBubble"
+ },
+ {
+ "description": "Cytrox’s Israeli companies were founded in 2017 as Cytrox EMEA Ltd. and Cytrox Software Ltd. Perhaps taking a page from Candiru’s corporate obfuscation playbook, both of those companies were renamed in 2019 to Balinese Ltd. and Peterbald Ltd., respectively. We also observed one entity in Hungary, Cytrox Holdings Zrt, which was also formed in 2017.",
+ "meta": {
+ "refs": [
+ "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/"
+ ],
+ "synonyms": [
+ "Cytrox EMEA Ltd.",
+ "Cytrox Software Ltd.",
+ "Balinese Ltd.",
+ "Peterbald Ltd.",
+ "Cytrox Holdings Zrt"
+ ]
+ },
+ "uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
+ "value": "Cytrox"
 }
 ],
- "version": 1
+ "version": 2
 }
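Review bot: The `description` of the new Cytrox entry is copied from the cited report in its first-person voice (`We also observed one entity in Hungary`), so inside the galaxy it is unclear who "we" is, and the text never states what the vendor actually sells. The `refs` URL indicates the report concerns Cytrox's Predator spyware; naming the product up front lets an analyst tie a Predator detection back to this cluster instead of having to open the reference. I would start the string with `Cytrox is a mercenary spyware vendor, reported by Citizen Lab as the developer of the Predator spyware.` and then give the corporate history in third person, or mark it explicitly as a quotation from the report.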