From 3f036db1e340ddf9506a1935796fd04d1c4c8e6d Mon Sep 17 00:00:00 2001
From: Delta-Sierra <deborah.servili@gmail.com>
Date: Thu, 18 Aug 2022 15:54:28 +0200
Subject: [PATCH] add TA558

---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3ecc78b..1c7e5ed 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9872,7 +9872,17 @@
       },
       "uuid": "d58030e2-5673-4836-9aff-ab6d55da0bc0",
       "value": "SLIME29"
+    },
+    {
+      "description": "Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads.",
+      "meta": {
+        "sources": [
+          "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel"
+        ]
+      },
+      "uuid": "e1e70539-8916-45c2-9b01-891c1c5bd8a1",
+      "value": "TA558"
     }
   ],
-  "version": 240
+  "version": 241
 }