From 64533dba9151aec36a157cb737f30a3510f41813 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH] [threat-actors] Add RUBYCARP

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9dc3366..7b3a8ad 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15609,6 +15609,17 @@
       },
       "uuid": "20927a3f-d011-4e22-8268-0938d6816a13",
       "value": "CoralRaider"
+    },
+    {
+      "description": "RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.",
+      "meta": {
+        "country": "RO",
+        "refs": [
+          "https://sysdig.com/blog/rubycarp-romanian-botnet-group/"
+        ]
+      },
+      "uuid": "2742b229-02f4-40d0-9b99-91844a2b030e",
+      "value": "RUBYCARP"
     }
   ],
   "version": 305
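Review bot: The trailing `"version": 305` is unchanged context at the end of the hunk, so the cluster version is not bumped alongside the new entry; if this repository follows the usual MISP galaxy convention, instances that already hold version 305 will not re-import the file and will never see RUBYCARP, so that line should become `"version": 306`. The new entry also states `"country": "RO"` as a bare fact while its own description only says "likely based in Romania"; where other entries in this cluster carry an attribution-confidence key for exactly this situation, adding `"attribution-confidence": "50"` beside `"country"` would keep the metadata consistent with the prose. Neither the description nor the single Sysdig reference names a specific CVE or sample hash, so the entry should stay free of such identifiers unless the source is extended. The enclosing `values` array begins well before this hunk.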