From 64904242014ca5d337f319e7a4a48a5b8cdbd6ac Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Wed, 20 Mar 2024 10:23:42 -0700
Subject: [PATCH] [threat-actors] Add UNC5325

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ba92366..39c195c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15340,6 +15340,17 @@
       },
       "uuid": "69a944ef-4962-432e-a1b9-575b646ee2ed",
       "value": "R00tK1T"
+    },
+    {
+      "description": "UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Mandiant identified TTPs and malware code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware leveraged by UNC3886. Mandiant assesses with moderate confidence that UNC5325 is associated with UNC3886.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"
+        ]
+      },
+      "uuid": "ffb28c09-16a6-483a-817a-89c89751c9d4",
+      "value": "UNC5325"
     }
   ],
   "version": 304