From 668fb80aec1efd0011d52aa8f669ec563fb0d766 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 6 Dec 2023 17:42:33 -0800
Subject: [PATCH] [threat-actors] Add WIP19
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2ddefc6..3e923fe 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13671,6 +13671,17 @@
 },
 "uuid": "47739f40-c80c-435a-bedc-0d2b38e87ddc",
 "value": "AeroBlade"
+ },
+ {
+ "description": "WIP19 is a Chinese-speaking threat group involved in espionage targeting the Middle East and Asia. They utilize a stolen certificate to sign their malware, including SQLMaggie, ScreenCap, and a credential dumper. The group has been observed targeting telecommunications and IT service providers, using toolsets authored by WinEggDrop. WIP19's activities suggest they are after specific information and are part of the broader Chinese espionage landscape.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
+ ]
+ },
+ "uuid": "21bb2dab-4125-4ae8-8966-c7381659e180",
+ "value": "WIP19"
 }
 ],
 "version": 295
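Review bot: The cluster file's `"version": 295` is left unchanged in the trailing context of this hunk even though a new element is added; MISP galaxy clusters are expected to bump the file version whenever an entry is added so that downstream instances pick up the new cluster, so this should become `"version": 296` (or whatever the current value is at merge time). The new entry's `"country": "CN"` attribution rests on a single vendor report and the description itself hedges ("suggest"), so consider pairing it with the `"attribution-confidence"` meta field used by other entries in this file, if that convention applies here, rather than asserting the country unqualified. The enclosing `"values"` array starts well outside the hunk.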