diff --git a/clusters/botnet.json b/clusters/botnet.json
index 10a50db..aed6269 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -541,6 +541,16 @@
 ]
 },
 "uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67"
+ },
+ {
+ "value": "Muhstik",
+ "description": "The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.\nAt the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.\nCrooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online.\nThe Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/"
+ ]
+ },
+ "uuid": "8364b00c-46c6-11e8-a78e-9bcc5609574f"
 }
 ],
 "name": "Botnet",
@@ -551,5 +561,5 @@
 ],
 "description": "botnet galaxy",
 "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
- "version": 2
+ "version": 3
 }
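Review bot: The new Muhstik entry's `"description"` is lifted from a news article and keeps time-relative wording — `according to a Netlab report published today` — that has no meaning in a versioned cluster file, and the `"refs"` array lists only that secondary BleepingComputer write-up while the primary Netlab analysis the text itself relies on is absent. Suggest replacing `published today` with the report's publication date (or dropping the clause) and adding the Netlab 360 report URL as a second `"refs"` entry so the CVE-2018-7600 / Tsunami attribution can be checked against the primary source rather than a paraphrase. The informal `Crooks have used Tsunami initially for DDoS attacks` would also read better as `Tsunami was initially used for DDoS attacks` to match the neutral tone expected of threat-intel descriptions. The enclosing `"values"` array and galaxy object start before this hunk, so I cannot confirm whether sibling entries carry additional `meta` keys (e.g. synonyms) that this one should mirror.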