diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 49b4085..9b80942 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13602,6 +13602,18 @@
       },
       "uuid": "89f5a5cb-514f-46db-8959-6bb9aa991e9f",
       "value": "WildPressure"
+    },
+    {
+      "description": "The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky's product, giving them visibility into the group’s operation.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.redpacketsecurity.com/operation-tunnelsnake/",
+          "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"
+        ]
+      },
+      "uuid": "f0bb3d3a-c012-4d12-b621-51192977f190",
+      "value": "TunnelSnake"
     }
   ],
   "version": 295