diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index f17bf7b..862843b 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -116,6 +116,16 @@
         "status": "Active"
       }
     },
+  {
+      "value": "ThreadKit",
+      "description": "ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware"
+        ],
+        "status": "Active"
+      }
+    },
     {
       "value": "RIG",
       "description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.",