From 6f3b85399b7858a60fed2ca3201caa933bb00f9a Mon Sep 17 00:00:00 2001
From: Mathieu Beligon <mathieu@feedly.com>
Date: Wed, 6 Dec 2023 17:59:16 -0800
Subject: [PATCH] [threat-actors] jq

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 09fa9a8..b7434c9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11187,6 +11187,7 @@
     {
       "description": "ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.",
       "meta": {
+        "country": "RU",
         "refs": [
           "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass",
           "https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries",
@@ -11195,7 +11196,6 @@
           "https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection",
           "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
         ],
-        "country": "RU",
         "synonyms": [
           "Storm-0978"
         ]