From 6f61a3fc3e2dbe9d74b20ba644fad7e0d94396b1 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:02:03 -0800
Subject: [PATCH] [threat-actors] Add Storm-1084

---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fbb23b77..2b4b2c8c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14540,6 +14540,21 @@
       },
       "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05",
       "value": "Pink Sandstorm"
+    },
+    {
+      "description": "Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns",
+          "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/"
+        ],
+        "synonyms": [
+          "DEV-1084"
+        ]
+      },
+      "uuid": "2cc32087-f242-4091-8634-4554635b7a58",
+      "value": "Storm-1084"
     }
   ],
   "version": 298