From 6c2cb8979fc30cc7e6161d72132801b37af3c5bd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Dec 2023 16:21:53 -0800
Subject: [PATCH 1/3] [threat-actors] Add TunnelSnake
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 49b4085..9b80942 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13602,6 +13602,18 @@
 },
 "uuid": "89f5a5cb-514f-46db-8959-6bb9aa991e9f",
 "value": "WildPressure"
+ },
+ {
+ "description": "The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky's product, giving them visibility into the group’s operation.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.redpacketsecurity.com/operation-tunnelsnake/",
+ "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"
+ ]
+ },
+ "uuid": "f0bb3d3a-c012-4d12-b621-51192977f190",
+ "value": "TunnelSnake"
 }
 ],
 "version": 295
From 44c270e9dcf40eb7c712cf81eb3f193b282fe10d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Dec 2023 16:21:53 -0800
Subject: [PATCH 2/3] [threat-actors] Add ScamClub
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9b80942..8b56512 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
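Review bot: The `"version": 295` context line at the end of this hunk is left unchanged, and the same holds for the hunks in PATCH 2/3 and 3/3, so the three new clusters land without a version bump and consumers that only re-import the file when `version` increases will not pick them up; bump it once in the last patch of the series, e.g. `"version": 296`. Separately, the new `description` is written about the TunnelSnake campaign rather than the actor the entry names, and the `"country": "CN"` attribution is not supported by anything in the quoted text, so a reader cannot tell which of the two refs it rests on; a short lead sentence naming the actor and the source of the attribution would make the entry self-contained. The first ref appears to be a repost of the Securelist article that follows it; if so, the primary source alone suffices.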
@@ -13614,6 +13614,17 @@
 },
 "uuid": "f0bb3d3a-c012-4d12-b621-51192977f190",
 "value": "TunnelSnake"
+ },
+ {
+ "description": "ScamClub is a threat actor involved in malvertising activities since 2018. They target the Mobile Web market segment, particularly on iOS devices, where security software is often lacking. ScamClub utilizes obfuscation techniques and real-time bidding integration with ad exchanges to push malicious JavaScript payloads, leading to forced redirects and various scams such as phishing and gift card scams.",
+ "meta": {
+ "refs": [
+ "https://blog.confiant.com/exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts"
+ ]
+ },
+ "uuid": "dae45b1c-f957-4242-aa5b-f36b08994bad",
+ "value": "ScamClub"
 }
 ],
 "version": 295
From 0391d3f3a53bbd2d3ae101b1121b20590b9b92a6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 1 Dec 2023 16:21:53 -0800
Subject: [PATCH 3/3] [threat-actors] Add Daixin Team
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8b56512..26a0384 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13625,6 +13625,20 @@
 },
 "uuid": "dae45b1c-f957-4242-aa5b-f36b08994bad",
 "value": "ScamClub"
+ },
+ {
+ "description": "Daixin is a threat actor group that has been active since at least June 2022. They primarily target the healthcare and public health sector with ransomware attacks, stealing sensitive data and threatening to release it if a ransom is not paid. They have successfully targeted various industries, including healthcare, aerospace, automotive, and packaged foods. Daixin gains initial access through VPN servers and exploits vulnerabilities or uses phishing attacks to obtain credentials. They have been responsible for cyberattacks on organizations such as the North Texas Municipal Water District and TransForm Shared Service Org, impacting their networks and stealing customer and patient information.",
+ "meta": {
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a",
+ "https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5&id=467c2374-9c18-4fb0-b5a7-155dfca4d611",
+ "https://www.databreaches.net/b-files-leaked/",
+ "https://titaniam.io/ransomware-prevention-daixin-team-ransomware-group/",
+ "https://www.databreaches.net/update-daixin-leaks-more-data-from-bluewater-health-and-other-hospitals-databases-yet-to-be-leaked/"
+ ]
+ },
+ "uuid": "5e32baed-f4b5-4149-8540-7515ad8c4dc0",
+ "value": "Daixin Team"
 }
 ],
 "version": 295
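Review bot: The new `description` refers to the group as "Daixin" throughout while `value` is `"Daixin Team"`, and `meta` carries no `synonyms`, so tags or lookups on the short name will not resolve to this cluster; adding `"synonyms": ["Daixin"]` under `meta` closes that gap. The description also repeats itself — "primarily target the healthcare and public health sector" is followed by "have successfully targeted various industries, including healthcare" — and would read better as a single sentence on targeted sectors. The CISA advisory (aa22-294a) in `refs` is the primary source here; the two databreaches.net items cover individual leaks and could be trimmed if the list is meant to stay focused on actor profiles.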