From 775451488d3ba8b4d3111f7e1d75448ecd862d53 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Mon, 13 Nov 2023 04:36:57 -0800
Subject: [PATCH] [threat-actors] Add TAG-56

---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 88bff0b..8452bb8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12906,6 +12906,18 @@
       },
       "uuid": "7f24740c-9370-4968-a92e-667ef2591abe",
       "value": "Water Labbu"
+    },
+    {
+      "description": "TAG-56 is a threat actor group that shares similarities with the APT42 group. They use tactics such as fake registration pages and spearphishing to target victims, often using encrypted chat platforms like WhatsApp or Telegram. TAG-56 is believed to be part of a broader campaign led by an Iran-nexus threat activity group. They have been observed using shared web hosts and recycled code, indicating a preference for acquiring purpose-built infrastructure rather than establishing their own.",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/",
+          "https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank"
+        ]
+      },
+      "uuid": "7cae7378-5595-4d1e-be63-e13216162a20",
+      "value": "TAG-56"
     }
   ],
   "version": 293