diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4280c88..088da3b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3087,11 +3087,13 @@
       "value": "UNION SPIDER"
     },
     {
+      "description": "Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.",
       "meta": {
         "attribution-confidence": "50",
         "country": "KP",
         "refs": [
-          "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
+          "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
+          "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"
         ],
         "synonyms": [
           "OperationTroy",
@@ -3099,7 +3101,9 @@
           "GOP",
           "WHOis Team",
           "Andariel",
-          "Subgroup: Andariel"
+          "Subgroup: Andariel",
+          "Onyx Sleet",
+          "PLUTONIUM"
         ]
       },
       "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7",