diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2dd37453..ec7f3cf6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -952,13 +952,16 @@ "meta": { "country": "KP", "synonyms": [ - "Operation DarkSeoul" + "Operation DarkSeoul", + "Hidden Cobra" ], "refs": [ - "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/" + "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/", + "https://www.us-cert.gov/ncas/alerts/TA17-164A" ] }, - "value": "Lazarus Group" + "value": "Lazarus Group", + "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman." }, { "meta": {