diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2dd3745..ec7f3cf 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -952,13 +952,16 @@
       "meta": {
         "country": "KP",
         "synonyms": [
-          "Operation DarkSeoul"
+          "Operation DarkSeoul",
+          "Hidden Cobra"
         ],
         "refs": [
-          "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/"
+          "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
+          "https://www.us-cert.gov/ncas/alerts/TA17-164A"
         ]
       },
-      "value": "Lazarus Group"
+      "value": "Lazarus Group",
+      "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman."
     },
     {
       "meta": {