From 837ce843448989439f6e97282a2984a7462790ef Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:01:59 -0800
Subject: [PATCH] [threat-actors] Add Lilac Typhoon

---
clusters/threat-actor.json | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0e423a7..f451f33 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14352,6 +14352,22 @@
 },
 "uuid": "c4132d43-2405-43ca-9940-a6f78e007861",
 "value": "Vanilla Tempest"
+ },
+ {
+ "description": "Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/",
+ "https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down",
+ "https://twitter.com/MsftSecIntel/status/1535417776290111489"
+ ],
+ "synonyms": [
+ "DEV-0234"
+ ]
+ },
+ "uuid": "b80be7a7-6d06-4da7-8ae0-302a198e7c73",
+ "value": "Lilac Typhoon"
 }
 ],
 "version": 298
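Review bot: The cluster's top-level `"version": 298` is left untouched as the last context line of the hunk even though a new value is appended, so consumers that refresh galaxy clusters by comparing the version number will not see the Lilac Typhoon entry; the commit should also change that line to `"version": 299`. The middle of the new `description` ("This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks" and the list of payloads that follows) reads as a general account of CVE-2022-26134 exploitation rather than activity attributed to this actor, which an analyst pivoting on the cluster could misread as Lilac Typhoon TTPs; I would trim it to what the cited MsftSecIntel thread attributes to DEV-0234, or reword so the boundary between the vulnerability's general abuse and this actor's observed activity is explicit. If the other entries in this file carry an `attribution-confidence` value, the new `meta` block should carry one too, since the only primary source here is a single vendor thread and the `country` field is asserted without qualification. The enclosing `values` array and the surrounding object start well before this hunk.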