From 83f874da2c7e94d86c13e3e4c575388634e7a8e5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:03 -0800
Subject: [PATCH] [threat-actors] Add LYCEUM aliases
---
 clusters/threat-actor.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2b4b2c8..80fda84 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8426,7 +8426,9 @@
 "value": "TA428"
 },
 {
+ "description": "Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.",
 "meta": {
+ "country": "IR",
 "refs": [
 "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
 "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
@@ -8438,7 +8440,8 @@
 "COBALT LYCEUM",
 "HEXANE",
 "Spirlin",
- "siamesekitten"
+ "siamesekitten",
+ "Storm-0133"
 ]
 },
 "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
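Review bot: The added `description` string in the first hunk contains a typo, `HTTPfor`, which should read `DNS tunneling and HTTP for command and control communication`. The same string asserts activity since at least 2014, a link to APT34 and the Shark and Milan malware families, and the second hunk adds the `Storm-0133` alias, yet neither hunk adds an entry to `refs`. The `refs` array and the alias array both continue outside the hunks, so an existing reference may already cover these claims; if none does, add the source that documents the alias and the attribution. Consumers presumably use these aliases to correlate vendor reporting onto one `uuid`, so an alias that cannot be traced to a reference is hard to audit later.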