Merge pull request #1033 from Mathieu4141/threat-actors/fa9e8f7c-83a4-4b9d-bfba-b8d52f1db99f

[threat actors] Add 10 actors
pull/1035/head
Alexandre Dulaunoy 2024-11-13 10:51:40 +01:00 committed by GitHub
commit 871ac195ef
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 121 additions and 1 deletions

@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *764* elements Category: *actor* - source: *MISP Project* - total: *774* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]

@ -17260,6 +17260,126 @@
], ],
"uuid": "75d2d875-6e49-4152-b055-62337b0a22df", "uuid": "75d2d875-6e49-4152-b055-62337b0a22df",
"value": "Operation Cobalt Whisper" "value": "Operation Cobalt Whisper"
},
{
"description": "EvilWeb is a pro-Russian hacktivist group created in March 2024 that targets American and European entities using a hack-and-leak method alongside DDoS attacks. The group claims to have obtained data from various high-profile American organizations. EvilWeb announced its participation in the #FreeDurov operation on August 25, 2024, and began executing DDoS and hacking attacks. As of September 3, 2024, their Telegram channel has 1,146 members.",
"meta": {
"country": "RU",
"refs": [
"https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/"
]
},
"uuid": "c8ade1b0-befd-490e-8888-656dffee4d1c",
"value": "EvilWeb"
},
{
"description": "EvilByte is a hacktivist group that has conducted several high-profile cyber attacks in 2024, including breaching MyFatoorah's banking system in retaliation against Saudi media 1 and targeting Radio 10 Rosario in Argentina 2. The group has also claimed responsibility for breaching Israeli government websites and leaking data of government employees and intelligence agencies 4.\n\n",
"meta": {
"refs": [
"https://www.cyfirma.com/research/hamas-leadership-assassination-explainer/",
"https://x.com/MonThreat/status/1851901195201163720",
"https://x.com/MonThreat/status/1821478543001293136"
]
},
"uuid": "fa65c8b2-50ce-4dea-86a3-8c6b960ce1dd",
"value": "Evilbyte"
},
{
"description": "The Toxcar Cyber Team has claimed responsibility for a data leak involving Mastercard, asserting that the attack targeted the U.S. site and providing screenshots as purported evidence. They have also been linked to the sale of an undetectable ransomware designed to bypass major antivirus software. Additionally, the group has shared the source code of Elusive Stealer, a data theft malware. Their activities highlight a focus on data breaches and malware distribution within the cyber threat landscape.",
"meta": {
"refs": [
"https://socradar.io/mastercard-data-leak-new-fully-undetectable-ransomware-elusive-stealer-source-code-leak-and-more/"
]
},
"uuid": "8a67a86f-48d2-4dd0-824c-22fcfa9bf09d",
"value": "TOXCAR CYBER TEAM"
},
{
"description": "SYLHET GANG-SG is a hacktivist group that has targeted critical infrastructure and various entities, including the Central European University and the EU Parliament, often articulating their rationale for attacks. They have been involved in DDoS attacks against Western targets, including the personal website of UK Prime Minister Sunak and the Cyprus police. The group has also declared allegiance to the KillNet 2.0 hacker collective, focusing on threats against allies of Israel.",
"meta": {
"refs": [
"https://blog.checkpoint.com/security/evolving-cyber-dynamics-amidst-the-israel-hamas-conflict/",
"https://thecyberexpress.com/killnet-2-0-and-sylhet-gang-hackers/"
]
},
"uuid": "4f356e2b-8988-4d6b-84e8-d4362764aea0",
"value": "SYLHET GANG-SG"
},
{
"description": "SpaceBears is a ransomware group believed to be based in Moscow, Russia, that has taken credit for several high-profile cyberattacks while primarily operating as a Data Broker. They currently list eight organizations on their Data Leak Site, focusing on medium to small-sized targets. Their methods suggest a reliance on basic extortion strategies rather than sophisticated malware tactics, with no advanced techniques or indicators of ransomware detected.",
"meta": {
"country": "RU",
"refs": [
"https://socradar.io/dark-web-profile-spacebears/"
]
},
"uuid": "9900e010-f7ca-4354-b969-a5cd2b02f9d3",
"value": "SpaceBears"
},
{
"description": "Nam3L3ss is a threat actor who has leaked data from 25 companies, including over 2.8 million lines of Amazon employee data, which was confirmed to be stolen from a third-party service provider. The actor is distributing this data on BreachForums and claims to have numerous unreleased datasets.",
"meta": {
"refs": [
"https://databreaches.net/2024/11/12/amazon-confirms-employee-data-breach-after-vendor-hack/"
]
},
"uuid": "4251393d-b7a4-4b23-b65a-2b7e8e4d63de",
"value": "Nam3L3ss"
},
{
"description": "FrostyNeighbor is a Belarus-aligned APT group known for conducting influence and disinformation campaigns, particularly targeting Ukraine, Poland, and Lithuania. They have compromised various governmental and private sector entities, including the Polish Anti-Doping Agency, through hack-and-leak operations. The group is believed to collaborate with initial access brokers to exploit high-value targets, utilizing techniques such as zero-day vulnerabilities. Their operations are linked to cyber-enabled disinformation campaigns critical of the North Atlantic Alliance.",
"meta": {
"country": "BY",
"refs": [
"https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2024-q3-2024.pdf"
]
},
"uuid": "ca448608-83fa-467d-8637-1cf004fd8e8a",
"value": "FrostyNeighbor"
},
{
"description": "TStark is a threat actor identified by X-Ops, associated with a cluster of devices that executed the bookmark buffer overflow exploit targeting CVE-2020-15069 (T1203). The actor exhibited odd telemetry behavior indicative of intermittent VPN usage, switching between IP addresses geolocated to Hong Kong and Chengdu. Analysis revealed malware samples for Mac OS X and iOS, as well as IFRAME injection code exploiting a WebAssembly vulnerability (T1189). Additionally, TStark was linked to the development of libsophos.so and the deployment of malicious payloads across their devices.",
"meta": {
"country": "CN",
"refs": [
"https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/"
]
},
"uuid": "7c1af433-bde1-4c35-85d3-e951b5020187",
"value": "Tstark"
},
{
"description": "WageMole is a North Korean state-sponsored APT that employs social engineering and technology to secure remote job opportunities in Western countries, leveraging stolen personal data from the Contagious Interview campaign. Threat actors create fake identities, including passports and driver's licenses, and prepare study guides for interviews, often utilizing generative AI for well-structured responses. They target small to mid-sized businesses and utilize job platforms like Upwork and Indeed, while employing automation scripts for account creation. WageMole's activities include sharing code within their group and requesting payments through platforms like PayPal to conceal their identity.",
"meta": {
"country": "KP",
"refs": [
"https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/",
"https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west"
]
},
"uuid": "09aa3edb-e956-43f0-9fcb-a3154b47d202",
"value": "WageMole"
},
{
"description": "APT73 is a ransomware group that has publicly identified 12 victims and launched its data leak site on April 25th. The DLS bears a striking resemblance to that of LockBit, likely to leverage LockBit's reputation and attract potential affiliates. The rationale for this design mimicry is unclear, but it may be intended to signal operational parity with LockBit to inspire trust among low-level criminals. APT73 was formed by an alleged former LockBit affiliate following law enforcement's \"Operation Cronos\" in February 2024.",
"meta": {
"refs": [
"https://quointelligence.eu/2024/06/analyzing-shift-in-ransomware-dynamics/",
"https://www.redpacketsecurity.com/apt73-ransomware-victim-www-baldinger-ag-ch/",
"https://www.redpacketsecurity.com/apt73-ransomware-victim-www-scopeset-de/",
"https://www.redpacketsecurity.com/apt73-ransomware-victim-hpecds-com/",
"https://www.redpacketsecurity.com/apt73-ransomware-victim-www-trinitesolutions-com/",
"https://www.redpacketsecurity.com/apt73-ransomware-victim-modplan-co-uk/",
"https://www.redpacketsecurity.com/apt73-ransomware-victim-mgfsourcing-com/",
"https://www.redpacketsecurity.com/apt73-ransomware-victim-www-legilog-fr/",
"https://www.redpacketsecurity.com/apt73-ransomware-victim-sokkakreatif-com/"
],
"synonyms": [
"Eraleig"
]
},
"uuid": "84bf7b38-e120-44c9-bfdd-82740593a6c6",
"value": "APT73"
} }
], ],
"version": 320 "version": 320
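Review bot: the Evilbyte cluster (the "description" beginning "EvilByte is a hacktivist group that has conducted several high-profile cyber attacks in 2024") still carries stray citation numerals copied from its source ("Saudi media 1", "Argentina 2", "intelligence agencies 4.") and ends in a literal "\n\n"; strip both so the description reads cleanly. The same entry pairs "value": "Evilbyte" with "EvilByte" in its description, and the TStark entry pairs "value": "Tstark" with "TStark" in its description; settle on one spelling per cluster for "value" and, if the alternate spelling is in use, list it under "synonyms" the way the APT73 entry does for "Eraleig". The trailing context line "version": 320 is unchanged on both sides even though this hunk adds ten clusters; increment the cluster version, as the repository does on every content change, so that MISP instances detect and pull the new entries.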