From 1f67eeadf7a431ee9c9722c7cd2d79a0f4479e51 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:08 -0700
Subject: [PATCH 01/13] [threat-actors] Add CyberNiggers
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bcc884dc..b5f00a86 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15546,6 +15546,18 @@
 },
 "uuid": "0b158297-ee47-48ef-9346-0cb0f9cb348a",
 "value": "UNC5174"
+ },
+ {
+ "description": "CyberNiggers is a threat group known for breaching various organizations, including the US military, federal contractors, and multinational corporations like General Electric. Led by the prominent member IntelBroker, they specialize in selling access to compromised systems and stealing sensitive data, such as military files and personally identifiable information. The group has targeted a diverse portfolio of organizations, showcasing their strategic approach to gathering varied sets of information. Their activities raise concerns about national security, individual privacy, and the need for robust cybersecurity measures to mitigate the impact of cyber adversaries.",
+ "meta": {
+ "refs": [
+ "https://socradar.io/acuity-federal-breach-okta-leak-dcrat-exploit/",
+ "https://socradar.io/u-s-faces-cyber-onslaught-fico-breach-id-cc-military-data-sale/",
+ "https://socradar.io/dark-web-profile-cyberniggers/"
+ ]
+ },
+ "uuid": "21ad5aad-0a55-457d-b94d-3b4565e82e0a",
+ "value": "CyberNiggers"
 }
 ],
 "version": 305
From bb09f64e8bd13b4c57152d0535e67b649c0a9433 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:08 -0700
Subject: [PATCH 02/13] [threat-actors] Add Opal Sleet aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b5f00a86..1f097293 100644
--- a/clusters/threat-actor.json
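Review bot: The galaxy's `"version": 305` is left untouched here and in every later hunk that shows it (patches 03, 04, 05, 07, 08, 09 and 11), although the series adds new clusters and aliases; if consumers use `version` to decide whether to refresh an imported galaxy, none of these changes will be picked up. Bump it once at the end of the series, e.g. `"version": 306`, rather than in each patch. For this entry, the description names IntelBroker as the group's leader but the cluster carries no `related` link or synonym pointing at that actor; if this file already has an IntelBroker cluster, a `related` entry would keep the two from drifting apart.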
+++ b/clusters/threat-actor.json
@@ -14833,11 +14833,13 @@
 "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/",
 "https://paper.seebug.org/3031/",
 "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11",
- "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/"
+ "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
+ "https://gbhackers.com/vedalia-apt-group-exploits/"
 ],
 "synonyms": [
 "OSMIUM",
- "Konni"
+ "Konni",
+ "Vedalia"
 ]
 },
 "uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488",
From 2cf8b058bb810afa64bafd284ffa8a07a19d0d97 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:08 -0700
Subject: [PATCH 03/13] [threat-actors] Add Bignosa
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1f097293..795b5314 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
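Review bot: The `Vedalia` alias rests on a single added reference, the gbhackers.com item, which reads as a news summary rather than the report that introduced the name; actor synonyms are routinely contested, so the originating source is the one worth carrying in `refs`. Consider adding the primary report the article summarizes next to it, or at least stating in the commit message where the alias was first published. The enclosing cluster (its `description` and `value`) lies outside the hunk.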
@@ -15560,6 +15560,17 @@
 },
 "uuid": "21ad5aad-0a55-457d-b94d-3b4565e82e0a",
 "value": "CyberNiggers"
+ },
+ {
+ "description": "Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails with disguised Agent Tesla attachments protected by Cassandra Protector. They compromised servers by installing Plesk and RoundCube, connected via SSH and RDP, and used advanced obfuscation methods to evade detection. Bignosa collaborated with another cybercriminal named Gods, who provided advice and assistance in their malicious activities. The actor has been linked to multiple phishing attacks and malware distribution campaigns, showcasing a high level of sophistication in their operations.",
+ "meta": {
+ "country": "KE",
+ "refs": [
+ "https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/"
+ ]
+ },
+ "uuid": "07232925-bd1b-49a9-adca-46536ff6fdd8",
+ "value": "Bignosa"
 }
 ],
 "version": 305
From 6870ac7c42dc2a65ab1f87f7adc14915bdae6f9e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 04/13] [threat-actors] Add Smishing Triad
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 795b5314..03c51dec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
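Review bot: `"country": "KE"` is asserted in `meta` while nothing in the added `description` mentions Kenya, so a reader cannot tell whether the code reflects the actor's stated location or an analyst assessment; a clause such as `assessed in the referenced Check Point report to be based in Kenya` would tie the attribute to its source. The sentence `They compromised servers by installing Plesk and RoundCube` also reads as if those two products were the victims, which is presumably not what the source says; rewording it to describe the actor's own infrastructure would remove the ambiguity.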
@@ -15571,6 +15571,17 @@
 },
 "uuid": "07232925-bd1b-49a9-adca-46536ff6fdd8",
 "value": "Bignosa"
+ },
+ {
+ "description": "The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns. They leverage compromised Apple iMessage accounts to send fraudulent messages warning of undeliverable packages, aiming to collect personally identifying information and payment credentials. The group offers smishing kits for sale on platforms like Telegram, enabling other cybercriminals to launch independent attacks. \"Smishing Triad\" has expanded its operations to target UAE citizens, using geo-filtering to focus on victims in the Emirates.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens"
+ ]
+ },
+ "uuid": "85db04b5-1ec2-4e25-908a-f53576bd175a",
+ "value": "Smishing Triad"
 }
 ],
 "version": 305
From 94a76ab5a8fb2e95165758f0196f02eb6244b092 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 05/13] [threat-actors] Add BlackJack
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 03c51dec..4d5c81ed 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
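Review bot: `"country": "CN"` goes beyond what the added `description` supports: the text only calls the group `Chinese-speaking`, and language is neither location nor sponsorship, so the country attribute reads as an unsourced attribution. Either drop the attribute or add a sentence to the description stating who assessed the group's origin and on what basis. The description also quotes the name once as `\"Smishing Triad\"` and otherwise writes it bare; one form is enough.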
@@ -15582,6 +15582,20 @@
 },
 "uuid": "85db04b5-1ec2-4e25-908a-f53576bd175a",
 "value": "Smishing Triad"
+ },
+ {
+ "description": "Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, and military infrastructure. They have claimed responsibility for launching cyberattacks resulting in substantial damage and data exfiltration. The group allegedly used the Fuxnet malware to target sensor gateways connected to internet-connected sensors, impacting infrastructure monitoring systems. Blackjack has also been involved in attacks against companies like Moscollector, causing disruptions and stealing sensitive data.",
+ "meta": {
+ "country": "UA",
+ "refs": [
+ "https://www.enigmasoftware.com/fuxneticsmalware-removal/",
+ "https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/",
+ "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/"
+ ]
+ },
+ "uuid": "a5aa9b72-2bfb-427c-97fc-6ec04357233b",
+ "value": "BlackJack"
 }
 ],
 "version": 305
From b4628a815e24c98e34c42a50d7461092af598c94 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 06/13] [threat-actors] Add Sandworm aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4d5c81ed..8fb89f88 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
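Review bot: The added `"value": "BlackJack"` disagrees with the description, which consistently writes `Blackjack`; `value` is the lookup key for this cluster, so either align the two spellings or list the other form under `"synonyms"` so a search on either one hits the entry. The first reference, an enigmasoftware.com removal page, looks like a product page rather than research, and the Claroty and SecurityWeek items already cover Fuxnet, so it could be dropped without losing anything.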
@@ -2828,7 +2828,8 @@
 "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
 "https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine",
 "https://cert.gov.ua/article/405538",
- "https://cip.gov.ua/services/cm/api/attachment/download?id=60068"
+ "https://cip.gov.ua/services/cm/api/attachment/download?id=60068",
+ "https://packetstormsecurity.com/news/view/35790/Recent-OT-And-Espionage-Attacks-Linked-To-Russias-Sandworm-Now-Named-APT44.html"
 ],
 "synonyms": [
 "Quedagh",
@@ -2843,7 +2844,8 @@
 "FROZENBARENTS",
 "UAC-0113",
 "Seashell Blizzard",
- "UAC-0082"
+ "UAC-0082",
+ "APT44"
 ],
 "targeted-sector": [
 "Electric",
From 9f33bdc13c313d5dbc677cf697db7c6b7fac54b4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 07/13] [threat-actors] Add CoralRaider
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8fb89f88..9dc3366f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
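Review bot: `APT44` is added to the Sandworm synonyms on the strength of a packetstormsecurity.com news item, which appears to be a secondary write-up of the vendor report that introduced the name; for a cluster as widely referenced as this one, the originating report is the reference worth carrying in `refs`. Consider adding it alongside the news link or replacing the link with it. The second hunk only appends the alias and needs no separate change.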
@@ -15598,6 +15598,17 @@
 },
 "uuid": "a5aa9b72-2bfb-427c-97fc-6ec04357233b",
 "value": "BlackJack"
+ },
+ {
+ "description": "CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They use the RotBot loader family and XClient stealer to steal victim information, with hardcoded Vietnamese words in their payloads. CoralRaider operates from Hanoi, Vietnam, and uses a Telegram bot as a C2 channel for their malicious campaigns. Their activities include system reconnaissance, data exfiltration, and targeting victims in multiple countries in the region.",
+ "meta": {
+ "country": "VN",
+ "refs": [
+ "https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/"
+ ]
+ },
+ "uuid": "20927a3f-d011-4e22-8268-0938d6816a13",
+ "value": "CoralRaider"
 }
 ],
 "version": 305
From 64533dba9151aec36a157cb737f30a3510f41813 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 08/13] [threat-actors] Add RUBYCARP
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9dc3366f..7b3a8ad4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15609,6 +15609,17 @@
 },
 "uuid": "20927a3f-d011-4e22-8268-0938d6816a13",
 "value": "CoralRaider"
+ },
+ {
+ "description": "RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.",
+ "meta": {
+ "country": "RO",
+ "refs": [
+ "https://sysdig.com/blog/rubycarp-romanian-botnet-group/"
+ ]
+ },
+ "uuid": "2742b229-02f4-40d0-9b99-91844a2b030e",
+ "value": "RUBYCARP"
 }
 ],
 "version": 305
From bf5dd6e38263bf3dd051e754a3e81c54c1c02684 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 09/13] [threat-actors] Add Earth Hundun
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7b3a8ad4..5cf4aa74 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15620,6 +15620,17 @@
 },
 "uuid": "2742b229-02f4-40d0-9b99-91844a2b030e",
 "value": "RUBYCARP"
+ },
+ {
+ "description": "Earth Hundun is a cyberespionage threat actor targeting technology and government sectors in the Asia-Pacific region. They are known for using the Waterbear and Deuterbear malware, which have advanced evasion tactics and anti-analysis mechanisms. The group has been active since at least 2009 and continuously refines their malware to bypass antivirus software. Earth Hundun's attacks involve phishing emails, malware droppers, and backdoors to infiltrate organizations and gather intelligence.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html",
+ "https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html"
+ ]
+ },
+ "uuid": "edd85e27-9d05-4bc7-9b2b-5422e909336a",
+ "value": "Earth Hundun"
 }
 ],
 "version": 305
From 8d8085530d4a481609729abc1bd20b8a608d0108 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 10/13] [threat-actors] Add Volt Typhoon aliases
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5cf4aa74..019ddc07 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12369,7 +12369,8 @@
 ],
 "synonyms": [
 "BRONZE SILHOUETTE",
- "VANGUARD PANDA"
+ "VANGUARD PANDA",
+ "UNC3236"
 ]
 },
 "uuid": "f02679fa-5e85-4050-8eb5-c2677d93306f",
From 640018599ab4cd6ccf28cd09143675251a7dc382 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 11/13] [threat-actors] Add Starry Addax
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 019ddc07..b6344b57 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
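Review bot: The new `Earth Hundun` cluster duplicates an actor this file already tracks: patch 13 of the same series attaches `Earth Hundun` and these two `refs` as a synonym of the existing cluster `320c42f7-eab7-4ef9-b09a-74396caa6c3e` (whose refs name BlackTech) and deletes this entry again. The intermediate state therefore publishes a `uuid` `edd85e27-9d05-4bc7-9b2b-5422e909336a` that later vanishes; if the series is squashed before merge the uuid never ships, but if the commits land individually any consumer that imported between them is left holding a dangling identifier. Dropping this patch from the series, or folding it into patch 13, avoids that window.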
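Review bot: `UNC3236` is added to the Volt Typhoon synonyms with no accompanying reference, unlike the alias patches 02, 06 and 12, which each add the URL that backs the new name; the cluster's `refs` list is outside this hunk, but nothing visible ties the UNC designation to a source. Add the report that equates UNC3236 with Volt Typhoon to `refs` in the same commit so the mapping can be checked by the next maintainer.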
@@ -15632,6 +15632,16 @@
 },
 "uuid": "edd85e27-9d05-4bc7-9b2b-5422e909336a",
 "value": "Earth Hundun"
+ },
+ {
+ "description": "Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling. They conduct phishing attacks to trick targets into installing malicious Android applications and serve credential-harvesting pages to Windows-based targets. Their infrastructure targets both Windows and Android users, with the campaign starting with spear-phishing emails containing requests to install specific mobile apps or related themes. The campaign is in its early stages, with potential for additional malware variants and infrastructure development.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/starry-addax/"
+ ]
+ },
+ "uuid": "579fde0d-0840-4e49-ad62-405ce338f5a6",
+ "value": "Starry Addax"
 }
 ],
 "version": 305
From 148ff926c04ee2903e62f9ed1a16041d9a4594ae Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 17 Apr 2024 10:09:09 -0700
Subject: [PATCH 12/13] [threat-actors] Add APT41 aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b6344b57..29d54af6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8699,7 +8699,8 @@
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
- "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf"
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
+ "https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"
 ],
 "synonyms": [
 "G0096",
@@ -8717,7 +8718,8 @@
 "Earth Baku",
 "Amoeba",
 "HOODOO",
- "Brass Typhoon"
+ "Brass Typhoon",
+ "Earth Freybug"
 ]
 },
 "related": [
From eed81e9a724915df95f30d8b59c6722e3fc034a5 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 18 Apr 2024 12:35:10 +0200
Subject: [PATCH 13/13] [threat-actors] r0ny123 review
---
 clusters/threat-actor.json | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ec362ef3..07c51544 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8206,7 +8206,9 @@
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
 "https://unit42.paloaltonetworks.com/atoms/mangataurus/",
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html",
+ "https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html"
 ],
 "synonyms": [
 "CIRCUIT PANDA",
@@ -8216,7 +8218,8 @@
 "G0098",
 "T-APT-03",
 "Manga Taurus",
- "Red Djinn"
+ "Red Djinn",
+ "Earth Hundun"
 ]
 },
 "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
@@ -12369,12 +12372,18 @@
 "country": "CN",
 "refs": [
 "https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations",
- "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"
+ "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/",
+ "https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/",
+ "https://www.dragos.com/threat/voltzite/"
 ],
 "synonyms": [
 "BRONZE SILHOUETTE",
 "VANGUARD PANDA",
- "UNC3236"
+ "UNC3236",
+ "Insidious Taurus",
+ "VOLTZITE",
+ "Dev-0391",
+ "Storm-0391"
 ]
 },
 "uuid": "f02679fa-5e85-4050-8eb5-c2677d93306f",
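Review bot: `"Dev-0391"` is written in mixed case while Microsoft's interim designations are normally rendered in upper case, and the other vendor- or CERT-style identifiers in this file keep that form (compare `UAC-0113` in the Sandworm cluster); consumers that match synonyms case-sensitively would miss the upper-case spelling, so normalise it to `"DEV-0391"` before merging. `Dev-0391` and `Storm-0391` appear to be two generations of the same temporary Microsoft name, which is fine to keep, but the commit message should say so rather than leave the reader to infer it.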
@@ -15626,17 +15635,6 @@
 "uuid": "2742b229-02f4-40d0-9b99-91844a2b030e",
 "value": "RUBYCARP"
 },
- {
- "description": "Earth Hundun is a cyberespionage threat actor targeting technology and government sectors in the Asia-Pacific region. They are known for using the Waterbear and Deuterbear malware, which have advanced evasion tactics and anti-analysis mechanisms. The group has been active since at least 2009 and continuously refines their malware to bypass antivirus software. Earth Hundun's attacks involve phishing emails, malware droppers, and backdoors to infiltrate organizations and gather intelligence.",
- "meta": {
- "refs": [
- "https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html",
- "https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html"
- ]
- },
- "uuid": "edd85e27-9d05-4bc7-9b2b-5422e909336a",
- "value": "Earth Hundun"
- },
 {
 "description": "Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling. They conduct phishing attacks to trick targets into installing malicious Android applications and serve credential-harvesting pages to Windows-based targets. Their infrastructure targets both Windows and Android users, with the campaign starting with spear-phishing emails containing requests to install specific mobile apps or related themes. The campaign is in its early stages, with potential for additional malware variants and infrastructure development.",
 "meta": {
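Review bot: This patch's `index ec362ef3..07c51544` line does not chain from the `29d54af6` blob that patch 12 produced, so it was generated against a different base than the rest of the series (likely a rebase onto a newer main); applying the 13 patches in order with `git am` may stop at this one. Regenerating the series from the rebased branch would keep the blob chain consistent. The entry removed here is the one patch 09 introduced, so the duplicate is resolved within the series; the cluster that follows (`Starry Addax`) continues beyond the hunk.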