From 8ebdd40e4261787004bc23351f95e2404493101e Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:01:58 -0800
Subject: [PATCH] [threat-actors] Add Velvet Tempest

---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1cabb7a..20ac754 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14294,6 +14294,20 @@
       },
       "uuid": "dc1d0202-8976-4d15-810d-4af0feff6af9",
       "value": "Storm-0867"
+    },
+    {
+      "description": "Velvet Tempest is a threat actor associated with the BlackCat ransomware group. They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+          "http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
+        ],
+        "synonyms": [
+          "DEV-0504"
+        ]
+      },
+      "uuid": "209b1452-7062-46f8-9037-3be5f7eda54f",
+      "value": "Velvet Tempest"
     }
   ],
   "version": 298