diff --git a/clusters/stealer.json b/clusters/stealer.json
index 78545bbd..8fb3311c 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -196,7 +196,20 @@
 },
 "uuid": "7f95ebda-2c7b-49a4-ad57-bd5766a1f651",
 "value": "Album Stealer"
+ },
+ {
+ "description": "According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.",
+ "meta": {
+ "refs": [
+ "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88",
+ "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/",
+ "https://www.malware-traffic-analysis.net/2023/01/03/index.html",
+ "https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/"
+ ]
+ },
+ "uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
+ "value": "Rhadamanthys"
 }
 ],
- "version": 11
+ "version": 12
 }
diff --git a/clusters/tds.json b/clusters/tds.json
index 5b7658f0..7475e558 100644
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -132,7 +132,20 @@
 },
 "uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252",
 "value": "Orchid TDS"
+ },
+ {
+ "description": "Proofpoint has tracked the 404 TDS since at least September 2022. Proofpoint is not aware if this is a service sold on underground forums, but it is likely a shared or sold tool due to its involvement in a variety of phishing and malware campaigns.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ],
+ "type": [
+ "Underground"
+ ]
+ },
+ "uuid": "7b956ff0-9021-499c-82a4-24b958cb32d9",
+ "value": "404 TDS"
 }
 ],
- "version": 4
+ "version": 5
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0da6af50..d9d8c962 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
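Review bot: The Rhadamanthys description opens with "According to PCrisk", but none of the four entries in `"refs"` is the PCrisk article being paraphrased, so the attribution cannot be followed by a reader. Either add the cited PCrisk write-up to `"refs"` or reword the first sentence to attribute the summary to one of the sources actually listed. The same hunk's `"meta"` carries no `"type"` field, while the 404 TDS entry added in this diff does; if the galaxy's stealer entries conventionally carry one, it is worth adding here for consistency.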
@@ -10564,7 +10564,55 @@
 ],
 "uuid": "eb0b100c-8a4e-4859-b6f8-eebd66c3d20c",
 "value": "Prophet Spider"
+ },
+ {
+ "description": "According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated, however assessment of historic related activities suggests a possible, additional espionage objective.",
+ "meta": {
+ "motive": "mainly financially motivated, additional espionage objective.",
+ "references": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f3b7e302-152b-4c4e-85c2-82733b78d13f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "49ca568f-b6e4-49ff-963e-796f8207d185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7b956ff0-9021-499c-82a4-24b958cb32d9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31",
+ "value": "TA866"
 }
 ],
- "version": 261
+ "version": 262
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 38bddaf2..8e8d39ed 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
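Review bot: The TA866 entry stores its source list under `"references"`, whereas every other entry added in this diff (stealer.json, tds.json, tool.json) uses `"refs"`; a consumer that reads the usual key will see this actor as having no references at all. Change the key to `"refs": [` so the meta block matches the sibling clusters. The `"motive"` value also ends with a trailing period and reads as a sentence fragment; `"motive": "Financially motivated, with a possible additional espionage objective"` would be cleaner. The five `"related"` links are consistent with the UUIDs introduced elsewhere in this commit, which is good.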
@@ -8701,7 +8701,60 @@
 },
 "uuid": "55d5853c-393e-449b-ab2b-871e3fe45288",
 "value": "TgToxic"
+ },
+ {
+ "description": "According to Proofpoint, WasabiSeed is a simple VBS downloader which repeatedly uses Windows Installer to connect to the C2 server looking for MSI packages to download and run. Proofpoint showed that it downloads and executes first a second MSI file containing Screenshotter.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "f3b7e302-152b-4c4e-85c2-82733b78d13f",
+ "value": "WasabiSeed"
+ },
+ {
+ "description": "According to Proofpoint, this is a utility with a single function of taking a JPG screenshot of the user's desktop and submitting it to a remote C2 via a POST to a hardcoded IP address. 
This is helpful to the threat actor during the reconnaissance and victim profiling stage.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ]
+ },
+ "uuid": "49ca568f-b6e4-49ff-963e-796f8207d185",
+ "value": "Screenshotter"
+ },
+ {
+ "description": "According to Proofpoint, this is a Lua-based malware likely used by a nation-state sponsored attacker used to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails",
+ "https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware"
+ ]
+ },
+ "uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",
+ "value": "SunSeed"
+ },
+ {
+ "description": "According to Proofpoint, the A(uto)H(ot)K(key) Bot is a collection of separate AutoHotKey scripts. The bot's main component is an infinite loop that polls and downloads additional AHK scripts. The bot can load a stealer like Rhadamanthys and can check if the machine is part of an Active Directory domain.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me",
+ "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/",
+ "https://www.trendmicro.com/en_us/research/19/d/potential-targeted-attack-uses-autohotkey-and-malicious-script-embedded-in-excel-file-to-avoid-detection.html",
+ "https://www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html"
+ ]
+ },
+ "uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
+ "value": "AHK Bot"
 }
 ],
- "version": 160
+ "version": 161
 }
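Review bot: The WasabiSeed entry's `"related"` link has a stray comma inside the string, `"dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,"`, so it is a well-formed JSON value that will never match the SunSeed UUID `54c03b3c-6f97-46ea-a93f-f07bfd5cdd36` defined later in the same hunk; the relation silently dangles. Change the line to `"dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",` and consider validating that every `dest-uuid` resolves to an existing cluster UUID before merge. The line break shown inside the Screenshotter description appears to be a page rendering artifact rather than a raw newline in the file, since the hunk header's 60 new lines only add up with that description on a single line, so I do not raise it as a JSON validity issue.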