From 613e9feb128f2ebe25cfa80777dc37812664daad Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Fri, 13 Oct 2023 10:53:36 +0200
Subject: [PATCH 1/3] added suspected victims to Gelsemium
---
 clusters/threat-actor.json | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index eb167f6..1700cda 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9606,6 +9606,26 @@
 "Universities",
 "Religious organization"
 ],
+ "cfr-suspected-victims": [
+ "North Korea",
+ "South Korea",
+ "Japan",
+ "China",
+ "Mongolia",
+ "Egypt",
+ "Saudi Arabia",
+ "Yemen",
+ "Oman",
+ "Iran",
+ "Iraq",
+ "Kuwait",
+ "Israel",
+ "Jordan",
+ "Gaza",
+ "Syria",
+ "Turkey",
+ "Lebanon"
+ ],
 "refs": [
 "https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/",
 "https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf",
From faef21e15d18a65a4337631bdfdef2ca3d1ee38b Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Fri, 13 Oct 2023 12:02:20 +0200
Subject: [PATCH 2/3] Added information related to Wizard Spider
---
 clusters/threat-actor.json | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1700cda..0efc886 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
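Review bot: The new `cfr-suspected-victims` array for Gelsemium is added without any change to `refs`, so nothing in the entry says which source enumerates these eighteen countries; the `cfr-` key family in this cluster is conventionally sourced from the CFR Cyber Operations Tracker, and if this list was instead distilled from the existing ESET/VenusTech reports the commit should say so, because a victim list is an attribution claim that downstream MISP users will reuse verbatim. The list also mixes a territory (`"Gaza"`) with sovereign states, which will not round-trip through consumers that map these values to country codes; use whatever label the upstream tracker uses for the Palestinian territories rather than an ad-hoc name. I would add the source URL to `refs` in the same commit so the claim stays auditable.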
@@ -7225,6 +7225,34 @@
 "description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
 "meta": {
 "country": "RU",
+ "cfr-suspected-victims": [
+ "Australia",
+ "Bahamas",
+ "Canada",
+ "Costa Rica",
+ "France",
+ "Germany",
+ "India",
+ "Ireland",
+ "Italy",
+ "Japan",
+ "Mexico",
+ "New Zealand",
+ "Spain",
+ "Switzerland",
+ "Taiwan",
+ "United Kingdom",
+ "Ukraine",
+ "United States"
+ ],
+ "cfr-target-category": [
+ "Defense",
+ "Financial",
+ "Government",
+ "Healthcare",
+ "Telecommunications"
+ ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "refs": [
 "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
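Review bot: `"cfr-suspected-state-sponsor": "Russian Federation"` asserts state sponsorship for a group that the description in the same hunk twice calls a criminal enterprise / eCrime operator, and nothing in the hunk says which reference supports that stronger claim; `"country": "RU"` already records where the operators are based, which is a different and weaker statement. Attribution fields in this cluster feed MISP correlation and reporting, so an unsupported state-sponsor label propagates well beyond this file. Unless one of the cited reports explicitly attributes Wizard Spider to the Russian state, I would drop that line and keep `"country": "RU"`, or else name the supporting source in the description alongside the claim.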
@@ -7237,7 +7265,9 @@
 "https://www.secureworks.com/research/dyre-banking-trojan",
 "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic",
 "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
- "http://www.secureworks.com/research/threat-profiles/gold-blackburn"
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf",
+ "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf"
 ],
 "synonyms": [
 "TEMP.MixMaster",
From 059b20e705734777fec23a8784fdc4aa9cd2b800 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 13 Oct 2023 16:31:48 +0200
Subject: [PATCH 3/3] chg: [threat-actor] clean-up
---
 clusters/threat-actor.json | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0efc886..fc47ca3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7224,7 +7224,7 @@
 {
 "description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
 "meta": {
- "country": "RU",
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Australia",
 "Bahamas",
@@ -7252,7 +7252,7 @@
 "Healthcare",
 "Telecommunications"
 ],
- "cfr-suspected-state-sponsor": "Russian Federation",
+ "country": "RU",
 "refs": [
 "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
@@ -9630,12 +9630,6 @@
 {
 "description": "The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three components of this malware family.",
 "meta": {
- "cfr-target-category": [
- "Government",
- "Electronics Manufacturers",
- "Universities",
- "Religious organization"
- ],
 "cfr-suspected-victims": [
 "North Korea",
 "South Korea",
@@ -9656,6 +9650,12 @@
 "Turkey",
 "Lebanon"
 ],
+ "cfr-target-category": [
+ "Government",
+ "Electronics Manufacturers",
+ "Universities",
+ "Religious organization"
+ ],
 "refs": [
 "https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/",
 "https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf",