From c35fad32917c2e7072096a68fea1c7a2c1430c27 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 28 Mar 2022 12:11:34 +0200
Subject: [PATCH] Add threat actor group Scarab
---
 clusters/threat-actor.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4815b455..64241ba6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9051,6 +9051,24 @@
 },
 "uuid": "d9e5be22-1a04-4956-af6c-37af02330980",
 "value": "LAPSUS"
+ },
+ {
+ "description": "Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Russia",
+ "Ukraine",
+ "United States"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "country": "CN",
+ "refs": [
+ "https://web.archive.org/web/20150124025612/http://www.symantec.com:80/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012",
+ "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine"
+ ]
+ },
+ "uuid": "ef59014b-79bb-408f-97f1-3c585a240ca7",
+ "value": "Scarab"
 }
 ],
 "version": 215
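Review bot: The cluster's `"version": 215` appears only as trailing context, so the Scarab entry is added without bumping the cluster version; if consumers decide whether to re-import the cluster by comparing that number (which is how galaxy updates appear to work), instances already at 215 may never load the new actor, so change it to `"version": 216` in the same commit. The description names only Russia and the United States, while `cfr-suspected-victims` and the SentinelOne reference also cover Ukraine; the description should mention Ukraine so the prose and the metadata agree. `"country": "CN"` states attribution with no confidence level; if other entries in this file carry an `"attribution-confidence"` value, add one here so analysts do not read the attribution as settled. The enclosing array and top-level object begin outside the hunk, so duplicate `value` or `uuid` entries cannot be ruled out from here.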