diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0eebf82..f8c7cb6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3828,8 +3828,8 @@
         "cfr-type-of-incident": "Espionage",
         "country": "IR",
         "refs": [
-          "http://www.clearskysec.com/oilrig/",
-          "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
+          "https://www.clearskysec.com/oilrig/",
+          "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
           "https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
           "https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
           "https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
@@ -3856,6 +3856,7 @@
           "https://www.clearskysec.com/oilrig/",
           "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
           "https://attack.mitre.org/groups/G0049/",
+          "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
           "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
         ],
         "synonyms": [
@@ -8311,5 +8312,5 @@
       "value": "GALLIUM"
     }
   ],
-  "version": 169
+  "version": 170
 }