From 9c0f18e9b9475ae76bd3fa3690f563169c2272f2 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon <mathieu@feedly.com>
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH] [threat-actors] Add MalKamak

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7a52ac8..0fb8af9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13526,6 +13526,17 @@
       },
       "uuid": "e06e1bcd-7da2-4732-934a-9fa1efa427ad",
       "value": "Blacktail"
+    },
+    {
+      "description": "MalKamak is an Iranian threat actor that has been operating since at least 2018. They have been involved in highly targeted cyber espionage campaigns against global aerospace and telecommunications companies. MalKamak utilizes a sophisticated remote access Trojan called ShellClient, which evades antivirus tools and uses cloud services like Dropbox for command and control.",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms"
+        ]
+      },
+      "uuid": "4915bfa3-5f0a-48ec-8ed5-bcd878cba504",
+      "value": "MalKamak"
     }
   ],
   "version": 295