diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c881b72..b61d5b2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13288,6 +13288,22 @@
       },
       "uuid": "41243ff2-e4f1-4605-9259-ab494c1c8c04",
       "value": "Moshen Dragon"
+    },
+    {
+      "description": "One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://unit42.paloaltonetworks.com/sockdetour/",
+          "https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/",
+          "https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
+        ],
+        "synonyms": [
+          "DEV-0322"
+        ]
+      },
+      "uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf",
+      "value": "TiltedTemple"
     }
   ],
   "version": 294