From a08311c5f18bdf4de6e69e65d7c5b588a8080c71 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:06 -0800
Subject: [PATCH] [threat-actors] Add TiltedTemple
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c881b72..b61d5b2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13288,6 +13288,22 @@
 },
 "uuid": "41243ff2-e4f1-4605-9259-ab494c1c8c04",
 "value": "Moshen Dragon"
+ },
+ {
+ "description": "One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/sockdetour/",
+ "https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/",
+ "https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
+ ],
+ "synonyms": [
+ "DEV-0322"
+ ]
+ },
+ "uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf",
+ "value": "TiltedTemple"
 }
 ],
 "version": 294
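Review bot: The second ref in the new TiltedTemple entry, the Fox-IT post whose URL slug reads `ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211`, documents TA505's exploitation of the Serv-U bug rather than this actor's, so citing it here invites analysts pivoting on the galaxy to conflate TA505 with TiltedTemple/DEV-0322. The description also never mentions Serv-U or CVE-2021-35211 even though two of the three refs appear to be about that vulnerability, so a reader cannot tell why those links are attached. I would drop the Fox-IT link (or move it to a TA505 cluster) and extend the description with a sentence such as `Microsoft tracks the group as DEV-0322 and has associated it with zero-day exploitation of SolarWinds Serv-U (CVE-2021-35211).`, letting the Microsoft ref carry that claim. The `DEV-0322` synonym and `CN` attribution merge two vendors' clusters into one entry; if the galaxy has a field for attribution confidence, it is worth recording that the Unit 42 and Microsoft reporting are being treated as the same actor here.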