From a6564bf61c1af08b19d27ba588a9cb52be758c12 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 8 Jan 2024 05:23:28 -0800
Subject: [PATCH] [threat-actors] Add PhantomControl
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4692a32..c813e26 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13904,6 +13904,18 @@
 },
 "uuid": "e6d16c22-0780-483c-9920-c1d9f27b10c8",
 "value": "GREF"
+ },
+ {
+ "description": "PhantomControl is a sophisticated threat actor that emerged in November 2023. They utilize phishing emails as their initial infection vector and employ a ScreenConnect client to establish a connection for their malicious activities. Their arsenal includes a VBS script that hides its true intentions and reveals a complex mechanism involving PowerShell scripts and image-based data retrieval. PhantomControl has been associated with the Blind Eagle threat actors, showcasing their versatility and reach.",
+ "meta": {
+ "refs": [
+ "https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat",
+ "https://www.esentire.com/blog/operation-phantomcontrol",
+ "https://securityonline.info/esentire-vs-phantom-unveiling-the-cyber-spooks-dance-of-darkness/"
+ ]
+ },
+ "uuid": "a2208d56-8f08-4ca3-a304-8bdc334b5ebf",
+ "value": "PhantomControl"
 }
 ],
 "version": 296
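Review bot: The link to Blind Eagle is stated only in the free-text `description` of the new PhantomControl entry, so tooling that consumes the cluster cannot follow or query it. If the cited eSentire reports support the association, express it as a relationship alongside `meta`, e.g. `"related": [{"dest-uuid": "<uuid of the existing Blind Eagle cluster>", "type": "similar"}]`, and keep the description to observable behaviour rather than wording such as "sophisticated" or "showcasing their versatility and reach". The trailing context line also shows `"version": 296` unchanged; if consumers decide whether to re-import this cluster by comparing that number, the new entry may not be picked up until it is bumped.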