diff --git a/clusters/rat.json b/clusters/rat.json
index 5ae1e48..30450da 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2547,6 +2547,15 @@
           "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
         ]
       },
+      "related": [
+        {
+          "dest-uuid": "e1ca79eb-5629-4267-bb37-3992c7126ef4",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
       "uuid": "cb23f563-a8b9-4427-9884-594e8d3cc836",
       "value": "Cardinal"
     },
@@ -3321,5 +3330,5 @@
       "value": "H-worm"
     }
   ],
-  "version": 25
+  "version": 26
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e6aae6c..b40a7fe 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6645,7 +6645,17 @@
       },
       "uuid": "ee7f535d-cc3e-40f3-99f3-c97963cfa250",
       "value": "APT-C-27"
+    },
+    {
+      "description": "Newly discovered supply chain attack that leveraged ASUS Live Update software.\nThe goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.",
+      "meta": {
+        "refs": [
+          "https://securelist.com/operation-shadowhammer/89992/"
+        ]
+      },
+      "uuid": "401c30c7-4317-458a-9b0a-379a44d63457",
+      "value": "Operation ShadowHammer"
     }
   ],
-  "version": 104
+  "version": 105
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 53bd992..d3b494c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -4984,7 +4984,7 @@
       },
       "related": [
         {
-          "dest-uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e",
+          "dest-uuid": "e1ca79eb-5629-4267-bb37-3992c7126ef4",
           "tags": [
             "estimative-language:likelihood-probability=\"likely\""
           ],
@@ -7584,7 +7584,43 @@
       ],
       "uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
       "value": "SLUB Backdoor"
+    },
+    {
+      "description": "In 2017, Unit 42 reported on and analyzed a low-volume malware family called Cardinal RAT. This malware family had remained undetected for over two years and was delivered via a unique downloader named Carp Downloader.",
+      "meta": {
+        "refs": [
+          "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
+        ]
+      },
+      "uuid": "8fb35101-dad6-4628-84ab-905afacb986b",
+      "value": "Carp Downloader"
+    },
+    {
+      "description": "EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.",
+      "meta": {
+        "refs": [
+          "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "cb23f563-a8b9-4427-9884-594e8d3cc836",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "1d9fbf33-faea-40c1-b543-c7b39561f0ff",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "e1ca79eb-5629-4267-bb37-3992c7126ef4",
+      "value": "EVILNUM"
     }
   ],
-  "version": 114
+  "version": 115
 }