diff --git a/clusters/botnet.json b/clusters/botnet.json
index 243fa61..8033e87 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -579,7 +579,8 @@
 "meta": {
 "date": "August 2016",
 "refs": [
- "https://en.wikipedia.org/wiki/Mirai_(malware)"
+ "https://en.wikipedia.org/wiki/Mirai_(malware)",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/"
 ]
 },
 "related": [
@@ -800,7 +801,18 @@
 },
 "uuid": "07815089-e2c6-4084-9a62-3ece7210f33f",
 "value": "Bamital"
+ },
+ {
+ "value": "Gafgyt",
+ "description": "Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
+ "https://www.symantec.com/security-center/writeup/2014-100222-5658-99"
+ ]
+ },
+ "uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
 }
 ],
- "version": 9
+ "version": 10
 }
diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json
index 1f036e1..f3729e1 100644
--- a/clusters/branded_vulnerability.json
+++ b/clusters/branded_vulnerability.json
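Review bot: The new `Gafgyt` entry in clusters/botnet.json (second hunk) has no `synonyms`, although this family is at least as widely reported under the name Bashlite, so events tagged with that name will not correlate to this cluster. I would add `"synonyms": ["Bashlite"]` under `meta`, plus any other aliases the two cited reports use. The description's "new Gafgyt version" and "newly disclosed vulnerability" will go stale; the cited Unit 42 post carries 2018/09 in its URL, so wording such as `"A September 2018 Gafgyt variant targets a vulnerability in older, unsupported versions of SonicWall's Global Management System (GMS)."` stays accurate, ideally with the CVE id taken from that report. The entry also puts `value` first while the neighbouring context lines end with `uuid` then `value`; the same ordering difference appears in the Crypt0saur and Sirefef entries added in ransomware.json and tool.json.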
@@ -147,7 +147,17 @@
 },
 "uuid": "e85e1270-eec5-4331-8004-a063125a54b4",
 "value": "ImageTragick"
+ },
+ {
+ "meta": {
+ "logo": [
+ "http://blacknurse.dk/____impro/1/onewebmedia/blacknurse2.png?etag=W%2F%2214e7-5761287d%22&sourceContentType=image%2Fpng&ignoreAspectRatio&resize=200%2B200&extract=0%2B40%2B200%2B114"
+ ]
+ },
+ "uuid": "3c2325e4-b740-11e8-9504-b32b4d974add",
+ "description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
+ "value": "Blacknurse"
 }
 ],
- "version": 1
+ "version": 2
 }
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 9fe0606..764a72e 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -10554,7 +10554,11 @@
 ]
 },
 "uuid": "df025902-b29e-11e8-a2ab-739167419c52"
+ },
+ {
+ "value": "Crypt0saur",
+ "uuid": "32406292-b738-11e8-ab97-1f674b130624"
 }
 ],
- "version": 32
+ "version": 33
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 151688b..950ef71 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -5731,7 +5731,20 @@
 ]
 },
 "uuid": "69ed8a69-8b33-4195-9b21-a1f4cd76acde"
+ },
+ {
+ "value": "Sirefef",
+ "description": "This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including: -Downloading and running other files -Contacting remote hosts -Disabling security features\nMembers of the family can also change search results, which can generate money for the hackers who use Sirefef.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2Fsirefef"
+ ],
+ "synonyms": [
+ "Win32/Sirefef"
+ ]
+ },
+ "uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4"
 }
 ],
- "version": 86
+ "version": 87
 }
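Review bot: The `Blacknurse` entry added to clusters/branded_vulnerability.json carries no `meta.refs`, and its description speaks in an unattributed first person ("The earliest samples we have seen ... are from September 2017"), so a reader cannot tell whose telemetry that is or reconcile it with the November 2016 discovery date in the sentence before. I would add a `refs` array naming the original advisory and the report the sample statement was taken from, e.g. `"refs": ["<URL of the Blacknurse advisory>", "<URL of the report quoted in the description>"]`, and replace "we" with the name of that source. The `logo` value is a plain `http://` hot-link with resize and etag query parameters; any client that renders it fetches mutable content from a third-party host over an unauthenticated channel, so an `https://` URL or a copy kept with the project would be safer if one is available.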
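Review bot: The `Crypt0saur` entry added to clusters/ransomware.json consists of a `value` and a `uuid` only, so an analyst who sees this tag on an event has no description or reference to confirm the match against. At minimum add the source that justified the entry, e.g. `"meta": { "refs": ["<URL of the report naming Crypt0saur>"] }`, together with a one-sentence `description`. Without that the name cannot be told apart from a misspelling or a rebrand of a family that may already exist in this cluster.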
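Review bot: The `synonyms` list of the new `Sirefef` entry in clusters/tool.json holds only `Win32/Sirefef`, but this family is more commonly reported as ZeroAccess, so reports using that name will not map to this entry; I would write `"synonyms": ["Win32/Sirefef", "ZeroAccess"]`. Since ZeroAccess is usually described as a botnet, it is worth checking whether clusters/botnet.json (only partly visible in this diff) already has an entry for it and, if so, linking the two through `related` instead of leaving an uncorrelated duplicate. The description is consumer-facing text ("your PC") with a bullet list flattened into `-Downloading ... -Contacting ... -Disabling ...` followed by a literal `\n`; plain sentences would render consistently in every client.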