From cd76f19f52e94a61f0d500fa3cdbf89a758e1c19 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Wed, 15 Aug 2018 20:25:57 +0200
Subject: [PATCH 1/2] chg: [threat-actor] APT-C-35 actor added

ref: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
---
 clusters/threat-actor.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 251b002..045640b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5365,7 +5365,20 @@
       },
       "uuid": "71a3b962-9a36-11e8-88f8-b31d20c6fa2a",
       "value": "RedAlpha"
+    },
+    {
+      "value": "APT-C-35",
+      "uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",
+      "description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization",
+      "meta": {
+        "refs": [
+          "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/"
+        ],
+        "synonyms": [
+          "DoNot Team"
+        ]
+      }
     }
   ],
-  "version": 52
+  "version": 53
 }

From f8c56406138dbc455da054e9d0ac98f8579463c7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Tue, 21 Aug 2018 10:48:47 +0200
Subject: [PATCH 2/2] chg: [tool] biscuit biscvt tool BISKVIT

ref: https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 6cc4dae..d800258 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -5706,7 +5706,17 @@
       },
       "uuid": "f7f53bb8-37ed-4bbe-9809-ca1594431536",
       "value": "KEYMARBLE"
+    },
+    {
+      "value": "BISKVIT",
+      "description": "The BISKVIT Trojan is a multi-component malware written in C#. We dubbed this malware BISKVIT based on the namespaces used in the code, which contain the word “biscuit”.  Unfortunately, there is already an existing unrelated malware called BISCUIT, so BISKVIT is used instead, which is the Russian translation of biscuit.",
+      "meta": {
+        "refs": [
+          "https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html"
+        ]
+      },
+      "uuid": "69ed8a69-8b33-4195-9b21-a1f4cd76acde"
     }
   ],
-  "version": 84
+  "version": 85
 }