From b8960393a449abf2db4979dea8f41abc49b17878 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 29 Nov 2021 16:00:40 +0100
Subject: [PATCH] add Milan Rat, Shark tool and Lyceum synonyms
---
 clusters/rat.json | 15 ++++++++++++++-
 clusters/tool.json | 12 +++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index dd0ae78..883fbe8 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3486,7 +3486,20 @@
 },
 "uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
 "value": "Guildma"
+ },
+ {
+ "description": "Milan is a 32-bit RAT written in Visual C++ and .NET. Milan is loaded and persists using tasks. An encoded routine waits for three to four seconds between executing the first task, deleting this task, and setting a second scheduled task for persistence.",
+ "meta": {
+ "refs": [
+ "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/"
+ ],
+ "synonyms": [
+ "James"
+ ]
+ },
+ "uuid": "a5e5a48a-5ce7-45f0-97d7-517d7f37b4ce",
+ "value": "Milan"
 }
 ],
- "version": 36
+ "version": 37
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index e46e166..a20b1bb 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8450,7 +8450,17 @@
 },
 "uuid": "d5b31712-a5b4-4b1c-9a74-4340abc61210",
 "value": "ESPecter bootkit"
+ },
+ {
+ "description": "Shark is a 32-bit executable written in C# and .NET. To run Shark, a parameter is passed on the command line that includes the executable’s filename. Shark generates a mutex that uses the executable’s filename as the mutex value. The mutex likely ensures Shark does not execute on a machine where it is already running and that the correct version of Shark is executed.",
+ "meta": {
+ "refs": [
+ "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/"
+ ]
+ },
+ "uuid": "9ea6d29e-00a7-4042-9bc5-31b1adeee6ec",
+ "value": "Shark"
 }
 ],
- "version": 148
+ "version": 149
 }
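Review bot: The new `Milan` entry in clusters/rat.json has no `related` array, so nothing in the galaxy links it to the Lyceum actor that the commit subject and its only reference are about; the `Shark` entry in the clusters/tool.json hunk has the same gap. Consider adding, next to `meta`, something like `"related": [{"dest-uuid": "<LYCEUM_THREAT_ACTOR_UUID>", "type": "used-by"}]`, taking the real UUID from the threat-actor cluster (it is a placeholder here because the value is not in this patch). Separately, the `"James"` synonym has no entry in `refs` that lets a reader confirm the alias. If the name comes from a different vendor report than the one linked, that report should be listed as well.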
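Review bot: The `description` for `Shark` in clusters/tool.json covers only how the binary is launched and how it names its mutex, and never says what the tool is used for. An analyst who reaches this cluster from a tag therefore lacks the context needed to triage a hit. A short opening sentence taken from the linked report and stating its role would fix that, all the more because `Shark` is a short, generic value and the entry has no `synonyms` to disambiguate it. The mutex behaviour (a mutex named after the executable's filename) is the most detection-relevant part of the text and is worth keeping as written.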