diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 585d6c2..09c327c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14094,6 +14094,25 @@
       },
       "uuid": "6a77a337-bfa0-416c-8c06-1d489d0d6838",
       "value": "Caliente Bandits"
+    },
+    {
+      "description": "Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://blog.sekoia.io/iran-cyber-threat-overview/",
+          "https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/",
+          "https://www.ic3.gov/Media/News/2022/220126.pdf",
+          "https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/"
+        ],
+        "synonyms": [
+          "Emennet Pasargad",
+          "Holy Souls",
+          "NEPTUNIUM"
+        ]
+      },
+      "uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb",
+      "value": "Cotton Sandstorm"
     }
   ],
   "version": 297