From b8a504c174b2927986aafda1a3815845324f9bd4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 22 Jan 2024 10:01:13 -0800
Subject: [PATCH] [threat-actors] Add Cotton Sandstorm

---
 clusters/threat-actor.json | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 585d6c2..09c327c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14094,6 +14094,25 @@
 },
 "uuid": "6a77a337-bfa0-416c-8c06-1d489d0d6838",
 "value": "Caliente Bandits"
+ },
+ {
+ "description": "Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://blog.sekoia.io/iran-cyber-threat-overview/",
+ "https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/",
+ "https://www.ic3.gov/Media/News/2022/220126.pdf",
+ "https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/"
+ ],
+ "synonyms": [
+ "Emennet Pasargad",
+ "Holy Souls",
+ "NEPTUNIUM"
+ ]
+ },
+ "uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb",
+ "value": "Cotton Sandstorm"
 }
 ],
 "version": 297
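Review bot: The new entry's `description` says the group is linked to the Iranian government and sanctioned by the US Treasury, but `meta` records only `"country": "IR"`, so neither claim reaches consumers that match on fields rather than prose. If the file's other state-linked entries carry `cfr-suspected-state-sponsor`, add it here with the value those entries use, and consider adding the Treasury designation notice to `refs` so the sanction statement has a primary source. The description also ends without a full stop. Before merging, check that `Emennet Pasargad`, `Holy Souls` and `NEPTUNIUM` are not already synonyms of another cluster in this file, since a duplicated synonym makes tag matching ambiguous; the hunk does not show enough of the file to tell.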