From ba7137c5a3258e6da14382557f09a75a52f18fe6 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:02:03 -0800
Subject: [PATCH] [threat-actors] Add Lazarus Group aliases

---
 clusters/threat-actor.json | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9900145..ceb3fc8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3210,7 +3210,9 @@
           "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html",
           "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
           "https://attack.mitre.org/groups/G0082",
-          "https://attack.mitre.org/groups/G0032"
+          "https://attack.mitre.org/groups/G0032",
+          "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/",
+          "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds"
         ],
         "synonyms": [
           "Operation DarkSeoul",
@@ -3241,7 +3243,14 @@
           "ATK3",
           "G0032",
           "ATK117",
-          "G0082"
+          "G0082",
+          "Citrine Sleet",
+          "DEV-0139",
+          "DEV-1222",
+          "Diamond Sleet",
+          "ZINC",
+          "Sapphire Sleet",
+          "COPERNICIUM"
         ]
       },
       "related": [