From be3c3952b4d92852105d5dc7768954ec30655ea9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 28 Feb 2016 09:47:19 +0100
Subject: [PATCH] More CN groups
---
 elements/apt-groups.json | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/elements/apt-groups.json b/elements/apt-groups.json
index e0b3ef1a..835b6f01 100644
--- a/elements/apt-groups.json
+++ b/elements/apt-groups.json
@@ -3,7 +3,7 @@
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "authors": ["Alexandre Dulaunoy", "Florian Roth", "Various"],
 "type": "APT Groups",
- "groups" : ["Comment Crew","Putter Panda","Sofacy","APT 29","Turla Group","Energetic Bear","Sandworm","Anunak","TeamSpy Crew","BuhTrap","Putter Panda","UPS","IXESHE","APT 16","Aurora Panda"],
+ "groups" : ["Comment Crew","Putter Panda","Sofacy","APT 29","Turla Group","Energetic Bear","Sandworm","Anunak","TeamSpy Crew","BuhTrap","Putter Panda","UPS","IXESHE","APT 16","Aurora Panda","Wekby","Axiom","Shell Crew","Naikon"],
 "details" : [
 {
 "group": "Comment Crew",
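Review bot: The rewritten `"groups"` array still lists `"Putter Panda"` twice (second and eleventh element), so the index this commit extends keeps a duplicate that any consumer building a tag list or lookup table from it will inherit. Since the line is being rewritten anyway, drop the second occurrence so the sequence reads `"BuhTrap","UPS"`. The array also repeats by hand the `"group"` keys of `"details"`, so a check that every name in `"groups"` has exactly one matching details entry (and vice versa) would catch both duplicates and names added to only one of the two places. The `"details"` array continues outside this hunk, so whether the existing names all have entries cannot be confirmed from here.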
@@ -42,6 +42,30 @@
 "synonyms": ["APT 17", "Deputy Dog", "Group 8"]
 },
 {
+ "group": "Wekby",
+ "refs": ["https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828"],
+ "country": "CN",
+ "synonyms": ["Dynamite Panda", "TG-0416", "APT 18" ]
+ },
+ {
+ "group": "Axiom",
+ "refs": ["http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/"],
+ "country": "CN",
+ "synonyms": ["Winnti Group", "Tailgater Team", "Group 72"]
+ },
+ {
+ "group": "Shell Crew",
+ "refs": ["http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf"],
+ "country": "CN",
+ "synonyms": ["Deep Panda", "WebMasters", "APT 19", "KungFu Kittens", "Black Vine", "Group 13", "PinkPanther", "Sh3llCr3w"]
+ },
+ {
+ "group": "Naikon",
+ "refs": ["https://securelist.com/analysis/publications/69953/the-naikon-apt/"],
+ "country": "CN",
+ "synonyms": ["PLA Unit 78020", "APT 30"]
+ },
+ {
 "group": "Sofacy",
 "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
 "refs": ["https://en.wikipedia.org/wiki/Sofacy_Group"],
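Review bot: None of the four new entries carries a `"description"`, so the `"country": "CN"` attribution and the merged vendor names in `"synonyms"` rest on a single reference each with no stated basis or confidence, unlike the Sofacy entry directly below. Analysts correlating reports through these synonyms will treat every listed name as the same actor; `"PLA Unit 78020"` under Naikon, for instance, reads as an organisational attribution rather than an alias. Add a short `"description"` per entry stating which vendor uses which name and how firm the country attribution is, along the lines of `"description": "Tracked as X by <vendor>; attribution to CN is estimated, see refs."`. Two of the `refs` use plain `http://`; the Axiom one can likely become `https://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/`, matching the scheme already used for the Naikon reference. The enclosing `"details"` array starts and ends outside this hunk.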