diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 0f5482af..efe508db 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -277,7 +277,16 @@
 ],
 "uuid": "00edb40d-2fed-4d36-98b1-c85fc2bb1168",
 "value": "PARINACOTA"
+ },
+ {
+ "value": "GADOLINIUM",
+ "description": "GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.\nHistorically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.",
+ "meta": {
+ "refs":[
+ "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
+ ]
+ }
 }
 ],
- "version": 8
+ "version": 9
 }
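Review bot: The new GADOLINIUM cluster entry has no `uuid`, while the PARINACOTA entry directly above it (visible in the context lines) carries `"uuid": "00edb40d-…"`; in this galaxy format each cluster value is identified and cross-referenced by its uuid, so an entry without one cannot be stably referenced by other galaxies, relationships or downstream consumers and will likely fail the repository's validation. Add a freshly generated, unique UUIDv4 to the new object, e.g. `"uuid": "<new UUIDv4>",` alongside `"value": "GADOLINIUM"`, and do not reuse an existing one. Separately, `"refs":[` lacks the space after the colon used elsewhere in the file, and the key order (`value` before `description`) differs from the sorted order the existing entries appear to follow — presumably the repo's jq-based formatter would normalise both, but it is cleaner to submit them already conforming. The description is a near-verbatim excerpt of the referenced Microsoft post; consider trimming it to the group's characterisation (sectors, toolchain shift to open-source and cloud PayGo infrastructure) so the entry reads as curated intelligence rather than a quote.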