From c38f62ae12eb18a77390727df754aab3894a53ed Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Fri, 30 Dec 2016 12:47:47 +0100
Subject: [PATCH] Packrat added

---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 08f0f9f4..7560b054 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1212,6 +1212,13 @@
       "meta": {
          "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
        }
+    },
+    {
+      "value": "Packrat",
+      "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries.  The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.",
+      "meta": {
+          "refs": ["https://citizenlab.org/2015/12/packrat-report/"]
+        }
     }
   ],
   "name": "Threat actor",
@@ -1226,5 +1233,5 @@
   ],
   "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
   "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 6
+  "version": 7
 }