From 6222443b240b7052afd2b89fc997db3f0a831cf6 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Wed, 7 Feb 2024 10:51:47 +0100
Subject: [PATCH 1/2] add COATHANGER RAT

---
 clusters/rat.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index 6ffa2d6..922e63f 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3634,7 +3634,18 @@
 },
 "uuid": "b30cb6f4-1e0a-4a97-8d88-ca38f83b4422",
 "value": "STRRAT"
+ },
+ {
+ "description": "Chinese FortiGate RAT. The COATHANGER malware is a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code./nThe COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades./nMIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies./nMIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.",
+ "meta": {
+ "refs": [
+ "https://github.com/JSCU-NL/COATHANGER",
+ "https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear"
+ ]
+ },
+ "uuid": "c04e9738-de62-43e4-b645-2e308c1f77f7",
+ "value": "COATHANGER"
 }
 ],
- "version": 44
+ "version": 45
 }

From 4686aae3d5283b0fd55d7bd06718ec12f518fcef Mon Sep 17 00:00:00 2001
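Review bot: The added `"description"` value uses the literal two-character sequence `/n` as a paragraph separator in three places (`...present in the code./nThe COATHANGER malware...`, `...firmware upgrades./nMIVD & AIVD...`, `...and its allies./nMIVD & AIVD...`); a JSON parser keeps that as text, so every consumer will display `code./nThe` verbatim. The JSON escape for a newline is `\n`, so each occurrence should read like `...present in the code.\nThe COATHANGER malware is stealthy...`, or be replaced by a plain space if the cluster's other descriptions are single-paragraph. The opening fragment `Chinese FortiGate RAT.` also restates the sentence that follows it and could be dropped for a cleaner entry.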
From: Delta-Sierra
Date: Wed, 7 Feb 2024 10:52:40 +0100
Subject: [PATCH 2/2] add COATHANGER ref

---
 clusters/rat.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index 922e63f..6dbcf8d 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3640,7 +3640,8 @@
 "meta": {
 "refs": [
 "https://github.com/JSCU-NL/COATHANGER",
- "https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear"
+ "https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear",
+ "https://twitter.com/sehof/status/1754883344574103670"
 ]
 },
 "uuid": "c04e9738-de62-43e4-b645-2e308c1f77f7",
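Review bot: This second patch changes the cluster's content but, unlike the first patch, which moved `"version"` from 44 to 45, it leaves the file-level `"version"` untouched (that line sits outside this hunk); if downstream tooling uses `"version"` to detect an updated cluster, this change would go unnoticed and the field should be bumped again, e.g. `"version": 46`. The newly added reference is a social-media post URL, which can be edited or removed without notice, unlike the advisory and repository links already in `"refs"`; pointing at the primary source the post cites, or at an archived copy, would give analysts a more durable reference.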