From e086bee02e0d897974260b0c27c19de3c6644d9e Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 17 Oct 2023 11:21:48 +0200
Subject: [PATCH] [threat-actors] More aliases of iranian apts
---
 clusters/threat-actor.json | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fc47ca3..0835ead 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6246,13 +6246,19 @@
 "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
 "https://www.cfr.org/cyber-operations/apt-35",
 "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
- "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/"
+ "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/",
+ "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
+ "https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/",
+ "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
 ],
 "synonyms": [
 "Newscaster Team",
 "Magic Hound",
 "G0059",
- "Phosphorus"
+ "Phosphorus",
+ "Mint Sandstorm",
+ "TunnelVision",
+ "COBALT MIRAGE"
 ]
 },
 "related": [
@@ -11573,7 +11579,8 @@
 "https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
 ],
 "synonyms": [
- "Nemesis Kitten"
+ "Nemesis Kitten",
+ "Storm-0270"
 ]
 },
 "related": [
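Review bot: In the first hunk's `synonyms` list, `TunnelVision` and `COBALT MIRAGE` are added as flat synonyms next to `Phosphorus`, but the SentinelOne and Secureworks reports added as references in the same hunk appear to describe activity that overlaps with or is linked to Phosphorus rather than a straight rename of it, unlike `Mint Sandstorm`. Consumers that correlate or tag events on `synonyms` would then fold reporting on those clusters into this entry and lose the distinction during triage. If the vendors do track them separately, an entry in the `related` array would express the overlap without merging them; that array begins on the hunk's last line and its contents are not visible here. It is also worth confirming that `COBALT MIRAGE` does not belong on the entry in the second hunk instead, which already references the DEV-0270 ransomware write-up and gains `Storm-0270`, so the same alias does not end up resolving to two clusters.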