From e333b150638ecc0081dbf6580aef6fd7703de5a9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:55 -0800
Subject: [PATCH] [threat-actors] Add TEMP_Heretic
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c603f47..1c65bf6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13159,6 +13159,18 @@
 },
 "uuid": "8345dd24-7884-48e3-b231-4791d31afe3d",
 "value": "DEV-0928"
+ },
+ {
+ "description": "TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/",
+ "https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/"
+ ]
+ },
+ "uuid": "8dfac62e-395e-4e47-b6b6-8ab817ac25c1",
+ "value": "TEMP_Heretic"
 }
 ],
 "version": 294
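Review bot: The trailing context line `"version": 294` is left untouched although a new cluster entry is added; galaxy consumers use that counter to notice an updated cluster file, so the bump (`"version": 295`) should be part of this patch rather than a follow-up. The two `refs` also cannot be matched to the description's claims: the description speaks of "targeted spear-phishing campaigns", while the first ref's slug reads "mass-spreading-campaign-targeting-zimbra-users", so either the description should say which source supports which behaviour or the ref that does not describe this actor should be dropped. The `"country": "CN"` attribution is asserted without a sentence in the description tying it to a source; if it rests on the Volexity write-up, the description should say so, otherwise it should be hedged the way the rest of the entry is.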