Merge pull request #912 from Mathieu4141/threat-actors/e9aabcbd-e284-4f9a-8fe1-866cc0a8cd5a

[threat-actors] Add 10 actors
Alexandre Dulaunoy 2024-01-08 16:57:54 +01:00 committed by GitHub
commit e53c4db1fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 122 additions and 0 deletions


@ -13893,6 +13893,128 @@
},
"uuid": "94ce7925-1a37-4b02-a25b-b87a389c92b3",
"value": "GambleForce"
},
{
"description": "GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loaders, and ancillary tools in their targeted attacks. Recently, they have been attributed to two active Android campaigns that distribute the BadBazaar malware through malicious apps on official and alternative app stores. GREF has targeted Android users, particularly Uyghurs and other Turkic ethnic minorities outside of China, using trojanized versions of popular messaging apps like Signal and Telegram.",
"meta": {
"country": "CN",
"refs": [
"https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/"
]
},
"uuid": "e6d16c22-0780-483c-9920-c1d9f27b10c8",
"value": "GREF"
},
{
"description": "PhantomControl is a sophisticated threat actor that emerged in November 2023. They utilize phishing emails as their initial infection vector and employ a ScreenConnect client to establish a connection for their malicious activities. Their arsenal includes a VBS script that hides its true intentions and reveals a complex mechanism involving PowerShell scripts and image-based data retrieval. PhantomControl has been associated with the Blind Eagle threat actors, showcasing their versatility and reach.",
"meta": {
"refs": [
"https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat",
"https://www.esentire.com/blog/operation-phantomcontrol",
"https://securityonline.info/esentire-vs-phantom-unveiling-the-cyber-spooks-dance-of-darkness/"
]
},
"uuid": "a2208d56-8f08-4ca3-a304-8bdc334b5ebf",
"value": "PhantomControl"
},
{
"description": "Team-Xecuter is a hacking group led by Gary Bowser, also known as GaryOPA. They were involved in a piracy conspiracy against Nintendo, creating and selling illegal circumvention devices that allowed users to hack video game consoles for playing pirated games. Gary Bowser has admitted his participation in this activity and is facing legal consequences.",
"meta": {
"refs": [
"https://www.newslocker.com/en-uk/profession/security/ohio-schools-get-new-cybersecurity-resource/"
]
},
"uuid": "ef9f4e6d-4262-4fca-9535-56af9e46281f",
"value": "Team-Xecuter"
},
{
"description": "KelvinSecurity is a hacker group that has been active since at least 2015. They are known for their hacktivist and black hat activities, targeting public and private organizations globally. The group sells and leaks databases, documents, and access belonging to their victims, often on the dark web or their own platforms. They have been involved in attacks against various sectors, including telecommunications, political parties, and healthcare.",
"meta": {
"country": "ES",
"refs": [
"https://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/",
"https://www.privacyaffairs.com/kelvinsecurity-hacking-group-morena/",
"https://www.databreaches.net/bits-n-pieces-trozos-y-piezas-31/",
"https://www.ibtimes.com/anonymous-challenges-russias-supposed-cyber-prowess-repeat-rosatom-breach-leaks-data-3505131"
]
},
"uuid": "7b8845d9-d7f5-4895-9dcc-54da3492bd55",
"value": "KelvinSecurity"
},
{
"description": "Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks. In Storm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software that host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the developer of EugenLoader, a commodity malware first observed around November 2022.",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"
]
},
"uuid": "993e81e8-63f4-4666-9538-4053a69287ba",
"value": "Storm-1113"
},
{
"description": "HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.",
"meta": {
"country": "IR",
"refs": [
"https://www.picussecurity.com/resource/blog/cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp",
"https://www.attackiq.com/2022/09/23/attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania/",
"https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against"
]
},
"uuid": "bfc538e1-9205-420a-8641-6292023ecd08",
"value": "HomeLand Justice"
},
{
"description": "UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.",
"meta": {
"refs": [
"https://cert.gov.ua/article/4818341",
"https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine"
]
},
"uuid": "267488cb-159a-46d6-a6d6-fe93c90360b2",
"value": "UAC-0099"
},
{
"description": "Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in support of Iranian interests.",
"meta": {
"country": "IR",
"refs": [
"https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
"https://www.microsoft.com/en-us/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/"
],
"synonyms": [
"DEV-0343"
]
},
"uuid": "6ea73b7f-b2e5-4e6d-a1ff-705f91175613",
"value": "Gray Sandstorm"
},
{
"description": "ThreatSec is a hacktivist group that has targeted various organizations, including internet service providers in Gaza. They claim to fight for the rights and freedom of the oppressed and do not prioritize monetary gain. The group is part of the \"Five Families\" consortium, which includes other hacktivist groups such as GhostSec and Stormous. ThreatSec has been involved in cyberattacks, data breaches, and ransomware activities.",
"meta": {
"refs": [
"https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-we-know-about-the-ransomware-group-targeting-major-japanese-businesses",
"https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/"
]
},
"uuid": "179deaab-12d2-4371-b499-51b925546a22",
"value": "Threatsec"
},
{
"description": "Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group's tactics suggest potential nation-state backing, possibly from Iran. They have been involved in hack-and-leak operations, data breaches, and data destruction, impacting over 100 organizations. Cyber Toufan's activities align with geopolitical tensions in the Middle East and their attacks are characterized by a combination of technical breaches and psychological warfare.",
"meta": {
"country": "IR",
"refs": [
"https://www.darkreading.com/cyberattacks-data-breaches/-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month",
"https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/",
"https://research.checkpoint.com/2023/11th-december-threat-intelligence-report/",
"https://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict",
"https://www.securityweek.com/palestinian-hackers-hit-100-israeli-organizations-in-destructive-attacks/"
]
},
"uuid": "3decddc7-e554-48d8-8304-38b243fc9ccb",
"value": "Cyber Toufan"
}
],
"version": 296
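Review bot: The new ThreatSec entry's `value` is spelled `"Threatsec"` while its own description writes "ThreatSec"; since `value` is the canonical name that other clusters, synonyms and downstream matching key on, the two should agree, e.g. `"value": "ThreatSec"`. The single reference on the Team-Xecuter entry appears, judging by its URL, to be an article about an Ohio schools cybersecurity resource rather than the Bowser/Nintendo case the description summarises, so it should be swapped for a source that actually supports the text. Cyber Toufan's `"country": "IR"` states an attribution that the description itself only hedges as "possibly from Iran"; either drop the structured country field or tighten the prose so the machine-readable claim is not more confident than the evidence cited. With zero deletions in the diffstat the trailing `"version": 296` is unchanged context, so consumers that detect galaxy updates via the version field would not notice the ten added entries without a bump. The enclosing `values` array starts outside this hunk.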