From f0229fbdd2c066950c50cfa6522063d383456949 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:28 -0800 
Subject: [PATCH 01/10] [threat-actors] Add GREF 
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index c5acd1c..4692a32 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
@@ -13893,6 +13893,17 @@
 },
 "uuid": "94ce7925-1a37-4b02-a25b-b87a389c92b3",
 "value": "GambleForce" 
+ }, 
+ { 
+ "description": "GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loaders, and ancillary tools in their targeted attacks. Recently, they have been attributed to two active Android campaigns that distribute the BadBazaar malware through malicious apps on official and alternative app stores. GREF has targeted Android users, particularly Uyghurs and other Turkic ethnic minorities outside of China, using trojanized versions of popular messaging apps like Signal and Telegram.", 
+ "meta": { 
+ "country": "CN", 
+ "refs": [ 
+ "https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/" 
+ ] 
+ }, 
+ "uuid": "e6d16c22-0780-483c-9920-c1d9f27b10c8", 
+ "value": "GREF"
 }
 ],
 "version": 296 
From a6564bf61c1af08b19d27ba588a9cb52be758c12 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:28 -0800 
Subject: [PATCH 02/10] [threat-actors] Add PhantomControl 
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index 4692a32..c813e26 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
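Review bot: The trailing context line `"version": 296` is left untouched although this hunk appends a new entry, and the same holds for the nine hunks that follow in this series; consumers that sync on the cluster version will not notice ten new actors, so the last patch of the series should bump the version once. Within the GREF entry, `"Recently, they have been attributed to two active Android campaigns"` is time-relative and will go stale in a reference dataset; I would replace "Recently" with the year of the cited ESET report. `"country": "CN"` is consistent with the "China-aligned" wording of the description.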
@@ -13904,6 +13904,18 @@
 },
 "uuid": "e6d16c22-0780-483c-9920-c1d9f27b10c8",
 "value": "GREF" 
+ }, 
+ { 
+ "description": "PhantomControl is a sophisticated threat actor that emerged in November 2023. They utilize phishing emails as their initial infection vector and employ a ScreenConnect client to establish a connection for their malicious activities. Their arsenal includes a VBS script that hides its true intentions and reveals a complex mechanism involving PowerShell scripts and image-based data retrieval. PhantomControl has been associated with the Blind Eagle threat actors, showcasing their versatility and reach.", 
+ "meta": { 
+ "refs": [ 
+ "https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat", 
+ "https://www.esentire.com/blog/operation-phantomcontrol", 
+ "https://securityonline.info/esentire-vs-phantom-unveiling-the-cyber-spooks-dance-of-darkness/" 
+ ] 
+ }, 
+ "uuid": "a2208d56-8f08-4ca3-a304-8bdc334b5ebf", 
+ "value": "PhantomControl"
 }
 ],
 "version": 296 
From 05f260c9d838275913b9253b61b5fd9a2eb16c9b Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:28 -0800 
Subject: [PATCH 03/10] [threat-actors] Add Team-Xecuter 
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index c813e26..159f17b 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
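Review bot: The second reference slug `operation-phantomcontrol` suggests PhantomControl is the name of an operation rather than of an actor, and the description itself attributes the activity to `the Blind Eagle threat actors`; if Blind Eagle already exists in this cluster, this should probably be a related entry or synonym of it rather than a standalone actor — worth confirming against the cited eSentire posts. The opening `sophisticated` and the closing `showcasing their versatility and reach` are editorial and carry no verifiable fact; I would drop them and keep the description to the observed tradecraft (phishing, ScreenConnect, VBS and PowerShell staging).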
@@ -13916,6 +13916,16 @@
 },
 "uuid": "a2208d56-8f08-4ca3-a304-8bdc334b5ebf",
 "value": "PhantomControl" 
+ }, 
+ { 
+ "description": "Team-Xecuter is a hacking group led by Gary Bowser, also known as GaryOPA. They were involved in a piracy conspiracy against Nintendo, creating and selling illegal circumvention devices that allowed users to hack video game consoles for playing pirated games. Gary Bowser has admitted his participation in this activity and is facing legal consequences.", 
+ "meta": { 
+ "refs": [ 
+ "https://www.newslocker.com/en-uk/profession/security/ohio-schools-get-new-cybersecurity-resource/" 
+ ] 
+ }, 
+ "uuid": "ef9f4e6d-4262-4fca-9535-56af9e46281f", 
+ "value": "Team-Xecuter"
 }
 ],
 "version": 296 
From ce4be94d8b9d6cdffa8785e36478ccfa04c11a09 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:28 -0800 
Subject: [PATCH 04/10] [threat-actors] Add KelvinSecurity 
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index 159f17b..4de8e76 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
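Review bot: The only reference, `https://www.newslocker.com/en-uk/profession/security/ohio-schools-get-new-cybersecurity-resource/`, does not appear from its path to be about Team-Xecuter or the Nintendo case, so the entry is effectively unsourced; it should cite a primary source for the conspiracy and plea the description asserts (the prosecutor's or court record, or reporting that covers it). `"is facing legal consequences"` is time-relative and will age; state the outcome with a date instead. Whether a console-modchip piracy group belongs in a threat-actor cluster at all is a scope question the maintainers should settle before merging.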
@@ -13926,6 +13926,20 @@
 },
 "uuid": "ef9f4e6d-4262-4fca-9535-56af9e46281f",
 "value": "Team-Xecuter" 
+ }, 
+ { 
+ "description": "KelvinSecurity is a hacker group that has been active since at least 2015. They are known for their hacktivist and black hat activities, targeting public and private organizations globally. The group sells and leaks databases, documents, and access belonging to their victims, often on the dark web or their own platforms. They have been involved in attacks against various sectors, including telecommunications, political parties, and healthcare.", 
+ "meta": { 
+ "country": "ES", 
+ "refs": [ 
+ "https://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/", 
+ "https://www.privacyaffairs.com/kelvinsecurity-hacking-group-morena/", 
+ "https://www.databreaches.net/bits-n-pieces-trozos-y-piezas-31/", 
+ "https://www.ibtimes.com/anonymous-challenges-russias-supposed-cyber-prowess-repeat-rosatom-breach-leaks-data-3505131" 
+ ] 
+ }, 
+ "uuid": "7b8845d9-d7f5-4895-9dcc-54da3492bd55", 
+ "value": "KelvinSecurity"
 }
 ],
 "version": 296 
From 2c7adf27a0734097a2f715ee2c20ddf746a5001f Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:29 -0800 
Subject: [PATCH 05/10] [threat-actors] Add Storm-1113 
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index 4de8e76..48654f4 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
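Review bot: `"country": "ES"` is not supported by anything in the description, which only says the group targets organizations globally, and none of the four reference URLs make a Spanish origin evident from their titles; either add a sentence stating the basis for the attribution or drop the field until a cited source backs it. `meta.country` is consumed as a firm attribution by downstream tooling (correlation, country-level reporting), so an unsourced value does more harm than an absent one.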
@@ -13940,6 +13940,16 @@
 },
 "uuid": "7b8845d9-d7f5-4895-9dcc-54da3492bd55",
 "value": "KelvinSecurity" 
+ }, 
+ { 
+ "description": "Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks. In Storm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software that host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the developer of EugenLoader, a commodity malware first observed around November 2022.", 
+ "meta": { 
+ "refs": [ 
+ "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/" 
+ ] 
+ }, 
+ "uuid": "993e81e8-63f4-4666-9538-4053a69287ba", 
+ "value": "Storm-1113"
 }
 ],
 "version": 296 
From fc8db1a4d2097313893908a45a2a6fc16de1fe80 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:29 -0800 
Subject: [PATCH 06/10] [threat-actors] Add HomeLand Justice 
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index 48654f4..8cd0b5a 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
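Review bot: The description uses typographic quotes in `“as-a-service”` while the rest of the series uses escaped ASCII quotes (see `\"Five Families\"` in the Threatsec hunk); normalise to `\"as-a-service\"` so the text is consistent and plain-string searches match. Storm-#### is a temporary Microsoft designation, so the entry should be revisited once a permanent name is published and that name added under `synonyms`; the hunk gives no indication such a name exists yet.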
@@ -13950,6 +13950,19 @@
 },
 "uuid": "993e81e8-63f4-4666-9538-4053a69287ba",
 "value": "Storm-1113" 
+ }, 
+ { 
+ "description": "HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.", 
+ "meta": { 
+ "country": "IR", 
+ "refs": [ 
+ "https://www.picussecurity.com/resource/blog/cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp", 
+ "https://www.attackiq.com/2022/09/23/attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania/", 
+ "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against" 
+ ] 
+ }, 
+ "uuid": "bfc538e1-9205-420a-8641-6292023ecd08", 
+ "value": "HomeLand Justice"
 }
 ],
 "version": 296 
From 273379e5fa9960ab0de111a8a187e406ec500cbd Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:29 -0800 
Subject: [PATCH 07/10] [threat-actors] Add UAC-0099 
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index 8cd0b5a..1aa09a2 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
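Review bot: `"a well-known telecommunication company"` is too vague for a reference dataset; the reference URLs in this hunk point at the Albanian government as the target, so the description should name the victim as the sources do or drop the clause. The description asserts `Iranian state-sponsored` while the Mandiant reference title reads "likely Iranian threat actor"; `"country": "IR"` is defensible from the AA22-264A coverage cited, but the prose should match the confidence of its sources rather than overstate it.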
@@ -13963,6 +13963,17 @@
 },
 "uuid": "bfc538e1-9205-420a-8641-6292023ecd08",
 "value": "HomeLand Justice" 
+ }, 
+ { 
+ "description": "UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.", 
+ "meta": { 
+ "refs": [ 
+ "https://cert.gov.ua/article/4818341", 
+ "https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine" 
+ ] 
+ }, 
+ "uuid": "267488cb-159a-46d6-a6d6-fe93c90360b2", 
+ "value": "UAC-0099"
 }
 ],
 "version": 296 
From 97ed1bda8b9d08f2e5da506cacdcc16c2776ba58 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:29 -0800 
Subject: [PATCH 08/10] [threat-actors] Add Gray Sandstorm 
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index 1aa09a2..ce52508 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
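Review bot: `"a known WinRAR vulnerability"` should name the CVE identifier the cited CERT-UA and Deep Instinct reports use; an unnamed vulnerability cannot be correlated with vulnerability or detection content that consumes this cluster. The last sentence, `Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.`, is mitigation advice rather than a description of the actor and should be left to the referenced reports. `indicating a level of sophistication` is an opinion with no stated basis and can go as well.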
@@ -13974,6 +13974,21 @@
 },
 "uuid": "267488cb-159a-46d6-a6d6-fe93c90360b2",
 "value": "UAC-0099" 
+ }, 
+ { 
+ "description": "Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in support of Iranian interests.", 
+ "meta": { 
+ "country": "IR", 
+ "refs": [ 
+ "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", 
+ "https://www.microsoft.com/en-us/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/" 
+ ], 
+ "synonyms": [ 
+ "DEV-0343" 
+ ] 
+ }, 
+ "uuid": "6ea73b7f-b2e5-4e6d-a1ff-705f91175613", 
+ "value": "Gray Sandstorm"
 }
 ],
 "version": 296 
From 09b90261ee03c3d812da5aa1f459e7368e0d1124 Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:29 -0800 
Subject: [PATCH 09/10] [threat-actors] Add Threatsec 
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index ce52508..c600a8b 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
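Review bot: `DEV-0343` is added under `synonyms`, and the October 2021 Microsoft reference in this hunk carries that name in its title; if the cluster already has a DEV-0343 entry from that earlier reporting, this hunk creates a duplicate actor with a fresh `uuid` instead of updating the existing one. Please search the cluster for `DEV-0343` before merging and, if it is present, fold the Gray Sandstorm name and the 2021-11 reference into that entry rather than adding a second.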
@@ -13989,6 +13989,17 @@
 },
 "uuid": "6ea73b7f-b2e5-4e6d-a1ff-705f91175613",
 "value": "Gray Sandstorm" 
+ }, 
+ { 
+ "description": "ThreatSec is a hacktivist group that has targeted various organizations, including internet service providers in Gaza. They claim to fight for the rights and freedom of the oppressed and do not prioritize monetary gain. The group is part of the \"Five Families\" consortium, which includes other hacktivist groups such as GhostSec and Stormous. ThreatSec has been involved in cyberattacks, data breaches, and ransomware activities.", 
+ "meta": { 
+ "refs": [ 
+ "https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-we-know-about-the-ransomware-group-targeting-major-japanese-businesses", 
+ "https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/" 
+ ] 
+ }, 
+ "uuid": "179deaab-12d2-4371-b499-51b925546a22", 
+ "value": "Threatsec"
 }
 ],
 "version": 296 
From 1669da1661cd3d22b9512c71afa668a2a6067a2f Mon Sep 17 00:00:00 2001 
From: Mathieu4141 
Date: Mon, 8 Jan 2024 05:23:29 -0800 
Subject: [PATCH 10/10] [threat-actors] Add Cyber Toufan 
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json 
index c600a8b..7d9ec83 100644 
--- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json 
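Review bot: `"value": "Threatsec"` does not match the spelling `ThreatSec` used twice in the description; since `value` is the primary lookup key of the entry, the two should agree. I would set `"value": "ThreatSec"` and, if the lower-case form is in use anywhere, keep it reachable with `"synonyms": ["Threatsec"]` in `meta`. The description also mentions `GhostSec` and `Stormous` as fellow "Five Families" members, which is the kind of link the cluster normally records as a related entry rather than prose only.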
@@ -14000,6 +14000,21 @@
 },
 "uuid": "179deaab-12d2-4371-b499-51b925546a22",
 "value": "Threatsec" 
+ }, 
+ { 
+ "description": "Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group's tactics suggest potential nation-state backing, possibly from Iran. They have been involved in hack-and-leak operations, data breaches, and data destruction, impacting over 100 organizations. Cyber Toufan's activities align with geopolitical tensions in the Middle East and their attacks are characterized by a combination of technical breaches and psychological warfare.", 
+ "meta": { 
+ "country": "IR", 
+ "refs": [ 
+ "https://www.darkreading.com/cyberattacks-data-breaches/-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month", 
+ "https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/", 
+ "https://research.checkpoint.com/2023/11th-december-threat-intelligence-report/", 
+ "https://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict", 
+ "https://www.securityweek.com/palestinian-hackers-hit-100-israeli-organizations-in-destructive-attacks/" 
+ ] 
+ }, 
+ "uuid": "3decddc7-e554-48d8-8304-38b243fc9ccb", 
+ "value": "Cyber Toufan"
 }
 ],
 "version": 296
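Review bot: `"country": "IR"` asserts an attribution that the description itself only hedges (`suggest potential nation-state backing, possibly from Iran`), and the securityweek reference title frames the actors as Palestinian; the structured field and the prose must carry the same confidence. Either drop `country` until a cited source makes the attribution firm, or rewrite the sentence to state the attribution and which reference supports it. `impacting over 100 organizations` is consistent with the darkreading and securityweek reference titles, so that figure can stay as written.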