From f6f6ab550f905c21f0fd7e93a00620ff71a6e501 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 26 Sep 2024 17:36:42 +0200
Subject: [PATCH 1/3] chg: [ransomware] updated
---
 README.md | 2 +-
 clusters/ransomware.json | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index e5620d1a..8b3c6f9e 100644
--- a/README.md
+++ b/README.md
@@ -495,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *38* elements
 [Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project.
-Category: *tool* - source: *Various* - total: *1804* elements
+Category: *tool* - source: *Various* - total: *1805* elements
 [[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 2a91f5c2..3ff94d11 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -28551,7 +28551,8 @@
 "description": "",
 "meta": {
 "links": [
- "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
+ "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion",
+ "http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion"
 ],
 "refs": [
 "https://www.ransomlook.io/group/black suit"
@@ -29682,7 +29683,19 @@
 },
 "uuid": "2a1e103b-da5f-56d6-a0c8-5daff4c4fd87",
 "value": "orca"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://hackerosyolorz77y7vwj57zobwdeuzydhctz3kuuzr52ylzayvxuqyd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/osyolorz collective"
+ ]
+ },
+ "uuid": "99ddf1b6-7d75-58f6-b340-47545fec5e55",
+ "value": "osyolorz collective"
 }
 ],
- "version": 133
+ "version": 134
 }
From aeab78b95eada597f609ee9521bcff681634939c Mon Sep 17 00:00:00 2001
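Review bot: The new `osyolorz collective` entry in the second clusters/ransomware.json hunk has no `description` key, while the `black suit` entry visible in the first hunk carries `"description": ""`; if the galaxy's validation or downstream consumers expect the key on every cluster, adding `"description": "",` before `"meta"` keeps the shape uniform. The added ref `https://www.ransomlook.io/group/osyolorz collective` contains an unencoded space, matching the existing `black suit` ref, so it appears to be the project's convention for ransomlook.io links, but `osyolorz%20collective` would make it a valid URI for tooling that dereferences refs. The `version` bump from 133 to 134 in this hunk is the signal importers use to notice the updated file, so it is good that it is part of the same change.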
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Thu, 26 Sep 2024 17:12:54 +0000
Subject: [PATCH 2/3] chg: [threat-actor] `GhostEmperor` updated
---
 clusters/threat-actor.json | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3cce334d..d51bb9c6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15233,8 +15233,18 @@
 "meta": {
 "country": "CN",
 "refs": [
- "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
- "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf",
+ "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/",
+ "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf",
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation",
+ "https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/",
+ "https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835"
+ ],
+ "synonyms": [
+ "FamousSparrow",
+ "UNC2286",
+ "Salt Typhoon"
 ]
 },
 "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
From e6db8c579a4ae9623dea49674869b206b7e9841d Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Thu, 26 Sep 2024 18:21:38 +0000
Subject: [PATCH 3/3] chg: [threat-actor] added a relationship between `Earth Estries` and `GhostEmperor`
---
 clusters/threat-actor.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d51bb9c6..65613817 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
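Review bot: The clusters/threat-actor.json hunk changes the GhostEmperor cluster's `refs` and `synonyms` but neither this patch nor [PATCH 3/3] bumps the file's top-level `version` (the diffstats show only the hunk insertions/deletions), whereas [PATCH 1/3] raises ransomware.json from `"version": 133` to `134`; as far as I know, galaxy importers rely on that counter to detect an updated cluster file, so unless the bump lands in a later commit outside this series, consumers may not pick up the new data. On the added `synonyms`, listing `FamousSparrow` and `UNC2286` asserts that those names denote the same actor; if the cited reporting treats the overlap as an assessment rather than a confirmed identity, the `related` entry with an `estimative-language` tag that [PATCH 3/3] uses for Earth Estries expresses that without collapsing two tracked names into one, and avoids duplicate coverage if a separate FamousSparrow cluster already exists in this file (not visible here). The Mandiant blog URL is replaced by its cloud.google.com counterpart on the same topic, which reads as a URL migration rather than a dropped source. The enclosing cluster object starts before and ends after this hunk.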
@@ -12795,6 +12795,15 @@
 "https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
 "value": "Earth Estries"
 },
@@ -15247,6 +15256,15 @@
 "Salt Typhoon"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
 "value": "GhostEmperor"
 },
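Review bot: Neither hunk adds a reference that documents the basis for the `likely` / `similar` assessment between Earth Estries and GhostEmperor, and the commit message names no source, so a reader of the galaxy cannot audit why the two clusters are linked. If the basis is the Salt Typhoon reporting added to GhostEmperor in [PATCH 2/3], adding that same URL to the Earth Estries entry's `refs` (the visible tail of that array ends with the SentinelOne article) would make the relationship traceable from both sides. The two `dest-uuid` values do cross-reference each other's `uuid` correctly (`3c3ca8f3-…` from Earth Estries, `1f7f4a51-…` from GhostEmperor), and both `related` arrays sit between `meta` and `uuid` consistently. Both enclosing cluster objects begin before their hunk.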