From e97ecd46b0810fdbf7b19c98008a22f615ee14cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathieu=20B=C3=A9ligon?= <beligonmathieu@gmail.com>
Date: Tue, 21 May 2024 19:23:04 +0200
Subject: [PATCH] Add phantomcore reference

Co-authored-by: Rony <49360849+r0ny123@users.noreply.github.com>
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 278e80ae..cd41dc9a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15952,7 +15952,8 @@
       "description": "PhantomCore is a threat actor group known for using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, different from previous attacks exploiting vulnerabilities. The attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. PhantomCore's use of RAR archives in their attack chain has been previously observed in other threat actor groups like Forest Blizzard.",
       "meta": {
         "refs": [
-          "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage"
+          "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage",
+          "https://www.facct.ru/blog/phantomdl-loader"
         ]
       },
       "uuid": "485947c7-edb6-4a07-9276-2114dc767551",