From eb43d9faf248bc9af5e059725847d2a7500b618a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:25 -0800
Subject: [PATCH] [threat-actors] Add RedStinger
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 897b5c5..2ef6b65 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12356,6 +12356,20 @@
 },
 "uuid": "27e11cc5-1688-4aea-a98d-96e6c275d005",
 "value": "UNC3890"
+ },
+ {
+ "description": "In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.",
+ "meta": {
+ "aliases": [
+ "Bad Magic"
+ ],
+ "refs": [
+ "https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger",
+ "https://securelist.com/bad-magic-apt/109087/"
+ ]
+ },
+ "uuid": "b813c6a2-f8c7-4071-83bd-24c181ff2bd4",
+ "value": "RedStinger"
 }
 ],
 "version": 289
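Review bot: The trailing context line `"version": 289` is unchanged although the hunk adds a new cluster, so consumers that decide whether to re-import threat-actor.json by comparing this number may not pick up RedStinger; unless the bump is made in a separate commit, change it to `"version": 290`. The description is also taken from the campaign write-up and never mentions the name RedStinger or how it relates to the `Bad Magic` alias, so an analyst reading only this entry cannot tell why the two names are linked. The targeted sectors and regions exist only as free text; adding them under `meta` as `cfr-target-category` and `cfr-suspected-victims` would let the entry be matched automatically. The array and the enclosing object that this hunk closes begin outside it.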