From ee2a8bec3212779e0522901017ad0677f224d91f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:07 -0800
Subject: [PATCH] [threat-actors] Add TA402
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f7d4221..2aaafb3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13340,6 +13340,18 @@
 },
 "uuid": "5587f082-349b-46ab-9e6f-303d9bfd1e1b",
 "value": "CostaRicto"
+ },
+ {
+ "description": "TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.",
+ "meta": {
+ "country": "PS",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government",
+ "https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage"
+ ]
+ },
+ "uuid": "aad291eb-08d1-4af4-9dd1-e90fe1f2d6c6",
+ "value": "TA402"
 }
 ],
 "version": 294
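Review bot: The new TA402 object has no `synonyms` list under `meta` and no `related` link, although Proofpoint's public reporting on this actor describes overlap with activity other vendors track as Molerats / Gaza Cybergang. If the cluster file already holds an entry for that group (it would sit outside this hunk), a second stand-alone object splits tagging and correlation across two UUIDs, so either fold TA402 into that entry as a synonym or link the two with `related`. `"country": "PS"` is also asserted without an `"attribution-confidence"` value under `meta`, which would let consumers weigh the attribution instead of treating it as settled. Finally, `"version": 294` appears only as unchanged context here; unless it is bumped in a companion commit, consumers that compare cluster versions may not pick up the new entry.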