diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c5acd1c..4692a32 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13893,6 +13893,17 @@
       },
       "uuid": "94ce7925-1a37-4b02-a25b-b87a389c92b3",
       "value": "GambleForce"
+    },
+    {
+      "description": "GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loaders, and ancillary tools in their targeted attacks. Recently, they have been attributed to two active Android campaigns that distribute the BadBazaar malware through malicious apps on official and alternative app stores. GREF has targeted Android users, particularly Uyghurs and other Turkic ethnic minorities outside of China, using trojanized versions of popular messaging apps like Signal and Telegram.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/"
+        ]
+      },
+      "uuid": "e6d16c22-0780-483c-9920-c1d9f27b10c8",
+      "value": "GREF"
     }
   ],
   "version": 296