From f0229fbdd2c066950c50cfa6522063d383456949 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 8 Jan 2024 05:23:28 -0800
Subject: [PATCH] [threat-actors] Add GREF
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c5acd1c..4692a32 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13893,6 +13893,17 @@
 },
 "uuid": "94ce7925-1a37-4b02-a25b-b87a389c92b3",
 "value": "GambleForce"
+ },
+ {
+ "description": "GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loaders, and ancillary tools in their targeted attacks. Recently, they have been attributed to two active Android campaigns that distribute the BadBazaar malware through malicious apps on official and alternative app stores. GREF has targeted Android users, particularly Uyghurs and other Turkic ethnic minorities outside of China, using trojanized versions of popular messaging apps like Signal and Telegram.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/"
+ ]
+ },
+ "uuid": "e6d16c22-0780-483c-9920-c1d9f27b10c8",
+ "value": "GREF"
 }
 ],
 "version": 296
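Review bot: The trailing context line still reads `"version": 296`, so the GREF cluster is added without changing the file's version. If consumers of `clusters/threat-actor.json` use that field to detect updated galaxy content (not visible in this hunk, so worth confirming), the new entry may not reach them until a later bump, and `"version": 297` would belong in this commit. In the added `description`, "Recently, they have been attributed to two active Android campaigns" is relative wording that goes stale in a long-lived knowledge base; replacing "Recently" with the publication date of the ESET report listed in `refs` keeps the attribution checkable. The `values` array and the preceding GambleForce entry begin outside the hunk, so uniqueness of the new `uuid` and `value` across the file cannot be confirmed from here.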