From f066061f4b208d9d5cbea159b68a9b934f6d9d66 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon <mathieu@feedly.com>
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH] [threat-actors] Add Blacktail

---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0ca3a2f..7a52ac8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13513,6 +13513,19 @@
       },
       "uuid": "55bcc595-2442-4f98-9477-7fe9b507607c",
       "value": "SilverFish"
+    },
+    {
+      "description": "Blacktail is a cybercrime group that has gained attention for its ransomware campaigns, particularly the Buhti ransomware. They are known for using custom-built data exfiltration tools and have been observed exploiting vulnerabilities in both Windows and Linux systems.",
+      "meta": {
+        "refs": [
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware",
+          "https://fortiguard.fortinet.com/threat-signal-report/5170",
+          "https://www.redpacketsecurity.com/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/",
+          "https://www.redpacketsecurity.com/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code/"
+        ]
+      },
+      "uuid": "e06e1bcd-7da2-4732-934a-9fa1efa427ad",
+      "value": "Blacktail"
     }
   ],
   "version": 295