From f1d514afc41a6f75b519fdc85de0945a0034fe06 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:01:56 -0800
Subject: [PATCH] [threat-actors] Add Cuboid Sandstorm

---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b75494f..36f2768 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14173,6 +14173,20 @@
       },
       "uuid": "46104ded-49f5-4440-bd25-e05c1126f0ba",
       "value": "Blue Tsunami"
+    },
+    {
+      "description": "Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company's network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/"
+        ],
+        "synonyms": [
+          "DEV-0228"
+        ]
+      },
+      "uuid": "a4004712-f74b-4c8c-b1fb-bb7229bc2da1",
+      "value": "Cuboid Sandstorm"
     }
   ],
   "version": 298