From f5ff479a13f249bc16a9d6f40b9fb9ba959f1a68 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Thu, 4 Aug 2016 15:43:16 +0200
Subject: [PATCH] NANHAISHU added

---
 elements/threat-actor-tools.json | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/elements/threat-actor-tools.json b/elements/threat-actor-tools.json
index ad6f88c..4c260ba 100644
--- a/elements/threat-actor-tools.json
+++ b/elements/threat-actor-tools.json
@@ -491,6 +491,11 @@
       "value": "Prikormka",
       "description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.",
       "refs": ["http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"]
+    },
+    {
+      "value": "NanHaiShu",
+      "description": "This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.",
+      "refs": ["https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf"]
     }
 
   ],