From 8c861848f8f54f28af5aaeb9501067a60fc2a0cb Mon Sep 17 00:00:00 2001
From: Daniel Roethlisberger
Date: Tue, 17 Apr 2018 15:49:05 +0200
Subject: [PATCH] Add Comnie RAT.
---
 clusters/rat.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/rat.json b/clusters/rat.json
index 39933089..88c8535d 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2421,6 +2421,17 @@
 "https://github.com/xlinshan/Coldroot"
 ]
 }
+ },
+ {
+ "value": "Comnie",
+ "description": "Comnie is a RAT originally identified by Sophos. It has been using Github, Tumbler and Blogspot as covert channels for its C2 communications. Comnie has been observed targetting government, defense, aerospace, high-tech and telecommunication sectors in Asia.",
+ "uuid": "fbc5bbb2-38b4-4fa3-9b9f-624e05cdc648",
+ "meta": {
+ "refs": [
+ "https://exchange.xforce.ibmcloud.com/collection/East-Asia-Organizations-Victims-of-Comnie-Attack-12749a9dbc20e2f40b3ae99c43416d8c",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/"
+ ]
+ }
 }
 ]
 }
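Review bot: The `description` string of the new Comnie entry names the C2 hosting service as `Tumbler`, which looks like a misspelling of Tumblr, and it also has `targetting` for `targeting`. Cluster descriptions are matched by keyword when analysts pivot on a covert-channel service, so the misspelled name can make this entry miss a search for Tumblr-hosted C2. I would change the two phrases to `using GitHub, Tumblr and Blogspot as covert channels` and `observed targeting government, defense, aerospace`. The description also credits Sophos with the original identification, but neither URL in `refs` is a Sophos source as far as the visible lines show. Adding that reference would make the attribution checkable.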