From fdac01cd89ad165dedf785735f5cfcfc4be6de0a Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 6 Dec 2023 17:42:33 -0800
Subject: [PATCH] [threat-actors] Add UNC2630

---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3d2a291..09fa9a8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13757,6 +13757,18 @@
       },
       "uuid": "e3ff56b6-2663-46bd-9e5c-017a350896d9",
       "value": "UAC-0050"
+    },
+    {
+      "description": "UNC2630 is a threat actor believed to be affiliated with the Chinese government. They engage in cyber espionage activities, targeting organizations aligned with Beijing's strategic objectives. UNC2630 demonstrates advanced tradecraft and employs various malware families, including SLOWPULSE and RADIALPULSE, to compromise Pulse Secure VPN appliances. They also utilize modified binaries and scripts to maintain persistence and move laterally within compromised networks.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html",
+          "http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
+        ]
+      },
+      "uuid": "86dfe64e-7101-4d45-bb94-efc40c5e14fe",
+      "value": "UNC2630"
     }
   ],
   "version": 295
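Review bot: The second `refs` entry in the new UNC2630 object points at `http://internal-www.fireeye.com/...`, an internal hostname over plain http that consumers of this public cluster cannot resolve; the same post lives on the host the first ref already uses, so the line should read `"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"`. The description hedges the attribution ("believed to be affiliated") while `"country": "CN"` is asserted without qualification; if this cluster follows the MISP galaxy convention of an `attribution-confidence` meta value, adding one here would keep the two consistent (the value itself is for the author to choose). The enclosing `values` array and the object before the hunk start outside the visible lines.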