Compare commits


6 Commits

Author SHA1 Message Date
Alexandre Dulaunoy ef73b3779a
Merge pull request #967 from r0ny123/fix
Fix
2024-04-27 07:29:03 +02:00
Rony 72402ce38b
chg: [threat-actor] STORM ->> Storm
2024-04-26 19:15:47 +00:00
Rony e71398bbd5
Merge branch 'main' into fix
2024-04-27 00:31:16 +05:30
Rony 3d5c61a8ef
fix: resolve conflict
2024-04-26 18:56:46 +00:00
Rony dd8b317912
chg: [threat-actor] `Earth Freybug` added
Tracking it separately for now though TM identified it as subset of APT41
2024-04-21 06:35:56 +00:00
Rony 07cc6be922
chg: [threat-actor] UNC3236 removed
2024-04-20 18:42:27 +00:00
1 changed files with 7 additions and 18 deletions


@ -8723,8 +8723,7 @@
"Earth Baku",
"Amoeba",
"HOODOO",
"Brass Typhoon",
"Earth Freybug"
"Brass Typhoon"
]
},
"related": [
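Review bot: dropping "Earth Freybug" from this synonyms list removes the only visible link to a group that the new Earth Freybug entry's own description (and the commit body) still calls a subset of APT41; consider recording that relationship explicitly with a `related` entry carrying an `estimative-language` tag, as the cluster format already does elsewhere in this diff, so consumers keep the association after the split. The trailing-comma handling is correct: "Brass Typhoon" is now the final element before `]`.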
@ -15855,25 +15854,15 @@
"value": "UNC3569"
},
{
"description": "Earth Freybug, identified as a subset of APT41, is a cyberthreat group active since at least 2012, engaging in espionage and financially motivated activities across various sectors worldwide. The tactics, techniques, and procedures (TTPs) used in this campaign are similar to the ones from a campaign (Operation CuckooBees) described in an article published by Cybereason. They employ a diverse toolkit, including LOLBins and custom malware, to execute sophisticated cyberespionage attacks. The group's recent tactics involve DLL hijacking and API unhooking through a newly discovered malware named UNAPIMON, which prevents child processes from being monitored. This technique was observed in a vmtoolsd.exe process creating remote tasks to deploy malicious batch files for reconnaissance and backdoor access. UNAPIMON's simplicity and use of Microsoft Detours for defense evasion highlight the group's evolving methods and the need for vigilant security measures, such as restricting admin privileges and adhering to the principle of least privilege. Earth Freybug's persistence and creativity in refining their techniques underscore the ongoing threat they pose and the importance of proactive cybersecurity practices.",
"meta": {
"country": "CN",
"refs": [
"https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
],
"synonyms": [
"Volt Typhoon"
"https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"
]
},
"related": [
{
"dest-uuid": "b2535333-629d-4cd6-a98b-14c86f6a57ee",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "associated-with"
}
],
"uuid": "97c6d972-a3af-4a21-94a2-0f5e09c7320e",
"value": "UNC3236"
"uuid": "c6e2e5ba-ffad-4258-8b6e-775b3fa230c3",
"value": "Earth Freybug"
},
{
"description": "Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.",
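Review bot: the UNC3236 entry is rewritten in place into Earth Freybug, but the `related` block (dest-uuid b2535333-629d-4cd6-a98b-14c86f6a57ee, `associated-with`, likelihood "likely") is carried over unchanged; that association was recorded for the UNC3236 / Volt Typhoon entry and may not hold for Earth Freybug, so either confirm it against the Trend Micro reference that replaces the Ivanti one or drop it. Separately, the removed uuid 97c6d972-a3af-4a21-94a2-0f5e09c7320e may appear as a dest-uuid elsewhere in the galaxy; a grep for it before merge would show whether this deletion leaves a dangling reference.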
@ -15929,7 +15918,7 @@
]
},
"uuid": "3d94ef07-9fd6-4d64-bf1e-f1316f2686a4",
"value": "STORM-1849"
"value": "Storm-1849"
},
{
"description": "USDoD is a threat actor known for leaking large databases of personal information, including from companies like Airbus and the U.S. Environmental Protection Agency. They have a history of engaging in high-profile data breaches, such as exposing data from the FBI's InfraGard program. USDoD has also been involved in web scraping to obtain information from websites like LinkedIn.",
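Review bot: only the `value` string changes here while the uuid 3d94ef07-9fd6-4d64-bf1e-f1316f2686a4 stays the same, so uuid-based references are unaffected, but anything that matched on the literal `STORM-1849` (tags, synonym lookups) will no longer resolve; consider adding the old spelling to this entry's `synonyms` list, or confirm there are no such consumers.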