Skip to content

Commit

Permalink
Merge pull request #890 from Mathieu4141/threat-actors/7ca42298-3f55-…
Browse files Browse the repository at this point in the history
…49c0-b88d-dc7b14733dbb

[threat-actors] Add 10 actors
  • Loading branch information
adulau authored Nov 7, 2023
2 parents 4b4f1e8 + f52382a commit 89e39dd
Showing 1 changed file with 123 additions and 0 deletions.
123 changes: 123 additions & 0 deletions clusters/threat-actor.json
Original file line number Diff line number Diff line change
Expand Up @@ -12688,6 +12688,129 @@
},
"uuid": "825abfd9-7238-4438-a9e7-c08791f4df4e",
"value": "TraderTraitor"
},
{
"description": "The Dark Overlord is a financially motivated ransomware group that has been active since 2016. The group is known for targeting large organizations, including Netflix, ABC, and Miramax.",
"meta": {
"refs": [
"https://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/",
"http://securityaffairs.co/wordpress/64782/data-breach/london-bridge-plastic-surgery-hack.html",
"http://www.csoonline.com/article/3193397/security/no-netflix-is-not-a-victim-of-ransomware.html"
]
},
"uuid": "167bd5f9-fa61-4a4e-91bc-3ca0d17294b2",
"value": "TheDarkOverlord"
},
{
"description": "UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON. These intrusions have stemmed from victims accessing malicious websites that use SEO techniques to improve Google search rankings. After obtaining a foothold in the environment, UNC2565 has conducted reconnaissance and credential harvesting activity using common tools such as BLOODHOUND and KERBEROAST. UNC2565's motivations are currently unknown but overlaps with activity that has led to SODINOKIBI ransomware. This suggests that the threat group may be financially motivated.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations",
"https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/",
"https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/"
],
"synonyms": [
"Hive0127"
]
},
"uuid": "d7d270d2-b91f-4978-a9e9-76fa7f0d8f06",
"value": "UNC2565"
},
{
"description": "Desorden (Disorder in Spanish, previously known as ChaosCC), is a financially motivated hacker group. The group first emerged under the new name Desorden in September 2021, on Raidforums. Today the group maintains users under that name on several popular English-speaking hacking forums, where they share their attacks and ransom demands, and offer databases for sale. The group gained an excellent reputation among the cybercriminal communities due to their successful operations and the unique data that they share and offer for sale.",
"meta": {
"refs": [
"https://www.databreaches.net/major-malaysian-water-utilities-company-hit-by-hackers-ranhill-offline-hackers-claim-databases-and-backups-deleted/",
"https://www.databreaches.net/one-month-later-ranhill-still-hasnt-fully-recovered-from-cyberattack/",
"https://www.databreaches.net/malaysian-online-stock-brokerage-firm-victim-of-cyberattack/",
"https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/",
"https://www.databreaches.net/thailands-the-icon-group-hacked-by-desorden/",
"https://www.databreaches.net/customer-data-from-hundreds-of-indonesian-and-malaysian-restaurants-hacked-by-desorden/",
"https://www.databreaches.net/major-indonesia-tollroad-operator-hacked-by-desorden/",
"https://www.databreaches.net/recent-cyberattacks-put-thai-citizens-privacy-and-data-security-at-greater-risk/",
"https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/",
"https://seclists.org/dataloss/2021/q4/81"
]
},
"uuid": "e89ebfcb-e7a3-4b2d-b0d7-399bb4904e27",
"value": "Desorden Group"
},
{
"description": "Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.",
"meta": {
"country": "IN",
"refs": [
"https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477",
"https://blog.nsfocus.net/aptconfuciuspakistanibo/"
]
},
"uuid": "54618130-55d3-4506-b62b-67f2dca12b04",
"value": "Confucious"
},
{
"description": "CrowdStrike identified a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. Called “Kiss-a-dog,” the campaign targets Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog” mining pools.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/"
]
},
"uuid": "1db6375f-0471-47c5-8128-5ab1519b01ab",
"value": "Kiss-a-Dog"
},
{
"description": "Microsoft reported on MCCrash, an IoT botnet operated by the DEV-1028 threat actor and used to launch DDoS attacks against private Minecraft servers.",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/"
]
},
"uuid": "6616d2ac-2025-47f8-bb1a-1ece2b627c16",
"value": "DEV-1028"
},
{
"description": "TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.",
"meta": {
"refs": [
"https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
"https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/"
]
},
"uuid": "533af03d-e160-4312-a92f-0500055f2b56",
"value": "TwoSail Junk"
},
{
"description": "Cloud security company Lacework says it discovered a threat actor group named Xcatze that uses a Python named AndroxGh0st to take over AWS servers and send out massive email spam campaigns. Lacework says the malware operates by scanning web apps written in the Laravel PHP framework for exposed configuration files to identify and steal server credentials. Researchers said AndroxGh0st specifically searches for AWS, SendGrid, and Twilio credentials, which it uses to take control of email servers and accounts and send out the spam campaigns.",
"meta": {
"refs": [
"https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/"
]
},
"uuid": "83764206-8012-47c6-9c7a-dc04c99559e7",
"value": "Xcatze"
},
{
"description": "Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.",
"meta": {
"refs": [
"http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa"
]
},
"uuid": "87f1ab70-a102-4566-a09e-838b39c18a62",
"value": "BlueBottle"
},
{
"description": "The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.",
"meta": {
"country": "CN",
"refs": [
"https://asec.ahnlab.com/en/56941/",
"https://asec.ahnlab.com/en/56236/",
"https://asec.ahnlab.com/en/47455/",
"https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
]
},
"uuid": "be4ea668-6a74-44d9-946e-e98e64a8855b",
"value": "Dalbit"
}
],
"version": 293
Expand Down

0 comments on commit 89e39dd

Please sign in to comment.