From 247dd8652338797ab358859b1c7a6aa16bb9d851 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 15 Nov 2023 08:19:01 -0800 Subject: [PATCH 1/2] [threat-actors] Add Bohrium --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7343e5da..44b90ada 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -12976,6 +12976,17 @@ }, "uuid": "c8782e46-447c-4c6e-90c0-82f3bf49d64b", "value": "Prolific Puma" + }, + { + "description": "Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. They often create fake social media profiles, particularly posing as recruiters, to trick victims into running malware on their computers. Microsoft's Digital Crimes Unit has taken legal action and seized 41 domains used by Bohrium to disrupt their activities. The group has shown a particular interest in sectors such as technology, transportation, government, and education.", + "meta": { + "country": "IR", + "refs": [ + "https://twitter.com/CyberAmyHB/status/1532398956918890500" + ] + }, + "uuid": "111efc97-6a93-487b-8cb3-1e890ac51066", + "value": "Bohrium" } ], "version": 294 From 3209c45b42ae7f14fbbc682378b5c19d3661472c Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 15 Nov 2023 08:19:01 -0800 Subject: [PATCH 2/2] [threat-actors] Add KAX17 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 44b90ada..c3676ffb 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -12987,6 +12987,19 @@ }, "uuid": "111efc97-6a93-487b-8cb3-1e890ac51066", "value": "Bohrium" + }, + { + "description": "KAX17 is a sophisticated threat actor that has been active since at least 2017. They have operated hundreds of malicious servers within the Tor network, primarily as entry and middle points. Their main objective appears to be collecting information on Tor users and mapping their routes within the network. Despite efforts to remove their servers, KAX17 has shown resilience and continues to operate.", + "meta": { + "refs": [ + "https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network/amp", + "https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays", + "https://darknetlive.com/post/who-is-responsible-for-running-hundreds-of-malicious-tor-relays/", + "https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-against-tor-users-42e566defce8" + ] + }, + "uuid": "615311f0-58d4-4d1d-ac86-6ba86d119317", + "value": "KAX17" } ], "version": 294