diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c3676ffb..afc5ec09 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13000,6 +13000,131 @@
 },
 "uuid": "615311f0-58d4-4d1d-ac86-6ba86d119317",
 "value": "KAX17"
+ },
+ {
+ "description": "MirrorFace is a Chinese-speaking advanced persistent threat group that has been targeting high-value organizations in Japan, including media, government, diplomatic, and political entities. They have been conducting spear-phishing campaigns, utilizing malware such as LODEINFO and MirrorStealer to steal credentials and exfiltrate sensitive data. While there is speculation about their connection to APT10, ESET currently track them as a separate entity.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf",
+ "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
+ ]
+ },
+ "uuid": "e992d874-604b-4a09-9c6c-0319d5be652a",
+ "value": "MirrorFace"
+ },
+ {
+ "description": "VulzSec, also known as VulzSecTeam, is a hacktivist group that has been involved in various cyber-attacks. They have targeted government websites in retaliation for issues such as police brutality and the treatment of Indian Muslims. The group has been involved in campaigns like OpIndia2.0, where they planned to launch DDoS attacks on Indian government websites.",
+ "meta": {
+ "country": "ID",
+ "refs": [
+ "https://blog.cyble.com/2023/04/28/indian-ideology-targeted-by-hacktivists-reprisal-hacktivism-draws-more-attacks/",
+ "https://www.enigmasoftware.com/indonesian-sudanese-cyber-threats-continue-grow-size-scope/"
+ ],
+ "synonyms": [
+ "VulzSec"
+ ]
+ },
+ "uuid": "fcb18ca2-ea45-4f5c-a827-ed8b6b697a08",
+ "value": "VulzSecTeam"
+ },
+ {
+ "description": "Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. 
They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.dragos.com/blog/pipedream-mousehole-opcua-module/",
+ "https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/",
+ "https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/",
+ "https://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/"
+ ]
+ },
+ "uuid": "2ce00149-9a25-4dea-8dd5-59bdb68d11a1",
+ "value": "Chernovite"
+ },
+ {
+ "description": "MurenShark is an advanced persistent threat group that operates primarily in the Middle East, with a focus on targeting Turkey. They have shown interest in military projects, as well as research institutes and universities. This group is highly skilled in counter-analysis and reverse traceability, using sophisticated tactics to avoid detection. They utilize compromised websites as file servers and command and control servers, and have been known to use attack tools like NiceRender for phishing purposes.",
+ "meta": {
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-murenshark-apt-threat-actors-aka-actor210426-active-iocs"
+ ],
+ "synonyms": [
+ "Actor210426"
+ ]
+ },
+ "uuid": "e5c78742-bf60-4da8-b038-d548ae3f4ecb",
+ "value": "MurenShark"
+ },
+ {
+ "description": "DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. 
Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/",
+ "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
+ "https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html"
+ ]
+ },
+ "uuid": "6f6b187b-971b-4df9-a7ef-9b3fd7e092f7",
+ "value": "DriftingCloud"
+ },
+ {
+ "description": "UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia. They have been known to use USB devices as an initial infection vector and have been observed deploying various malware families on infected systems. UNC4191's operations have also extended to the US, Europe, and the Asia Pacific Japan region, with a particular focus on the Philippines.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia",
+ "https://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia/"
+ ]
+ },
+ "uuid": "df697450-57e0-496b-982c-a167ed41f023",
+ "value": "UNC4191"
+ },
+ {
+ "description": "DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the open-source tool SparkRAT, which is a multi-platform and frequently updated remote access Trojan. The threat actor is believed to be Chinese-speaking based on their use of Chinese language support and compromised infrastructure located in China and Taiwan. 
They employ various techniques to evade detection, including Golang source code interpretation and the use of the China Chopper webshell.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
+ ]
+ },
+ "uuid": "a219a78b-7b91-41b1-bf14-91e31e0bb9da",
+ "value": "DragonSpark"
+ },
+ {
+ "description": "The CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore. Running Malware-as-a-service, along with the hacker-for- hire operation, they have a wide variety of tools and services that are being offered on their website, making it a one-stop-shop for threat actors looking to purchase cost- effective yet customizable malware. The operators have started a ransomware affiliate program that equips the attackers with the ransomware and affiliate software to manage victims. FusionCore typically provides sellers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.",
+ "meta": {
+ "refs": [
+ "https://www.cyfirma.com/?post_type=out-of-band&p=17003"
+ ]
+ },
+ "uuid": "ab376039-4ede-4dfc-a45b-c80d9d994657",
+ "value": "FusionCore"
+ },
+ {
+ "description": "Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. 
They have been associated with malware such as WhiskerSpy and SLUB.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html",
+ "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html",
+ "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations/"
+ ]
+ },
+ "uuid": "a9f29636-26e4-42f0-95d1-7a49dd6f0a79",
+ "value": "Earth Kitsune"
+ },
+ {
+ "description": "AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is designed to silently infiltrate victims' devices and gather personal and corporate information, including private communications and photos. The group has been distributing the spyware through fake apps and targeting primarily Middle Eastern enterprises.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://zimpstage.wpengine.com/blog/we-smell-a-ratmilad-mobile-spyware/"
+ ]
+ },
+ "uuid": "e284c356-4b77-4f86-a8f2-7793cbe8662b",
+ "value": "AppMilad"
 }
 ],
 "version": 294
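Review bot: The cluster `version` at the end of the hunk is left as an unchanged context line (`"version": 294`) while ten new entries are added; MISP galaxy consumers rely on that counter to detect updated clusters, so the bump (`"version": 295`) should be part of this change. Two of the new references are not durable permalinks — the AppMilad entry cites a staging host (`zimpstage.wpengine.com`) and the FusionCore entry cites a WordPress query string (`?post_type=out-of-band&p=17003`) — and should point at the vendors' published article URLs. The FusionCore description also carries line-wrap artifacts from its source document (`hacker-for- hire`, `cost- effective`) that should be joined. If the mid-sentence breaks inside the Chernovite, DriftingCloud, DragonSpark and Earth Kitsune descriptions are literal newlines in the file rather than an artifact of this listing, they make the document invalid JSON and must be removed before merge.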