[threat-actors] add 9 actors #897

111 changes: 111 additions & 0 deletions clusters/threat-actor.json
@@ -13125,6 +13125,117 @@
},
"uuid": "e284c356-4b77-4f86-a8f2-7793cbe8662b",
"value": "AppMilad"
},
{
"description": "UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.",
"meta": {
"country": "CN",
"refs": [
"https://blog.polyswarm.io/unc4841-targeting-government-entities-with-barracuda-esg-0day-cve-2023-2868",
"https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
"https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
]
},
"uuid": "8959fbb4-95f0-485d-bba2-db9140b95386",
"value": "UNC4841"
},
{
"description": "CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa. They exploit vulnerabilities in on-premises Internet Information Services and Microsoft Exchange servers to infiltrate target networks. They engage in reconnaissance, locate vital assets, and have been observed using native Windows tools for privilege escalation.",
"meta": {
"refs": [
"https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
"https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/"
]
},
"uuid": "5d0aee14-f18a-44da-a44d-28d950f06b9c",
"value": "CL-STA-0043"
},
{
"description": "DEV-0928 is a threat actor that has been tracked by Microsoft since September 2022. They are known for their involvement in high-volume phishing campaigns, using tools offered by DEV-1101. DEV-0928 sends phishing emails to targets and has been observed launching campaigns involving millions of emails. They also utilize evasion techniques, such as redirection to benign pages, to avoid detection.",
"meta": {
"refs": [
"http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/"
]
},
"uuid": "8345dd24-7884-48e3-b231-4791d31afe3d",
"value": "DEV-0928"
},
{
"description": "TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.",
"meta": {
"country": "CN",
"refs": [
"https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/",
"https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/"
]
},
"uuid": "8dfac62e-395e-4e47-b6b6-8ab817ac25c1",
"value": "TEMP_Heretic"
},
{
"description": "WeedSec is a threat actor group that recently targeted the online learning and course management platform Moodle. They posted sample databases of Moodle on their Telegram channel, which is widely used by educational institutions and workplaces.",
"meta": {
"refs": [
"https://socradar.io/cyber-awakeness-month-takedown-of-trigona-hive-ransomware-resurges-ransomedforum-and-new-raas-qbit/"
]
},
"uuid": "000a2535-8fbf-459d-a067-d10528496a92",
"value": "WeedSec"
},
{
"description": "TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations. They have been active since at least 2017 and have recently shifted their attention to targeting cryptocurrencies. TA444 employs various infection methods and has a diverse range of malware and backdoors at their disposal. They have been attributed to stealing hundreds of millions of dollars' worth of cryptocurrency and related assets.",
"meta": {
"country": "KP",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
"https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/",
"https://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022"
]
},
"uuid": "5a38db83-16b3-477f-a045-66a922868eea",
"value": "TA444"
},
{
"description": "UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems.",
"meta": {
"refs": [
"https://socprime.com/blog/smokeloader-detection-uac-0006-group-launches-a-new-phishing-campaign-against-ukraine/",
"https://socprime.com/blog/smokeloader-malware-detection-uac-0006-hackers-launch-a-wave-of-phishing-attacks-against-ukraine-targeting-accountants/",
"https://socprime.com/blog/detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks/",
"https://socprime.com/blog/latest-threats/detect-smokeloader-malware-uac-0006-strikes-again-to-target-ukraine-in-a-series-of-phishing-attacks/",
"https://socprime.com/blog/smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures/",
"https://cert.gov.ua/article/4555802",
"https://cert.gov.ua/article/6123309"
]
},
"uuid": "013f56ea-a441-483f-812c-c384c790e474",
"value": "UAC-0006"
},
{
"description": "NewsPenguin is threat actor that has been targeting organizations in Pakistan. They use a complex payload delivery mechanism and exploit the upcoming Pakistan International Maritime Expo & Conference as a lure to trick their victims. The group has been linked to a phishing campaign that leverages spear-phishing emails and weaponized documents to deliver an advanced espionage tool.",
"meta": {
"refs": [
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs",
"https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool"
]
},
"uuid": "4c4a8cb7-b4c4-4637-8e41-dfe19a6b40c7",
"value": "NewsPenguin"
},
{
"description": "DefrayX is a threat actor group known for their RansomExx ransomware operations. They primarily target Linux operating systems, but also release versions for Windows. The group has been active since 2018 and has targeted various sectors, including healthcare and manufacturing. They have also developed other malware strains such as PyXie RAT, Vatet loader, and Defray ransomware.",
"meta": {
"refs": [
"https://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html",
"https://research.checkpoint.com/2022/28th-november-threat-intelligence-report/",
"https://securityintelligence.com/posts/ransomexx-upgrades-rust/"
],
"synonyms": [
"Hive0091"
]
},
"uuid": "9c102b55-29ea-4d90-9b36-33ba42f65d79",
"value": "DefrayX"
}
],
"version": 294
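Review bot: Several of the new descriptions in this hunk anchor themselves to a moving "now" ("recently targeted ... Moodle" in WeedSec, "recently shifted their attention" in TA444, "the upcoming Pakistan International Maritime Expo & Conference" in NewsPenguin), which will read as wrong once the cluster ages; replace each with the year or month the cited refs describe, e.g. "In 2023, WeedSec targeted ...". In the WeedSec entry the clause "which is widely used by educational institutions and workplaces" grammatically modifies the Telegram channel rather than Moodle; consider "Moodle, an online learning and course management platform widely used by educational institutions and workplaces". Two smaller points: the NewsPenguin description is missing an article ("NewsPenguin is a threat actor"), and the DEV-0928 ref is the only URL in the hunk using http:// rather than https://.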