Merge branch 'main' of github.com:MISP/misp-galaxy into main
adulau committed Nov 21, 2023
2 parents e88c316 + c8fa369 commit d6feab1
Showing 1 changed file with 128 additions and 0 deletions.
128 changes: 128 additions & 0 deletions clusters/threat-actor.json
@@ -13236,6 +13236,134 @@
},
"uuid": "9c102b55-29ea-4d90-9b36-33ba42f65d79",
"value": "DefrayX"
},
{
"description": "PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives. They have been active since at least August 2019 and are believed to be based in Vietnam. PerSwaysion has recently updated their techniques, using more direct phishing methods and leveraging Microsoft 365 to steal credentials.",
"meta": {
"country": "VN",
"refs": [
"https://blog.group-ib.com/perswaysion",
"https://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653"
]
},
"uuid": "a413c605-0e0a-41ca-bae2-5623908fda3a",
"value": "PerSwaysion"
},
{
"description": "Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.",
"meta": {
"country": "CN",
"refs": [
"http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/",
"https://blog.polyswarm.io/space-pirates-target-russian-aerospace"
],
"synonyms": [
"Space Pirates"
]
},
"uuid": "ee306b4d-1b2b-4872-a8f1-d07e7fbab2f0",
"value": "Webworm"
},
{
"description": "In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnion’s systems and threatened to leak four terabytes of data if the credit bureau didn’t pay a $15-million (R242-million) ransom.",
"meta": {
"country": "BR",
"refs": [
"https://mybroadband.co.za/news/security/438982-how-bank-customers-can-protect-themselves-after-hackers-leak-transunion-data.html",
"https://cisoseries.com/cyber-security-headlines-march-21-2022/",
"https://mybroadband.co.za/news/security/443090-cybercriminals-love-south-africa-study.html"
]
},
"uuid": "43236d8e-27ee-40f1-ad15-a2ad23738a76",
"value": "N4ughtysecTU"
},
{
"description": "Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the telecommunication sector and leveraging Impacket for lateral movement and data exfiltration.",
"meta": {
"country": "CN",
"refs": [
"https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/"
]
},
"uuid": "41243ff2-e4f1-4605-9259-ab494c1c8c04",
"value": "Moshen Dragon"
},
{
"description": "One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.",
"meta": {
"country": "CN",
"refs": [
"https://unit42.paloaltonetworks.com/sockdetour/",
"https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/",
"https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
],
"synonyms": [
"DEV-0322"
]
},
"uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf",
"value": "TiltedTemple"
},
{
"description": "OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious email campaigns and demand large ransoms from their victims, with some reaching millions of dollars.",
"meta": {
"country": "RU",
"refs": [
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations",
"https://www.group-ib.com/blog/oldgremlin-comeback/",
"https://www.group-ib.com/media-center/press-releases/oldgremlin/"
]
},
"uuid": "ad8b73df-c526-4a32-b52f-c7c3c4c058d2",
"value": "OldGremlin"
},
{
"description": "Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their activities.",
"meta": {
"country": "CN",
"refs": [
"https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs"
]
},
"uuid": "3baec27f-3827-4a38-82c8-7195a18193f9",
"value": "Storm Cloud"
},
{
"description": "CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware tools and sophisticated techniques like VPN proxy and SSH tunnelling. While their targets are scattered across different regions, there is a concentration in South Asia.",
"meta": {
"refs": [
"https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced",
"https://www.cybersecurityintelligence.com/blog/outsourced-cyber-spying-5335.html"
]
},
"uuid": "5587f082-349b-46ab-9e6f-303d9bfd1e1b",
"value": "CostaRicto"
},
{
"description": "TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.",
"meta": {
"country": "PS",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government",
"https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage"
]
},
"uuid": "aad291eb-08d1-4af4-9dd1-e90fe1f2d6c6",
"value": "TA402"
},
{
"description": "SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector. SilverFish has been linked to the Wasted Locker ransomware and has displayed a high level of skill and organization in their cyber operations. There are also connections between SilverFish and the threat actor Evil Corp, suggesting a possible evolution or collaboration between the two groups.",
"meta": {
"refs": [
"https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies",
"https://www.prodaft.com/resource/detail/silverfish-global-cyber-espionage-campaign-case-report",
"https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions"
]
},
"uuid": "55bcc595-2442-4f98-9477-7fe9b507607c",
"value": "SilverFish"
}
],
"version": 294
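Review bot: The new Webworm cluster (value "Webworm", synonym "Space Pirates") has a description that only ever names Space Pirates and calls it a "cybercrime group", while the first cited reference (the Symantec post titled "webworm-espionage-rats") frames the same activity as espionage; reconcile the wording and state in the description that Webworm and Space Pirates are two vendor names for one cluster, otherwise readers cannot tell why the synonym maps to this value. That Symantec URL is also the only plain-http reference in the hunk; use https like the other refs. The TiltedTemple description opens with "One of their notable tools is a custom backdoor called SockDetour" without ever naming the actor, and two of its three refs (the fox-it TA505 / Serv-U CVE-2021-35211 post and the Microsoft DEV-0322 Serv-U post) concern Serv-U exploitation that the description never mentions; the fox-it title attributes that activity to TA505, which is neither the value nor a synonym of this entry, so either drop that ref or explain the overlap in the description. Minor: the N4ughtysecTU entry spells the name "N4ughtySecTU" in the description but "N4ughtysecTU" in value; pick one spelling or add the other as a synonym, since galaxy lookups match on value and synonyms. SilverFish is "believed to be a Russian cyberespionage group" but carries no "country" field, while the equally hedged PerSwaysion entry ("believed to be based in Vietnam") sets "country": "VN"; apply the same convention to both.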