[threat actors] Add 10 threat actors #886

132 changes: 132 additions & 0 deletions clusters/threat-actor.json
@@ -12105,6 +12105,138 @@
},
"uuid": "b01f7ed8-db75-45c7-ac7b-60aa4a1f7f4b",
"value": "Keksec"
},
{
"description": "The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)",
"meta": {
"refs": [
"https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
"https://www.cybersecurity-insiders.com/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers-and-android-devices/?utm_source=rss&utm_medium=rss&utm_campaign=rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers-and-android-devices",
"https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/",
"https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/"
]
},
"uuid": "39ef9941-4f9c-4807-ab10-88e863ce7953",
"value": "Keksec"
},
{
"description": "Xiaoqiying is a primarily Chinese-speaking threat group that is most well known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late-January 2023. Research from Recorded Futures Insikt Group has found that the groups affiliated threat actors have signaled a new round of cyberattacks against organizations in Japan and Taiwan. Although it shows no clear ties to the Chinese government, Xiaoqiying is staunchly pro-China and vows to target NATO countries as well as any country or region that is deemed hostile to China.",
"meta": {
"aliases": [
"Genesis Day",
"Teng Snake"
],
"country": "CN",
"refs": [
"https://www.recordedfuture.com/xiaoqiying-genesis-day-threat-actor-group-targets-south-korea-taiwan",
"https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a",
"https://therecord.media/samsung-investigating-claims-of-hack-on-south-korea-systems-internal-employee-platform/"
]
},
"uuid": "0ee7be4f-389f-4083-a1e4-4c39dc1ae105",
"value": "Xiaoqiying"
},
{
"description": "Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.",
"meta": {
"aliases": [
"UAC-0114",
"TA473"
],
"refs": [
"https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/",
"https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs",
"https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/",
"https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability",
"https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/"
]
},
"uuid": "b7497d28-02de-4722-8b97-1fc53e1d1b68",
"value": "Winter Vivern"
},
{
"description": "UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies. UNC3886 has modified publicly available malware, specifically targeting *nix operating systems.",
"meta": {
"country": "CN",
"refs": [
"https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem",
"https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence",
"https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass",
"https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening"
]
},
"uuid": "8c08dbe7-3ed0-4d7d-b315-22d8774a5bd9",
"value": "UNC3886"
},
{
"description": "Earth Longzhi is a subgroup of APT41 targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji, and using “stack rumbling” via Image File Execution Options (IFEO), a new denial-of-service (DoS) technique to disable security software.",
"meta": {
"aliases": [
"SnakeCharmer"
],
"refs": [
"https://www.picussecurity.com/resource/blog/cyber-threat-intelligence-report-may-2023",
"https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html",
"https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/",
"https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html"
]
},
"uuid": "b21dbf83-3459-44f4-b91b-6157379e430a",
"value": "Earth Longzhi"
},
{
"description": "Redfly hacked a national electricity grid organization in Asia and maintained persistent access to the network for about six months. Researchers discovered evidence for this attack between 28 February and 3 August 2023 after noticing suspicious malware activity within the organization’s network.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-power-suppliers-network-infiltrated-for-6-months-by-redfly-hackers-active-iocs/"
]
},
"uuid": "4f1c43a4-3788-4035-a99c-e510f89edd0f",
"value": "Redfly"
},
{
"description": "TetrisPhantom relies on compromising of certain type of secure USB drives that provide hardware encryption and is commonly used by government organizations. While investigating this threat, experts identified an entire spying campaign that uses a range of malicious modules to execute commands, collect files and information from compromised computers and transfer them to other machines also using secure USB drives.",
"meta": {
"refs": [
"https://usa.kaspersky.com/blog/sas-2023-research/29254/",
"https://securelist.com/apt-trends-report-q3-2023/110752/"
]
},
"uuid": "5368c0a2-eb79-420c-b808-85ae719efccd",
"value": "TetrisPhantom"
},
{
"description": "Trend Micro found that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal. Aside from the backdoors previously mentioned, this intrusion set also utilizes commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages. These tools come as encrypted payloads loaded by custom loader DLLs.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
"https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/"
]
},
"uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
"value": "Earth Estries"
},
{
"description": "GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. Kaspersky believes the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server. They developed a collection of .NET malware tools known as Jackal.",
"meta": {
"refs": [
"https://securelist.com/it-threat-evolution-q2-2023/110355/",
"https://securelist.com/goldenjackal-apt-group/109677/"
]
},
"uuid": "8e93e09a-734d-4b16-933f-9feb58f6ce7d",
"value": "GoldenJackal"
},
{
"description": "Lancefly targets government, aviation, and telecom organizations in South and Southeast Asia. They use a custom backdoor named Merdoor, developed since 2018, and employ various tactics to gain access, including phishing emails, SSH credential brute-forcing, and exploiting server vulnerabilities. Additionally, Lancefly has been observed using a newer version of the ZXShell rootkit and tools like PlugX and ShadowPad RAT, which are typically associated with Chinese-speaking APT groups.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
]
},
"uuid": "2ceeab57-85e3-468b-a1b8-c035c496dcdc",
"value": "Lancefly"
}
],
"version": 288
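Review bot: the first added entry (uuid 39ef9941-4f9c-4807-ab10-88e863ce7953) sets `"value": "Keksec"`, which duplicates the value of the existing Keksec entry immediately above it (uuid b01f7ed8-db75-45c7-ac7b-60aa4a1f7f4b); cluster values need to be unique, so either merge the four EnemyBot/Necro references into the existing Keksec entry or give this entry its own distinct value and link it to Keksec through the cluster's `related` field. Its description also ends with "(see below for more detail on Keksec)", a sentence carried over from the Fortinet post that has no referent inside the JSON and should be trimmed. Minor points: the cybersecurity-insiders ref carries `?utm_source=rss&utm_medium=rss&utm_campaign=...` tracking parameters that can be dropped, and the Xiaoqiying description is missing apostrophes in "Recorded Futures Insikt Group" and "the groups affiliated threat actors". The version bump to 288 is consistent with a single content change.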