chg: [threat-actor] updated Tomiris references and actor origin country #1046

Merged
merged 3 commits into from
Jan 26, 2025
13 changes: 10 additions & 3 deletions clusters/threat-actor.json
@@ -15208,14 +15208,21 @@
"value": "Karkadann"
},
{
"description": "Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.",
"description": "Storm-0473 (Tomiris) is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.",
"meta": {
"country": "KZ",
"refs": [
"https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
"https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/",
"https://securelist.com/apt-trends-report-q1-2022/106351/",
"https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
"https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/"
],
"synonyms": [
"UNC2849"
]
},
"uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c",
"value": "Tomiris"
"value": "Storm-0473"
},
{
"description": "ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.",
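Review bot: renaming the cluster "value" from "Tomiris" to "Storm-0473" drops "Tomiris" as a matchable name, because the new "synonyms" array lists only "UNC2849"; add "Tomiris" to "synonyms" so that existing tags, searches and correlations keyed on the Kaspersky name still resolve to this cluster (the "uuid" 2f854548-1af0-4f55-acab-4f85ce9f162c is correctly left unchanged). Two smaller points: the newly cited Microsoft URL slug refers to Storm-0156, not Storm-0473, so it is worth confirming that this specific article is the one supporting the Storm-0473 = Tomiris mapping rather than another post in that series; and the added "country": "KZ" has no supporting statement in the description or in the titles of the listed references, so a sentence in the description or a reference stating the assessed origin would make that attribution reviewable.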