MISP · adulau · Dec 6, 2023 · Dec 5, 2023
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
@@ -11306,7 +11306,7 @@
     },
     {
       "meta": {
-        "references": [
+        "refs": [
           "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
           "https://vixra.org/abs/1902.0257",
           "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
@@ -11340,7 +11340,7 @@
       "description": "One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.",
       "meta": {
         "country": "RU",
-        "references": [
+        "refs": [
           "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
           "https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/",
           "https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728",
@@ -11372,7 +11372,7 @@
     {
       "description": "TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware such as Dridex, Qakbot, and WastedLocker via malicious URLs, Office attachments, and password-protected files. On average, TA575 distributes almost 4,000 messages per campaign impacting hundreds of organizations.",
       "meta": {
-        "references": [
+        "refs": [
           "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
           "https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware",
           "https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/",
@@ -11430,7 +11430,7 @@
       "description": "TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.",
       "meta": {
         "country": "RU",
-        "references": [
+        "refs": [
           "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
           "https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html",
           "https://www.itpro.com/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network",
@@ -11498,7 +11498,7 @@
       "description": "TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools. It uses keyloggers such as HawkEye and distinctive stylometric features in typo-squatted domains that resemble legitimate names and the use of recurring names and substrings in email addresses.",
       "meta": {
         "country": "NG",
-        "references": [
+        "refs": [
           "https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1"
         ]
       },
@@ -11558,7 +11558,7 @@
           "European Union"
         ],
         "country": "CN",
-        "references": [
+        "refs": [
           "https://twitter.com/MsftSecIntel/status/1625181255754039318"
         ]
       },
@@ -11586,7 +11586,7 @@
           "NGOs"
         ],
         "country": "KR",
-        "references": [
+        "refs": [
           "https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals"
         ]
       },
@@ -11623,7 +11623,7 @@
           "Pharmaceuticals"
         ],
         "country": "IR",
-        "references": [
+        "refs": [
           "https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises"
         ],
         "synonyms": [
@@ -11653,7 +11653,7 @@
       "description": "TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.",
       "meta": {
         "country": "IR",
-        "references": [
+        "refs": [
           "https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations",
           "https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential"
         ]
@@ -11699,7 +11699,7 @@
           "Aviation",
           "Energy"
         ],
-        "references": [
+        "refs": [
           "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/"
         ]
       },
@@ -11732,7 +11732,7 @@
           "United States"
         ],
         "cfr-type-of-incident": "Extortion",
-        "references": [
+        "refs": [
           "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a",
           "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
           "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation"
@@ -11771,7 +11771,7 @@
       "description": "Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.",
       "meta": {
         "country": "IR",
-        "references": [
+        "refs": [
           "https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
         ],
         "synonyms": [
@@ -11795,7 +11795,7 @@
       "description": "PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.",
       "meta": {
         "country": "",
-        "references": [
+        "refs": [
           "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
           "https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/",
           "https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker",
@@ -11829,7 +11829,7 @@
       "description": "According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated, however assessment of historic related activities suggests a possible, additional espionage objective.",
       "meta": {
         "motive": "mainly financially motivated, additional espionage objective.",
-        "references": [
+        "refs": [
           "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
         ]
       },
@@ -11883,7 +11883,7 @@
         "cfr-type-of-incident": [
           "Denial of service"
         ],
-        "references": [
+        "refs": [
           "https://files.truesec.com/hubfs/Reports/Anonymous%20Sudan%20-%20Publish%201.2%20-%20a%20Truesec%20Report.pdf",
           "https://www.truesec.com/hub/blog/what-is-anonymous-sudan"
         ]
@@ -11906,7 +11906,7 @@
         ],
         "country": "CN",
         "motive": "state-sponsored espionage and financially motivated",
-        "references": [
+        "refs": [
           "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf",
           "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer"
         ]
@@ -12084,7 +12084,7 @@
     {
       "description": "The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.",
       "meta": {
-        "references": [
+        "refs": [
           "https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/",
           "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"
         ],
@@ -12111,7 +12111,7 @@
       "meta": {
         "country": "NG",
         "motive": "Cybercrime",
-        "references": [
+        "refs": [
           "https://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/",
           "https://static.fortra.com/agari/pdfs/guide/ag-scattered-canary-gd.pdf",
           "https://www.agari.com/blog/covid-19-unemployment-fraud-cares-act?_gl=1%2Ayzg6ns%2A_ga%2AMTkyMzIyOTI4MC4xNjk2MjUyMDA2%2A_ga_NHMHGJWX49%2AMTY5NjI1MjAwNS4xLjAuMTY5NjI1MjAwNS42MC4wLjA.&utm_source=press-release&utm_medium=prnewswire&utm_campaign=scattered20"
@@ -12123,7 +12123,7 @@
     {
       "description": "Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.",
       "meta": {
-        "references": [
+        "refs": [
           "https://www.cybersecurity-insiders.com/scattered-spider-managed-mgm-resort-network-outage-brings-8m-loss-daily/",
           "https://www.loginradius.com/blog/identity/oktapus-phishing-targets-okta-identity-credentials/"
         ],
@@ -12170,7 +12170,7 @@
           "Ukraine",
           "European Union"
         ],
-        "references": [
+        "refs": [
           "https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html",
           "https://www.trendmicro.com/en_za/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
         ],
@@ -12201,7 +12201,7 @@
       "description": "In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.",
       "meta": {
         "country": "CN",
-        "references": [
+        "refs": [
           "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/",
           "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/"
         ]
@@ -12222,7 +12222,7 @@
         ],
         "cfr-type-of-incident": "Espionage",
         "country": "CN",
-        "references": [
+        "refs": [
           "https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/",
           "https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr",
           "https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/"