MISP Galaxy Update 2026031300 release: 50+ New Threat Actors, MITRE v18.1, UAV Improvements and BITNS Framework

@adulau adulau released this 13 Mar 09:21
· 10 commits to main since this release
2026031300
18ac33c

Release 2026031300 (2026-03-13)

This release brings a substantial expansion to the MISP Galaxy, including the integration of MITRE ATT&CK v18.1, the introduction of specialized galaxies for UAVs, Stalkerware and Space Cyber Operations (SCOR), and an extensive list of new threat actors and aliases.

🌟 Highlights

  • MITRE ATT&CK v18.1 Update: Fully bumped to the latest version, including support for new Analytics and Detection Strategies.
  • New Frameworks: Added the "Busy is the New Stupid" (BITNS) framework and the SCOR (Space Cyber Operations Research) SPARTA galaxies.
  • Stalkerware Galaxy: A dedicated new galaxy for tracking stalkerware families.
  • Ransomware Sync: Continuous alignment with ransomlook.io for up-to-date ransomware tracking.

🚀 New Features & Galaxies

Frameworks & Tools

  • [galaxy] Added the Busy is the New Stupid (BITNS) framework (thanks to Ross Young of CISTO Tradecraft).
  • [SCOR] Introduced Space Cyber Operations Research galaxies:
    • SPARTA mitigations, tactics, and techniques.
    • Space-SHIELD tactics and techniques.
  • [terrorists-groups] Added Canadian listed terrorist entities via a new XML generation tool.
  • [stalkerware] Brand new galaxy created to categorize stalkerware.

Threat Intelligence Expansion

  • [threat-actors] Massive update adding dozens of actors, including:
    • VoidLink (UAT-9921 - China Nexus)
    • Mandiant UNC groups (UNC6040, UNC6384, UNC5342, etc.)
    • The Wizards, DarkPink, Curly COMrades, and many more.
  • [UAV/Drones] Significant updates to the drones galaxy, including Autel, DJI, and Sky Tech Irbis fleets.
  • [tools] Added ResidenBat APK malware and Coruna Exploit kit.

🛠️ Changes & Improvements

  • [mitre] Added tactics to ATT&CK patterns and refined meta handling for data sources.
  • [ransomware] Multiple updates to stay aligned with the latest data from ransomlook.io.
  • [malpedia] Cleaned up and updated Malpedia MISP output.
  • [sigma] Sigma rules and tools updated to the latest versions.
  • [data-consistency] Normalized country names (e.g., "US" to "United States") and improved JSON schema alignment.
  • [workflow] Added support for Python 3.12 and retired older versions.

🩹 Fixes

  • [uuid] Regenerated a unique UUIDv4 for each item in SCOR galaxies and clusters to ensure uniqueness.
  • [json] Fixed character escaping in ukhsa-culture-collections.
  • [schema] Aligned SCOR and other galaxy JSON files with the standard MISP schema (removing extra meta).
  • [sorting] Fixed various sorting and formatting issues within the JSON clusters.

🤝 Contributors

A huge thank you to all the contributors who made this release possible:
Alexandre Dulaunoy, iglocska, fukusuket, Mathieu4141, Paul Jung (Thanat0s), Nassima, Delta-Sierra, D2 Team CORP, Jash Dalvi, David Cruciani, and many others!