diff --git a/clusters/banker.json b/clusters/banker.json
index c98c0a63..e247ae3b 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -514,7 +514,8 @@
       "meta": {
         "refs": [
           "https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/",
-          "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
+          "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
+          "http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
         ],
         "date": "Discovered in September 2017"
       },
diff --git a/clusters/tool.json b/clusters/tool.json
index 9dfc8f78..59baa59b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -11,7 +11,7 @@
   ],
   "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
   "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 62,
+  "version": 63,
   "values": [
     {
       "meta": {
@@ -4126,6 +4126,19 @@
         ]
       },
       "uuid": "8c0a7e1e-3cc4-11e8-8f03-2f71e72f737b"
+    },
+    {
+      "value": "Rovnix",
+      "description": "We recently found that the malware family ROVNIX is capable of being distributed via macro downloader. This malware technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.",
+      "meta": {
+        "refs": [
+          "https://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/"
+        ],
+        "synonyms": [
+          "ROVNIX"
+        ]
+      },
+      "uuid": "a4036a28-3d94-11e8-ad9f-97ada3c6d5fb"
     }
   ]
 }