diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 691ed44e..0d8182aa 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2701,6 +2701,16 @@
         ]
       },
       "uuid": "4af45fea-72d3-11e8-846c-d37699506c8d"
+    },
+    {
+      "value": "Thrip",
+      "description": "Symntec have been monitoring Thrip since 2013 when they uncovered a spying campaign being orchestrated from systems based in China. Since their initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. All of these tools, with the exception of Mimikatz (which is almost always used maliciously), have legitimate uses.",
+      "meta": {
+        "refs": [
+          "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
+        ]
+      },
+      "uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s"
     }
   ],
   "name": "Threat actor",
@@ -2715,5 +2725,5 @@
   ],
   "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
   "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 42
+  "version": 43
 }