{
	"id": "be0271b4-0c71-4f71-ba6f-84573b700ebb",
	"created_at": "2026-04-06T00:11:50.499624Z",
	"updated_at": "2026-04-10T03:34:54.518085Z",
	"deleted_at": null,
	"sha1_hash": "0af3c85973267fb10abedae0d3a47d46a1527b2e",
	"title": "H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 407483,
	"plain_text": "H0lyGh0st - North Korean Threat Group Strikes Back With New\r\nRansomware\r\nBy Huseyin Can YUCEEL\r\nPublished: 2022-07-29 · Archived: 2026-04-05 15:14:01 UTC\r\nH0lyGh0st is a North Korea based cyber extortion group that has actively developed and deployed ransomware since June\r\n2021. The operators pursue financial gain through classic extortion playbooks that include data theft, file encryption, and\r\npublic pressure on leak sites. Early campaigns in September 2021 struck small and midsize organizations across multiple\r\nsectors, including banking, manufacturing, education, and event and meeting planning firms. Victim selection suggests a\r\nfocus on entities with limited security staff and high sensitivity to downtime, which increases the chance of payment.\r\nAlthough H0lyGh0st is not a new actor, activity in April 2022 showed a refreshed and more persistent ransomware variant\r\nthat improved reliability, survivability, and operator control during intrusions.\r\nReporting on the group’s tactics, techniques, and procedures points to common entry paths such as exposed remote services,\r\nweak or reused credentials, and phishing that delivers loaders or credential stealers. After initial access, affiliates perform\r\ndiscovery, escalate privileges, and stage data for exfiltration before launching encryption to maximize leverage. Recent\r\nvariants demonstrate stronger persistence mechanisms, better evasion of endpoint controls, and faster lateral movement\r\nacross Windows and server environments. Organizations can reduce risk by enforcing multifactor authentication, hardening\r\nand monitoring remote access, patching internet facing systems, segmenting critical applications, maintaining tested offline\r\nbackups, and monitoring for unusual data movement and encryption behavior. 
Continuous validation of detection and\r\nresponse controls helps verify coverage against H0lyGh0st techniques and ensures gaps are closed before an intrusion\r\nbecomes a costly extortion event.\r\nPicus Labs added attack simulations for H0lyGh0st ransomware attacks to the Picus Threat Library, and you can test your\r\nsecurity controls against H0lyGh0st attacks.\r\nThe H0lyGh0st Extortion Group\r\nH0lyGh0st is a North Korea-based cyber extortion threat group known for developing malware payloads and\r\nperforming ransomware attacks since June 2021. The ransomware group is also known as HolyGhost and DEV-0530. In\r\nSeptember 2021, they launched many successful attacks. Victim statistics show that they mainly target small-to-midsize\r\norganizations in sectors like financial services, manufacturing, education, and entertainment with weak security\r\ninfrastructures [1].\r\nFigure 1: H0lyGh0st group's welcoming message on their web page [1]\r\nThe group hosts a .onion web page to maintain communication with their victims. On their homepage, they rationalize their\r\ncyberattacks and malicious actions by claiming to be \"Robin Hood\"; however, the H0lyGh0st ransomware group does not\r\ntarget large organizations with robust security infrastructure. In fact, H0lyGh0st can be called an opportunistic threat group\r\nthat preys on small businesses with a weak security posture.\r\nhttps://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware\r\nPage 1 of 5\n\nFigure 2: Instructions given by H0lyGh0st on their web page [1]\r\nAfter gaining initial access to their victim's network, the threat actors move laterally across the network and exfiltrate\r\nsensitive data. After exfiltration, H0lyGh0st encrypts the victim's data and leaves the ransom payment instructions shown in\r\nFigure 2. 
The ransomware group uses the double extortion method and threatens to release stolen sensitive information on\r\nsocial media or anonymous document-sharing platforms like Pastebin unless the ransom is paid.\r\nFigure 3: An email sent by H0lyGh0st [1]\r\nThe threat actor sends a piece of stolen data back to their victim as proof and demands a ransom for the decryption key.\r\nDemanded ransoms vary from 1.2 to 5 BTC. However, some victims were able to negotiate a discount of up to ⅓\r\nof the initial ransom [2].\r\nAffiliated APT Group - PLUTONIUM\r\nAccording to the Microsoft Threat Intelligence Center (MSTIC), H0lyGh0st does not follow an approach that is entirely unique\r\nand independent of other ransomware groups. There are some overlapping points between H0lyGh0st and another\r\nNorth Korea-based APT group, PLUTONIUM.\r\nPLUTONIUM is known as DarkSeoul or Andariel in the wild and is a sub-group under the Lazarus umbrella. PLUTONIUM\r\nis infamous for attacking the energy and defense industries in many countries, including South Korea, the USA, and India. The\r\nobserved email communications between PLUTONIUM and H0lyGh0st and the use of similar custom malware controllers\r\nindicate an affiliation between the two groups.\r\nThe first malware developed by the H0lyGh0st ransomware group was named BTLC_C.exe, and it was first observed back\r\nin June 2021. BTLC_C.exe is classified under the SiennaPurple malware family and was written in C++.\r\nShortly after, the threat group switched to the Go language and built new ransomware variants. 
These new variants,\r\nHolyRS.exe, HolyLock.exe, and BLTC.exe, are classified under the SiennaBlue malware family.\r\nSince all these variants share similar C2 URLs, code patterns, ransom notes, and instructions, MSTIC attributed these\r\nransomware variants to H0lyGh0st, aka DEV-0530.\r\nFigure 4: Timeline of the Payloads Developed and Used by H0lyGh0st [1]\r\nBTLC_C.exe Under the SiennaPurple Family\r\nBTLC_C.exe is the first malware developed by the H0lyGh0st ransomware group. BTLC_C.exe is not a sophisticated\r\nmalware payload and has few distinguishable features compared to its successors HolyRS.exe, HolyLock.exe, and\r\nBLTC.exe.\r\nBTLC_C.exe requires administrator-level privileges for execution; otherwise, a hard-coded error message pops up saying\r\nthat the program requires an admin user.\r\nThis malware uses a very basic string obfuscation technique: it subtracts 0x30 from the value of each character in a\r\nstring. For instance, the hard-coded C2 IP address, 193[.]56[.]29[.]123, of the main_ServerBaseURL\r\nhxxp://193[.]56[.]29[.]123:8888 is encoded as \"aic^ef^bi^abc0\" [1]. Apart from that, the IoCs found in the decoded\r\nmalware correlate closely with the other variants in the SiennaBlue family in terms of C2 infrastructure and beacon URL\r\nstructure, access.php?order=AccessRequest\u0026cmn [1].\r\nHolyRS.exe, HolyLock.exe, and BLTC.exe Under the SiennaBlue Family\r\nAs mentioned previously, malware payloads under the SiennaBlue family are written in the Go language; thus, they share\r\ncore Go functions, including multiple encryption options, public-key management, internet and intranet support, and string\r\nobfuscation.\r\nTo gain initial access, new variants of H0lyGh0st ransomware search for vulnerabilities in the public-facing web\r\napplications and content management systems of their target. 
The DotCMS RCE vulnerability (CVE-2022-26352) is one of the\r\nvulnerabilities exploited by the ransomware group.\r\nAfter successfully encrypting the victim's files, the ransomware encodes the file names in Base64 and appends\r\nthe .h0lyenc extension. Then, the ransomware leaves a file called \"FOR_DECRYPT.html\" that contains contact information.\r\nFigure 5: \"Contact Us\" Section on the H0lyGh0st Web Page [1]\r\nThe latest variant, BLTC.exe, has a hardcoded intranet URL and ServerBaseUrl in the malware. BLTC.exe can be\r\nconfigured to connect to a network share using the default credentials and the intranet URL if the victim device cannot reach\r\nthe ServerBaseUrl. Unlike its predecessors, BLTC.exe establishes persistence by creating and deleting a scheduled task\r\ncalled lockertask.\r\nAfter being executed with administrator privileges, the ransomware payload tries to connect to the ServerBaseUrl. If the\r\nconnection is successful, it downloads a public key from the C2 server and uses it to encrypt all of the victim's files.\r\nHow Picus Helps Simulate H0lyGh0st Attacks\r\nUsing the Picus Continuous Security Validation Platform, you can test your security controls against H0lyGh0st attacks.\r\nWe advise you to simulate H0lyGh0st ransomware attacks and determine whether your security controls can prevent them or\r\nnot. 
The Picus Threat Library includes the following threats to simulate attacks and malicious tools used by the H0lyGh0st\r\ngroup.\r\nThreat ID | Action Name | Attack Module\r\n20076 | H0lyGh0st Ransomware Malware Download Threat | Network Infiltration\r\n41450 | H0lyGh0st Ransomware Malware Email Threat | Email Infiltration (Phishing)\r\n97451 | DEV-0530 Threat Group Campaign Malware Download Threat | Network Infiltration\r\n75946 | DEV-0530 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)\r\nMITRE ATT\u0026CK Techniques Used by H0lyGh0st Group\r\nInitial Access\r\nT1133 External Remote Services\r\nT1190 Exploit Public-Facing Application\r\nExecution\r\nT1059.003 Windows Command Shell\r\nPersistence\r\nT1133 External Remote Services\r\nPrivilege Escalation\r\nT1134.001 Token Impersonation/Theft\r\nDefense Evasion\r\nT1027.002 Software Packing\r\nT1134.001 Token Impersonation/Theft\r\nCredential Access\r\nT1056.004 Credential API Hooking\r\nDiscovery\r\nT1012 Query Registry\r\nT1033 System Owner/User Discovery\r\nT1049 System Network Connections Discovery\r\nT1057 Process Discovery\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1135 Network Share Discovery\r\nCollection\r\nT1056.004 Credential API Hooking\r\nT1114 Email Collection\r\nCommand and Control\r\nT1571 Non-Standard Port\r\nT1573 Encrypted Channel\r\nImpact\r\nT1486 Data Encrypted for Impact\r\nIndicators of Compromise (IOCs)\r\nSHA-256 MD5 SHA-1\r\n99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd 54ca404d16db18d233c606b48c73d66f d7d472bfc62bd6f52e3b4b3\r\nf8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86 a2b371eea0aee7cf57e23b5f0f4668c7 d1ddbe96ef37c38b4d92bcb\r\nbea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af eec15f3648f8bc8684e67ac7cf9813ea 4dade34d55256981a44652\r\nReferences\r\n[1] Microsoft 
Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU), “North Korean threat actor\r\ntargets small and midsize businesses with H0lyGh0st ransomware,” Microsoft Security Blog, Jul. 14, 2022. [Online].\r\nAvailable: https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/. [Accessed: Jul. 27, 2022]\r\n[2] Hive Pro, “North Korean hacker group targets victims globally with Holy Ghost ransomware,” Hive Pro, Jul. 20, 2022.\r\n[Online]. Available: https://www.hivepro.com/north-korean-hacker-group-targets-victims-globally-with-holy-ghost-ransomware/. [Accessed: Jul. 27, 2022]\r\nSource: https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware"
	],
	"report_names": [
		"h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40ec2da8-7156-4bff-b878-41984eb70df4",
			"created_at": "2024-02-02T02:00:04.080917Z",
			"updated_at": "2026-04-10T02:00:03.555365Z",
			"deleted_at": null,
			"main_name": "Storm-0530",
			"aliases": [
				"DEV-0530",
				"H0lyGh0st"
			],
			"source_name": "MISPGALAXY:Storm-0530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434310,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0af3c85973267fb10abedae0d3a47d46a1527b2e.pdf",
		"text": "https://archive.orkl.eu/0af3c85973267fb10abedae0d3a47d46a1527b2e.txt",
		"img": "https://archive.orkl.eu/0af3c85973267fb10abedae0d3a47d46a1527b2e.jpg"
	}
}