{
	"id": "dbdcd356-a90d-4d48-afe6-3830f82da815",
	"created_at": "2026-04-06T00:10:28.023189Z",
	"updated_at": "2026-04-10T03:34:54.349626Z",
	"deleted_at": null,
	"sha1_hash": "787d56f312c521364af36252110d67d463c4ab3a",
	"title": "North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 642644,
	"plain_text": "North Korean threat actor targets small and midsize businesses with\r\nH0lyGh0st ransomware | Microsoft Security Blog\r\nBy Microsoft Digital Security Unit (DSU), Microsoft Threat Intelligence\r\nPublished: 2022-07-14 · Archived: 2026-04-05 17:43:31 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. DEV-0530 is now tracked as Storm-0530 and PLUTONIUM is now tracked as Onyx Sleet.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nA group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks as DEV-0530 has\r\nbeen developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a\r\nransomware payload with the same name for its campaigns and has successfully compromised small businesses in multiple\r\ncountries as early as September 2021.\r\nAlong with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims.\r\nThe group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the\r\nvictim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As\r\npart of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’\r\ncustomers if they refuse to pay. 
This blog is intended to capture part of MSTIC’s analysis of DEV-0530 tactics, present the\r\nprotections Microsoft has implemented in our security products, and share insights on DEV-0530 and H0lyGh0st\r\nransomware with the broader security community to protect mutual customers.\r\nMSTIC assesses that DEV-0530 has connections with another North Korean-based group tracked as PLUTONIUM (aka\r\nDarkSeoul or Andariel). While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has\r\nobserved communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM.\r\nAs with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or\r\ncompromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-####\r\ndesignations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing\r\nMSTIC to track it as a unique set of information until we reach high confidence about the origin or identity of the actor\r\nbehind the activity.\r\nWho is DEV-0530?\r\nDEV-0530 primarily operates ransomware campaigns to pursue financial objectives. In MSTIC’s investigations of their\r\nearly campaigns, analysts observed that the group’s ransom note included a link to the .onion site\r\nhxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd[.]onion, where the attackers claim to “close the gap\r\nbetween the rich and poor”. They also attempt to legitimize their actions by claiming to increase the victim’s security\r\nawareness by letting the victims know more about their security posture.\r\nhttps://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/\r\nPage 1 of 10\n\nFigure 1. A H0lyGh0st ransom note linked to the attackers’ .onion site.\r\nFigure 2. 
DEV-0530 attackers publishing their claims on their website.\r\nLike many other ransomware actors, DEV-0530 notes on their website’s privacy policy that they would not sell or publish\r\ntheir victim’s data if they get paid. But if the victim fails to pay, they would publish everything. A contact form is also\r\navailable for victims to get in touch with the attackers.\r\nFigure 3. Privacy policy and contact us information on the H0lyGh0st website.\r\nAffiliations with other threat actors originating from North Korea\r\nMSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean\r\nthreat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least\r\n2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States\r\nusing a variety of tactics and techniques.\r\nMSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts.\r\nMSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware\r\ncontrollers with similar names.\r\nTo further assess the origin of DEV-0530 operations, MSTIC performed a temporal analysis of observed activity from the\r\ngroup. MSTIC estimates that the pattern of life of DEV-0530 activity is most consistent with the UTC+8 and UTC+9 time\r\nzones. 
UTC+9 is the time zone used in North Korea.\r\nDespite these similarities, differences in operational tempo, targeting, and tradecraft suggest DEV-0530 and PLUTONIUM\r\nare distinct groups.\r\nWhy are North Korean actors using ransomware?\r\nBased on geopolitical observations by global experts on North Korean affairs and circumstantial observations, Microsoft\r\nanalysts assess the use of ransomware by North Korea-based actors is likely motivated by two possible objectives.\r\nThe first possibility is that the North Korean government sponsors this activity. The North Korean economy has weakened\r\nfurther since 2016 due to sanctions, natural disasters, drought, and the North Korean government’s COVID-19\r\nlockdown from the outside world since early 2020. To offset the losses from these economic setbacks, the North Korean\r\ngovernment could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If\r\nthe North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the\r\ngovernment has enabled to offset financial losses.\r\nHowever, state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims\r\nthan observed in DEV-0530 victimology. Because of this, it is equally possible that the North Korean government is not\r\nenabling or supporting these ransomware attacks. Individuals with ties to PLUTONIUM infrastructure and tools could be\r\nmoonlighting for personal gain. 
This moonlighting theory might explain the often-random selection of victims targeted by\r\nDEV-0530.\r\nAlthough Microsoft cannot be certain of DEV-0530’s motivations, the impact of these ransomware attacks on our customers\r\nraises the importance of exposing the underlying tactics and techniques, detecting and preventing attacks in our security\r\nproducts, and sharing our knowledge with the security ecosystem.\r\nRansomware developed by DEV-0530\r\nBetween June 2021 and May 2022, MSTIC classified H0lyGh0st ransomware under two new malware families:\r\nSiennaPurple and SiennaBlue. Both were developed and used by DEV-0530 in campaigns. MSTIC identified four variants\r\nunder these families – BTLC_C.exe, HolyRS.exe, HolyLocker.exe, and BTLC.exe – and clustered them based on code\r\nsimilarity, C2 infrastructure including C2 URL patterns, and ransom note text. BTLC_C.exe is written in C++ and is\r\nclassified as SiennaPurple, while the rest are written in Go, and all variants are compiled into .exe to target Windows\r\nsystems. Microsoft Defender Antivirus, which is built into and ships with Windows 10 and 11, detects and blocks\r\nBTLC_C.exe as SiennaPurple and the rest as SiennaBlue, providing protection for Windows users against all known\r\nvariants of the H0lyGh0st malware.\r\nFigure 4. Timeline of DEV-0530 ransomware payloads.\r\nSiennaPurple ransomware family: BTLC_C.exe\r\nBTLC_C.exe is a portable ransomware developed by DEV-0530 and was first seen in June 2021. This ransomware doesn’t\r\nhave many features compared to all malware variants in the SiennaBlue family. 
Prominently, if not launched as an\r\nadministrative user, the BTLC_C.exe malware displays the following hardcoded error before exiting:\r\n\"This program only execute under admin privilege\".\r\nThe malware uses a simple obfuscation method for strings where 0x30 is subtracted from the byte value of each character,\r\nsuch that the string “aic^ef^bi^abc0” is decoded to 193[.]56[.]29[.]123. The indicators of compromise (IOCs) decoded from\r\nthe BTLC_C.exe ransomware are consistent with all malware variants in the SiennaBlue family, including the C2\r\ninfrastructure and the HTTP beacon URL structure access.php?order=AccessRequest\u0026cmn. The BTLC_C.exe sample\r\nanalyzed by MSTIC has the following PDB path: M:\\ForOP\\attack(utils)\\attack tools\\Backdoor\\powershell\\btlc_C\\Release\\btlc_C.pdb.\r\nSiennaBlue ransomware family: HolyRS.exe, HolyLocker.exe, and BTLC.exe\r\nBetween October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go. We\r\nclassified these variants as SiennaBlue. While new Go functions were added to the different variants over time, all the\r\nransomware in the SiennaBlue family share the same core Go functions.\r\nA deeper look into the Go functions used in the SiennaBlue ransomware showed that over time, the core functionality\r\nexpanded to include features like various encryption options, string obfuscation, public key management, and support for the\r\ninternet and intranet. 
The lists below demonstrate this expansion by comparing the Go functions in HolyRS.exe and\r\nBTLC.exe:\r\nHolyRS.exe [2021]:\r\nmain_main\r\nmain_init_0\r\nmain_IsAdmin\r\nmain_encryptFiles\r\nHolyLocker_RsaAlgorithm_GenerateKeyPair\r\nHolyLocker_RsaAlgorithm_Encrypt\r\nHolyLocker_CryptoAlogrithm___ptr_File__EncryptRSA\r\nHolyLocker_CryptoAlogrithm___ptr_File__EncryptAES\r\nHolyLocker_utilities_GenerateRandomANString\r\nHolyLocker_utilities_StringInSlice\r\nHolyLocker_utilities_SliceContainsSubstring\r\nHolyLocker_utilities_RenameFile\r\nHolyLocker_Main_init\r\nHolyLocker_communication_New\r\nHolyLocker_communication___ptr_Client__GetPubkeyFromServer\r\nHolyLocker_communication___ptr_Client__Do\r\nHolyLocker_communication___ptr_Client__SendEncryptedPayload\r\nHolyLocker_communication___ptr_Client__SendFinishRequest\r\nHolyLocker_communication___ptr_Client__AddNewKeyPairToIntranet\r\nHolyLocker_communication___ptr_Client__AddNewKeyPair\r\nBTLC.exe [2022]:\r\nmain_main\r\nmain_init_0\r\nmain_IsAdmin\r\nmain_encryptFiles\r\nmain_DeleteSchTask\r\nmain_DisableNetworkDevice\r\nmain_encryptString\r\nmain_decryptString\r\nmain_cryptAVPass\r\nmain_SelfDelete\r\nHolyLocker_RsaAlgorithm_GenerateKeyPair\r\nHolyLocker_RsaAlgorithm_Encrypt\r\nHolyLocker_CryptoAlogrithm___ptr_File__EncryptRSA\r\nHolyLocker_CryptoAlogrithm___ptr_File__EncryptAES\r\nHolyLocker_utilities_GenerateRandomANString\r\nHolyLocker_utilities_StringInSlice\r\nHolyLocker_utilities_SliceContainsSubstring\r\nHolyLocker_utilities_RenameFile\r\nHolyLocker_Main_init\r\nHolyLocker_communication_New\r\nHolyLocker_communication___ptr_Client__GetPubkeyFro\r\nHolyLocker_communication___ptr_Client__Do\r\nHolyLocker_communication___ptr_Client__SendEncrypted\r\nHolyLocker_communication___ptr_Client__SendFinishReq\r\nHolyLocker_communication___ptr_Client__AddNewKeyPa\r\nHolyLocker_communication___ptr_Client__AddNewKeyPa\r\nMSTIC assesses DEV-0530 successfully compromised several targets in multiple countries using HolyRS.exe in November\r\n2021. A review of the victims showed they were primarily small-to-midsized businesses, including manufacturing\r\norganizations, banks, schools, and event and meeting planning companies. The victimology indicates that these victims are\r\nmost likely targets of opportunity. MSTIC suspects that DEV-0530 might have exploited vulnerabilities such as CVE-2022-26352\r\n(DotCMS remote code execution vulnerability) on public-facing web applications and content management systems\r\nto gain initial access into target networks. The SiennaBlue malware variants were then dropped and executed. To date,\r\nMSTIC has not observed DEV-0530 using any 0-day exploits in their attacks.\r\nAfter successfully compromising a network, DEV-0530 exfiltrated a full copy of the victims’ files. Next, the attackers\r\nencrypted the contents of the victim device, replacing all file names with Base64-encoded versions of the file names and\r\nrenaming the extension to .h0lyenc. Victims found a ransom note in C:\\FOR_DECRYPT.html, as well as an email from the\r\nattackers with subject lines such as:\r\n!!!!We are \u003c H0lyGh0st\u003e. 
Please Read me!!!!\r\nAs seen in the screenshot below, the email from the attackers let the victim know that the group has stolen and encrypted all\r\ntheir files. The email also included a link to a sample of the stolen data to prove their claim, in addition to the demand for\r\npayment for recovering the files.\r\nFigure 5. Ransom note left by DEV-0530 attackers.\r\nBTLC.exe is the latest DEV-0530 ransomware variant and has been seen in the wild since April 2022. BTLC.exe can be\r\nconfigured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware\r\nif the ServerBaseURL is not accessible from the device. One notable feature added to BTLC.exe is a persistence mechanism\r\nin which the malware creates or deletes a scheduled task called lockertask, such that the following command line syntax can\r\nbe used to launch the ransomware:\r\ncmd.exe /Q /c schtasks /create /tn lockertask /tr [File] /sc minute /mo 1 /F /ru system 1\u003e \\\\127.0.0.1\\ADMIN$\\\r\nOnce the ransomware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL\r\nhardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive.\r\nHolyRS.exe/HolyLocker.exe C2 configuration:\r\nmain_ServerBaseURL: hxxp://193[.]56[.]29[.]123:8888\r\nmain_IntranetURL: 10[.]10[.]3[.]42\r\nmain_Username: adm-karsair\r\nBTLC.exe C2 configuration:\r\nEncryptionKey: H0lyGh0stKey1234\r\nIntranetUrl: 192[.]168[.]168[.]5\r\nUsername: atrismsp\r\nScheduledtask name: lockertask\r\nFigure 6. BTLC.exe C2 communication.\r\nBased on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. 
However, the\r\nattackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking\r\nprice. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted\r\nransom payments from their victims.\r\nFigure 7. Screenshot of DEV-0530 attackers’ wallet.\r\nHolyRS.exe/BTLC.exe C2 URL patterns:\r\nhxxp://193[.]56[.]29[.]123:8888/access.php?order=GetPubkey\u0026cmn=[Victim_HostName]\r\nhxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_key_add\u0026cmn=[Victim_HostName]\u0026type=1\r\nhxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_key_add\u0026cmn=[Victim_HostName]\u0026type=2\r\nhxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_finish\u0026cmn=[Victim_HostName]\u0026\r\nExamples of HolyRS.exe/BTLC.exe ransom note metadata:\r\nAttacker email address: H0lyGh0st@mail2tor[.]com\r\nImage location: hxxps://cloud-ex42[.]usaupload[.]com/cache/plugins/filepreviewer/219002/f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c/1100x8\r\nReport URL: hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd[.]onion\r\nMicrosoft will continue to monitor DEV-0530 activity and implement protections for our customers. 
The current detections,\r\nadvanced detections, and indicators of compromise (IOCs) in place across our security products are detailed below.\r\nRecommended customer actions\r\nMicrosoft has implemented protections to detect these malware families as SiennaPurple and SiennaBlue (e.g.,\r\nRansom:Win32/SiennaBlue.A) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are\r\ndeployed on-premises and in cloud environments.\r\nMicrosoft encourages all organizations to proactively implement and frequently validate a data backup and restore plan as\r\npart of broader protection against ransomware and extortion threats.\r\nThe techniques used by DEV-0530 in H0lyGh0st activity can be mitigated by adopting the security considerations provided\r\nbelow:\r\nUse the included IOCs to investigate whether they exist in your environment and assess for potential intrusion.\r\nOur blog on the ransomware as a service economy has an exhaustive guide on how to protect against ransomware threats.\r\nWe encourage readers to refer to that blog for a comprehensive guide that has a deep dive into each of the following areas:\r\nBuilding credential hygiene\r\nAuditing credential exposure\r\nPrioritizing deployment of Active Directory updates\r\nCloud hardening\r\nImplement the Azure Security Benchmark and general best practices for securing identity infrastructure.\r\nEnsure cloud admins/tenant admins are treated with the same level of security and credential hygiene as\r\nDomain Admins.\r\nAddress gaps in authentication coverage.\r\nEnforcing MFA on all accounts, removing users excluded from MFA, and strictly requiring MFA from all devices, in all\r\nlocations, at all times.\r\nEnabling passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft\r\nAuthenticator) for accounts that support passwordless. 
For accounts that still require passwords, use authenticator\r\napps like Microsoft Authenticator for MFA.\r\nDisabling legacy authentication.\r\nFor small or midsize companies who use Microsoft Defender for Business or Microsoft 365 Business Premium, enabling\r\neach of the features below will provide a protective layer against these threats where applicable. For Microsoft 365 Defender\r\ncustomers, the following checklist eliminates security blind spots:\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and\r\ntechniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper\r\nprotection.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nRun EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR\r\nin block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.\r\nEnable network protection to prevent applications or users from accessing malicious domains and other malicious\r\ncontent on the internet.\r\nEnable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take\r\nimmediate action on alerts to resolve breaches.\r\nUse device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to\r\nMicrosoft Defender for Endpoint.\r\nProtect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that\r\nleverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user\r\nactivities, configuration issues, and active attacks.\r\nIndicators of compromise\r\nThis list provides IOCs observed during our investigation. 
We encourage our customers to investigate these indicators in\r\ntheir environments and implement detections and protections to identify past related activity and prevent future attacks\r\nagainst their systems.\r\nIndicator | Type | Description\r\n99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd | SHA-256 | Hash of BTLC_C.exe\r\nf8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86 | SHA-256 | Hash of HolyRS.exe\r\nbea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af | SHA-256 | Hash of BTLC.exe\r\ncmd.exe /Q /c schtasks /create /tn lockertask /tr [File] /sc minute /mo 1 /F /ru system 1\u003e \\\\127.0.0.1\\ADMIN$\\__[randomnumber] 2\u003e\u00261 | Command line | Example of a new ScheduledTask launching BTLC.exe\r\n193[.]56[.]29[.]123 | C2 | C2 IP address\r\nH0lyGh0st@mail2tor[.]com | Email | Ransomware payment communication address\r\nC:\\FOR_DECRYPT.html | File path | File path of ransom note\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nMicrosoft 365 detections\r\nMicrosoft Defender Antivirus\r\nTrojan:Win32/SiennaPurple.A\r\nRansom:Win32/SiennaBlue.A\r\nRansom:Win32/SiennaBlue.B\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of\r\npossible attack.\r\nDEV-0530 activity group\r\nRansomware behavior detected in the file system\r\nPossible ransomware infection modifying multiple files\r\nPossible ransomware activity\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nTo locate possible DEV-0530 activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed\r\nbelow:\r\nIdentify DEV-0530 IOCs\r\nThis query identifies a match based on IOCs related to DEV-0530 across 
various Sentinel data feeds:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_July2022.yaml\r\nIdentify renamed file extension\r\nDEV-0530 actors are known to encrypt the contents of the victim’s device as well as rename the file and extension. The\r\nfollowing query detects the creation of files with the .h0lyenc extension:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml\r\nIdentify Microsoft Defender Antivirus detection related to DEV-0530\r\nThis query looks for Microsoft Defender AV detections related to DEV-0530 and joins the alert with other data sources to\r\nsurface additional information such as device, IP, signed-in users, etc.\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Dev-0530AVHits.yaml\r\nYara rules\r\nrule SiennaPurple\r\n{\r\n    meta:\r\n        author = \"Microsoft Threat Intelligence Center (MSTIC)\"\r\n        description = \"Detects PDB path, C2, and ransom note in DEV-0530 Ransomware SiennaPurple samples\"\r\n        hash = \"99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd\"\r\n    strings:\r\n        $s1 = \"ForOP\\\\attack(utils)\\\\attack tools\\\\Backdoor\\\\powershell\\\\btlc_C\\\\Release\\\\btlc_C.pdb\"\r\n        $s2 = \"matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion\"\r\n        $s3 = \"H0lyGh0st@mail2tor.com\"\r\n        $s4 = \"We are \u003cholyghost\u003e. All your important files are stored and encrypted.\"\r\n        $s5 = \"aic^ef^bi^abc0\"\r\n        $s6 = \"---------------------------3819074751749789153841466081\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        filesize \u003c 7MB and filesize \u003e 1MB and\r\n        all of ($s*)\r\n}\r\nrule SiennaBlue\r\n{\r\n    meta:\r\n        author = \"Microsoft Threat Intelligence Center (MSTIC)\"\r\n        description = \"Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples\"\r\n        hash1 = \"f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86\"\r\n        hash2 = \"541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219\"\r\n    strings:\r\n        $holylocker_s1 = \"C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go\"\r\n        $holylocker_s2 = \"HolyLocker/Main.EncryptionExtension\"\r\n        $holylocker_s3 = \"HolyLocker/Main.ContactEmail\"\r\n        $holylocker_s4 = \"HolyLocker/communication.(*Client).GetPubkeyFromServer\"\r\n        $holylocker_s5 = \"HolyLocker/communication.(*Client).AddNewKeyPairToIntranet\"\r\n        $holyrs_s1 = \"C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go\"\r\n        $holyrs_s2 = \"HolyGhostProject/MainFunc.ContactEmail\"\r\n        $holyrs_s3 = \"HolyGhostProject/MainFunc.EncryptionExtension\"\r\n        $holyrs_s4 = \"HolyGhostProject/Network.(*Client).GetPubkeyFromServer\"\r\n        $holyrs_s5 = \"HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet\"\r\n        $s1 = \"Our site : H0lyGh0stWebsite\"\r\n        $s2 = \".h0lyenc\"\r\n        $go_prefix = \"Go build ID:\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        filesize \u003c 7MB and filesize \u003e 1MB and\r\n        $go_prefix and all of ($s*) and\r\n        (all of ($holylocker_*) or all of ($holyrs_*))\r\n}\r\nSource: 
https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/"
	],
	"report_names": [
		"north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40ec2da8-7156-4bff-b878-41984eb70df4",
			"created_at": "2024-02-02T02:00:04.080917Z",
			"updated_at": "2026-04-10T02:00:03.555365Z",
			"deleted_at": null,
			"main_name": "Storm-0530",
			"aliases": [
				"DEV-0530",
				"H0lyGh0st"
			],
			"source_name": "MISPGALAXY:Storm-0530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/787d56f312c521364af36252110d67d463c4ab3a.pdf",
		"text": "https://archive.orkl.eu/787d56f312c521364af36252110d67d463c4ab3a.txt",
		"img": "https://archive.orkl.eu/787d56f312c521364af36252110d67d463c4ab3a.jpg"
	}
}