Storm-0530

Also known as: DEV-0530, H0lyGh0st, Storm-0530

H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs “double extortion” tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.

🌍 Country North Korea

Activities and Tactics

Country of Origin: 🇰🇵 North Korea

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • gh0st
  • Small-Net
  • Gh0st RAT

Attribution and Evidence

Country of Origin: North Korea

Additional attribution information pending cataloguing.

References

References pending cataloguing.