Mallory
Storm-0530

Also known as: Storm-0530

Storm-0530 is a North Korea-linked threat actor associated with the H0lyGh0st ransomware (a self-chosen name the group uses on its ransom page). Microsoft reporting describes Storm-0530 as having notable affiliations with the North Korean actor Onyx Sleet (also known as Silent Chollima or Andariel): Storm-0530 has been observed interacting with Onyx Sleet email accounts and communicating with known Onyx Sleet attacker accounts, and Microsoft states that the two groups operate from the same infrastructure set and use custom malware controllers with similar names. H0lyGh0st ransomware campaigns attributed to Storm-0530 compromised small businesses in multiple countries as early as September 2021, including very small organizations such as small schools and a family-owned plumbing business. Analysis of H0lyGh0st-associated cryptocurrency wallets reportedly showed that the operators received zero Bitcoin payments.
