H0lyGh0st
H0lyGh0st, also known as HolyGhost and DEV-0530, is a North Korea-based, financially motivated cyber extortion and ransomware group active since June 2021. Microsoft now refers to the cluster as Storm-0530. The group has primarily targeted small-to-midsize organizations, including entities in financial services, manufacturing, education, and entertainment.

H0lyGh0st runs double-extortion ransomware operations: it gains initial access, moves laterally, exfiltrates data, encrypts files, and demands payment while threatening to leak the stolen data. It has operated a .onion site to communicate with victims, threatened to publish stolen data on platforms such as Pastebin, and sent victims samples of stolen data as proof of compromise. Reported ransom demands ranged from 1.2 to 5 BTC, and some victims reportedly negotiated reductions.

For initial access, the group has been described as exploiting vulnerabilities in public-facing web applications and content management systems, including the DotCMS remote code execution vulnerability CVE-2022-26352.

Its ransomware variants include the early C++ sample BTLC_C.exe, associated with the SiennaPurple family, and the later Go-based variants HolyRs.exe, HolyLock.exe, and BLTC.exe, associated with the SiennaBlue family. Reported behaviors include Base64-encoding file names, appending the .h0lyenc extension to encrypted files, and dropping a ransom note named FOR_DECRYPT.html. The BLTC.exe variant has been described as using a hardcoded intranet URL and ServerBaseUrl, falling back to a network share with default credentials, and creating (and later deleting) a scheduled task named lockertask for persistence.

Microsoft Threat Intelligence Center reported overlaps between H0lyGh0st and PLUTONIUM (also known as Andariel and DarkSeoul), a subgroup under the Lazarus umbrella, based on observed communications between the two and similar custom malware controllers. That reporting describes H0lyGh0st as North Korea-based and notes the possible affiliation, but it does not state that the two are the same group or give a definitive attribution.
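As an added example (not from the page's sources or from any vendor tooling), the following Python sketch turns the file-system and scheduled-task behaviors described above into a detection that runs over constructed endpoint telemetry. It assumes that an encrypted file's base name is the Base64 form of the original file name (one reading of "Base64-encoding filenames"); the JSON-lines event format, host names, paths and the `budget2023.xlsx` file are invented for the example.

```python
import base64
import json
import re
from collections import defaultdict

# Indicators taken from the reporting summarized on this page.
ENCRYPTED_EXT = ".h0lyenc"
RANSOM_NOTE = "FOR_DECRYPT.html"
TASK_NAME = "lockertask"

# Matches "schtasks /create ... /tn lockertask" and "schtasks /delete ... /tn lockertask".
TASK_RE = re.compile(
    r"schtasks(?:\.exe)?\s+/(create|delete)\b.*?/tn\s+" + re.escape(TASK_NAME) + r"\b",
    re.IGNORECASE,
)

# Constructed sample telemetry (not real victim data): one JSON object per line,
# loosely modelled on EDR file-create and process-create events. Host names,
# paths and the "budget2023.xlsx" file are invented for this example.
SAMPLE_TELEMETRY = r"""
{"host":"ws-017","event":"file_create","path":"C:\\Users\\a.lee\\Documents\\YnVkZ2V0MjAyMy54bHN4.h0lyenc"}
{"host":"ws-017","event":"file_create","path":"C:\\Users\\a.lee\\Documents\\FOR_DECRYPT.html"}
{"host":"ws-017","event":"process_create","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /sc onstart /tn lockertask /tr C:\\ProgramData\\BLTC.exe /ru SYSTEM"}
{"host":"ws-017","event":"process_create","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /delete /tn lockertask /f"}
{"host":"ws-042","event":"file_create","path":"C:\\Users\\b.ng\\Desktop\\notes.txt"}
{"host":"ws-042","event":"process_create","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /sc daily /tn BackupJob /tr C:\\tools\\backup.exe"}
"""


def decode_basename(filename):
    """Return the original name if `filename` looks like <base64>.h0lyenc, else None.

    Assumption for this example: the encrypted file's base name is the Base64
    form of the original file name. Padding is restored before decoding, and the
    result must be printable ASCII, which filters out random-looking stems.
    """
    if not filename.lower().endswith(ENCRYPTED_EXT):
        return None
    stem = filename[: -len(ENCRYPTED_EXT)]
    if not stem:
        return None
    padded = stem + "=" * (-len(stem) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    if not text or not all(32 <= ord(c) < 127 for c in text):
        return None
    return text


def detect(telemetry):
    """Scan JSON-lines telemetry and return one finding per matching event."""
    findings = []
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        host = ev["host"]
        if ev["event"] == "file_create":
            name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1]
            original = decode_basename(name)
            if original is not None:
                findings.append({"host": host, "indicator": "encrypted_file",
                                 "detail": f"{name} (original name: {original})"})
            elif name.lower() == RANSOM_NOTE.lower():
                findings.append({"host": host, "indicator": "ransom_note",
                                 "detail": ev["path"]})
        elif ev["event"] == "process_create":
            m = TASK_RE.search(ev.get("cmdline", ""))
            if m:
                findings.append({"host": host, "indicator": "task_" + m.group(1).lower(),
                                 "detail": ev["cmdline"]})
    return findings


def triage(findings):
    """Per host: two or more distinct indicator types is HIGH, a single type is MEDIUM."""
    kinds_by_host = defaultdict(set)
    for f in findings:
        kinds_by_host[f["host"]].add(f["indicator"])
    return {host: ("HIGH" if len(kinds) >= 2 else "MEDIUM")
            for host, kinds in kinds_by_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_TELEMETRY)
    for f in found:
        print(f"{f['host']}  {f['indicator']:15} {f['detail']}")
    print(triage(found))
```

On the sample data, ws-017 produces four findings (an encrypted file whose name decodes to `budget2023.xlsx`, the ransom note, and the creation and deletion of `lockertask`) and is triaged HIGH, while the benign `BackupJob` task on ws-042 produces nothing. In production the `.h0lyenc` extension alone is reason enough to alert; the decoder is there to recover original file names for scoping, and the `/delete` match matters because the page notes the task is removed again after use, so a create without a later delete is not the only pattern to look for.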
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- KP (North Korea)
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE (CVE-2022-26352) this actor has used in observed campaigns; it has been exploited in the wild.
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
North Korea-linked threat actor cluster listed in Microsoft's threat actor naming taxonomy as Storm-0530 (formerly DEV-0530).
North Korea-linked financially motivated cyber extortion activity conducting ransomware and double-extortion operations primarily against small-to-midsize organizations; develops and deploys custom ransomware variants (BTLC_C.exe, HolyRs.exe, HolyLock.exe, BLTC.exe) and uses data theft plus encryption to coerce payment.