Groups in Development Threat Actor Storm-0530

A group of actors originating from North Korea that Microsoft tracks as Storm-0530 (formerly DEV-0530) has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name for its campaigns and has successfully compromised small businesses in multiple countries as early as September 2021. Microsoft assesses that Storm-0530 has connections with another North Korean-based group tracked as Onyx Sleet (formerly PLUTONIUM, aka DarkSeoul or Andariel). While the use of H0lyGh0st ransomware in campaigns is unique to Storm-0530, Microsoft has observed communications between the two groups, as well as Storm-0530 using tools created exclusively by Onyx Sleet.