🇰🇵 KP5 malware familiesExploits CVEs in the wild

DEV-0530

Also known asdev_0530

DEV-0530 is a DPRK-origin cybercriminal group tracked by Microsoft under the DEV-0530 alias and identified as the developer of the H0lyGh0st ransomware. Microsoft assessed that DEV-0530 has connections to Andariel, and SEKOIA.IO assessed it is likely an offshoot of Andariel. The available content links the group to North Korean cyber activity that blends financially motivated operations with broader DPRK-linked intrusion-set activity. Known alias: dev_0530.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

H0lyGh0stthe cybercriminal group which developed the H0lyGh0st ransomware is assessed to be originating from the DPRK2Apr 18, 2026

BLTC.exe"The latest variant, BLTC.exe, has a hardcoded intranet URL and ServerBaseUrl... Unlike its predecessors, BLTC.exe establishes persistence by creating and deleting a scheduled task called lockertask."1Mar 18, 2026

BTLC_C.exe"The first malware developed by the H0lyGh0st ransomware group was named BTLC_C.exe... classified under the SiennaPurple malware family"1Mar 18, 2026

HolyLock.exe"...built new ransomware variants. These new variants, HolyRs.exe, HolyLock.exe, and BLTC.exe, are classified under the SiennaBlue malware family."1Mar 18, 2026

HolyRs.exe"...built new ransomware variants. These new variants, HolyRs.exe, HolyLock.exe, and BLTC.exe, are classified under the SiennaBlue malware family."1Mar 18, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2022-26352RCE via Unrestricted File Upload in dotCMS ContentResource APIIn the wildEvidence1

To gain initial access, new variants of H0lyGh0st ransomware search for vulnerabilities in the public-facing web applications and content management systems of their target. DotCMS RCE (CVE-2022-26352) vulnerability is one of the vulnerabilities exploited by the ransomware group.

IOCS

Observables

11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

11 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

sekoia blogNews

Dec 16, 2022

The DPRK delicate sound of cyber - Sekoia.io Blog

A DPRK-origin cybercriminal group linked to H0lyGh0st ransomware and assessed as having connections to Andariel, possibly as an offshoot engaged in moonlighting ransomware activity.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables11

Domains, IPs, and hashes tied to this actor, refreshed continuously.