H0lyGh0st
H0lyGh0st is a DPRK-linked ransomware family associated with the North Korea-based, financially motivated extortion group also referred to as H0lyGh0st/DEV-0530, with reported overlaps to the Lazarus sub-group Andariel (also tracked as Onyx Sleet, PLUTONIUM, or Stonefly). Public reporting states the malware was active in the wild from at least June 2021, with successful attacks observed from September 2021. It has been described as one of the bespoke ransomware families historically built and deployed by Lazarus-linked operators, alongside WannaCry and Maui.
The malware and associated operators are described as primarily targeting small-to-midsize organizations, including financial services, manufacturing, education, entertainment, and in broader DPRK ransomware reporting, healthcare and other critical infrastructure. Campaigns reportedly affected small organizations in multiple countries, including examples such as small schools and a family-owned plumbing business. The operators used double extortion: after initial access and lateral movement, they exfiltrated victim data, encrypted systems, and threatened to leak stolen data via their .onion site or platforms such as Pastebin if ransom was not paid. Ransom demands were reported in bitcoin, typically ranging from 1.2 to 5 BTC, with some victims negotiating discounts.
Reporting states that H0lyGh0st operators searched for vulnerabilities in public-facing web applications and content management systems for initial access, including exploitation of the DotCMS RCE CVE-2022-26352. Broader joint advisories on DPRK ransomware activity also state that DPRK actors used known vulnerabilities such as Log4Shell (CVE-2021-44228), SonicWall SMA100 (CVE-2021-20038), and TerraMaster TOS (CVE-2022-24990), and distributed Trojanized X-Popup messenger files via the domains xpopup.pe[.]kr and xpopup[.]com. Advisories further note that DPRK actors may deploy H0lyGh0st and demand payment in bitcoin while masking attribution through foreign infrastructure, VPNs, VPSs, and third-country identities.
Multiple H0lyGh0st payload variants are described. The earliest cited sample, BTLC_C.exe, belongs to the SiennaPurple family, is written in C++, requires administrator privileges, and uses simple string obfuscation by subtracting 0x30 from each character’s hex value. A cited encoded C2 example for this variant is tied to hxxp://193[.]56[.]29[.]123:8888. Later variants including HolyRs.exe, HolyLock.exe, and BLTC.exe are described as Go-based members of the SiennaBlue family sharing common functions for encryption options, key management, and networking. After encryption, H0lyGh0st variants are reported to Base64-encode filenames, append the .h0lyenc extension, and drop a ransom note named FOR_DECRYPT.html. The BLTC.exe variant reportedly contains a hardcoded intranet URL and ServerBaseUrl, can fall back to a network share using default credentials, and establishes persistence via a scheduled task named lockertask.
Reporting provides the following high-confidence indicators associated with H0lyGh0st samples: SHA-256 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd, f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86, and bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af; the ransom note FOR_DECRYPT.html; the extension .h0lyenc; the scheduled task lockertask; and infrastructure including xpopup.pe[.]kr, xpopup[.]com, 115.68.95[.]128, 119.205.197[.]111, and the BTLC_C.exe C2 193[.]56[.]29[.]123:8888. Analysis of H0lyGh0st-associated cryptocurrency wallets reportedly showed zero bitcoin payments in one Microsoft discussion.
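The two paragraphs above describe both a reversible string obfuscation (SiennaPurple subtracts 0x30 from each byte) and a set of on-host and network artifacts a defender can hunt for. The following Python is an added example, not code from the page, from Microsoft, from any advisory, or from the Mallory product. It assumes a simple dict shape for telemetry events and treats the byte subtraction as wrapping modulo 256 (an assumption; the reporting only says "subtracting 0x30"). It recovers a string encoded with the described transform, then flags constructed sample events that match the published artifacts: a Base64-named file with the .h0lyenc extension, the FOR_DECRYPT.html note, the lockertask scheduled task, and connections to the listed infrastructure.

```python
"""Defender-side triage helpers for the H0lyGh0st indicators described above.

Added example; not the page's, Microsoft's, CISA's, or Mallory's own code.
Part 1 reverses the SiennaPurple string obfuscation so an analyst can read
strings from a dump; part 2 scans telemetry for the documented artifacts.
All sample inputs are constructed for the demo.
"""
import base64
import binascii
import re

# Infrastructure from the reporting, kept defanged exactly as published.
IOC_NETWORK = {
    "xpopup.pe[.]kr", "xpopup[.]com", "115.68.95[.]128",
    "119.205.197[.]111", "193[.]56[.]29[.]123",
}
RANSOM_NOTE = "FOR_DECRYPT.html"
ENC_EXT = ".h0lyenc"
TASK_NAME = "lockertask"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


REFANGED = {refang(i) for i in IOC_NETWORK}


def obfuscate_siennapurple(text: str) -> bytes:
    """Apply the documented transform (0x30 subtracted per byte, wrap assumed).
    Used here only to build a constructed input; real samples ship pre-encoded."""
    return bytes((b - 0x30) & 0xFF for b in text.encode())


def deobfuscate_siennapurple(blob: bytes) -> str:
    """Reverse the transform: add 0x30 back to every byte."""
    return bytes((b + 0x30) & 0xFF for b in blob).decode("latin-1")


def looks_base64(stem: str) -> bool:
    """H0lyGh0st Base64-encodes the original filename before appending .h0lyenc."""
    if not stem or len(stem) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", stem):
        return False
    try:
        base64.b64decode(stem, validate=True)
        return True
    except binascii.Error:
        return False


def classify_event(event: dict) -> list:
    """Return the reasons an event matches H0lyGh0st artifacts (empty list = clean)."""
    hits = []
    kind = event.get("type")
    if kind == "file":
        name = event["path"].rsplit("/", 1)[-1]
        if name == RANSOM_NOTE:
            hits.append("ransom note FOR_DECRYPT.html")
        elif name.endswith(ENC_EXT):
            stem = name[: -len(ENC_EXT)]
            suffix = " with base64 stem" if looks_base64(stem) else ""
            hits.append("h0lyenc extension" + suffix)
    elif kind == "task" and event.get("name", "").lower() == TASK_NAME:
        hits.append("scheduled task lockertask")
    elif kind == "net" and event.get("dest") in REFANGED:
        hits.append("known H0lyGh0st infrastructure " + event["dest"])
    return hits


def scan_events(events):
    """Return (event, reasons) pairs for every event with at least one hit."""
    out = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            out.append((ev, reasons))
    return out


# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = [
    {"type": "file", "path": "C:/Users/a/Documents/"
     + base64.b64encode(b"budget.xlsx").decode() + ENC_EXT},
    {"type": "file", "path": "C:/Users/a/Documents/FOR_DECRYPT.html"},
    {"type": "file", "path": "C:/Users/a/Documents/notes.txt"},
    {"type": "task", "name": "LockerTask"},
    {"type": "net", "dest": "193.56.29.123"},
    {"type": "net", "dest": "10.0.0.5"},
]

if __name__ == "__main__":
    blob = obfuscate_siennapurple("http://193.56.29.123:8888")
    print("recovered:", deobfuscate_siennapurple(blob))
    for ev, why in scan_events(SAMPLE_EVENTS):
        print(ev, "->", "; ".join(why))
```

The Base64 check is deliberately strict (length multiple of four, valid alphabet, decodable) so that ordinary files with a .h0lyenc-like suffix are reported without the "base64 stem" qualifier; the task-name match is case-insensitive because Windows task names are.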
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Recently observed CVEs that actors used to gain access include ... remote code execution in unpatched SonicWall SMA 100 appliances... Observed CVEs used include: CVE-2021-20038
Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell)... Observed CVEs used include: CVE-2021-44228
Observed CVEs used include: ... CVE-2022-24990 ... The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw...
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Lazarus Group has historically deployed its own ransomware families -- Maui, H0lyGh0st, and WannaCry.
the cybercriminal group which developed the H0lyGh0st ransomware is assessed to be originating from the DPRK
"H0lyGh0st is a North Korea-based threat actor group... Like other ransomware groups, H0lyGh0st is a cyber extortion group... After exfiltration, H0lyGh0st encrypts the victim's data..."
Microsoft reported on Onyx Sleet’s and Storm-0530’s h0lyGhost ransomware in 2022.
This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
"Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations."
"Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses..."
Initial Access
3 techniques
"...remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133]."
These threat actors are known to obfuscate their identities by operating under third-party foreign affiliate identities, purchase VPNs or foreign IP addresses, and use known vulnerabilities to gain network access.
"Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger... [T1195]."
Persistence
1 technique
Discovery
1 technique
"...perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021]."
Lateral Movement
1 technique
"...perform reconnaissance activities... and execute shell commands [T1083, T1021]."
Impact
1 technique
North Korean state-sponsored cyber threat actors have been targeting the healthcare sector with ransomware... The threat actors may also employ various ransomware tools, such as Maui and H0lyGh0st, and demand ransoms in the form of bitcoin.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a prior Lazarus-operated ransomware family historically built and controlled by the group.
H0lyGh0st is cited as a ransomware family historically deployed by Lazarus Group.
A bespoke ransomware family used by the Lazarus sub-cluster Andariel in attacks against entities in South Korea, Japan, and the U.S.
Ransomware payload associated with Storm 0530; described as opportunistic/erratic targeting of small organizations and small businesses across multiple countries.