Citrine and Onyx Sleet: An Inside Look at North Korean Threat Actors
2024-09-11 • Microsoft
https://thecyberwire.com/podcasts/microsoft-threat-intelligence/27/notes
Microsoft Threat Intelligence discussed two North Korea-linked clusters, Onyx Sleet and Storm-0530, with emphasis on how DPRK cyber activity mixes espionage, theft, and moonlighting-style operations. The notes describe Onyx Sleet as a long-running actor that targets defense and energy organizations, especially in the United States and India. The group has also moved into ransomware and relies on malware downloaders, zero-day exploitation, the D-Track remote access tool, fake certificates, and software supply-chain activity. The episode highlights open questions around Onyx Sleet's cryptocurrency activity, its use of fake Tableau certificates, and recent attack chains involving a Chromium engine vulnerability.