{ "type": "bundle", "id": "bundle--ecc1cdf7-b452-4a42-b65c-96f52fbad6b9", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--a361b290-d09a-4e0e-a13d-681ca0c3dcc7", "created": "2023-03-08T12:51:43.404685Z", "modified": "2024-08-31T04:09:59.408166Z", "name": "Microsoft", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--60febf53-8f73-491e-8247-fc41b39817b4", "hashes": { "SHA-256": "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd" } }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--726afad5-d37d-4c03-a5b2-4cc6493e48a0", "value": "H0lyGh0st@mail2tor.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--4b3bf79d-b2f1-4f85-8f05-087db0ce15eb", "value": "mail2tor.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--3de8b058-bbe7-4a2c-ae4f-68133174893e", "value": "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion" }, { "type": "file", "spec_version": "2.1", "id": "file--b9a506d3-ea0c-4170-9f93-c6669a3905cb", "hashes": { "SHA-256": "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219" } }, { "type": "file", "spec_version": "2.1", "id": "file--ad06c2b4-125b-4086-a0a3-e5681fc5fb98", "hashes": { "SHA-256": "bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af" } }, { "type": "file", "spec_version": "2.1", "id": "file--a2744719-bda6-4631-b6fd-d4e9b185e67e", "hashes": { "SHA-256": "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86" } }, { "type": "url", "spec_version": "2.1", "id": "url--d315542d-8d85-4960-9578-15ab0e8ba921", "value": "http://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--8bad607f-4b68-4929-8e0a-0ed18d7003d1", "value": "193.56.29.123" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e69046c-88e4-411f-bb9d-f9d9e65a90f0", "created": "2026-06-24T19:59:01.091001Z", "modified": "2026-06-24T19:59:01.091001Z", "name": "YARA Rule", "pattern": "rule SiennaBlue { meta: author = \"Microsoft Threat Intelligence Center (MSTIC)\" description = \"Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples\" hash1 = \"f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86\" hash2 = \"541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219\" strings: $holylocker_s1 = \"C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go\" $holylocker_s2 = \"HolyLocker/Main.EncryptionExtension\" $holylocker_s3 = \"HolyLocker/Main.ContactEmail\" $holylocker_s4 = \"HolyLocker/communication.(*Client).GetPubkeyFromServer\" $holylocker_s5 = \"HolyLocker/communication.(*Client).AddNewKeyPairToIntranet\" $holyrs_s1 = \"C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go\" $holyrs_s2 = \"HolyGhostProject/MainFunc.ContactEmail\" $holyrs_s3 = \"HolyGhostProject/MainFunc.EncryptionExtension\" $holyrs_s4 = \"HolyGhostProject/Network.(*Client).GetPubkeyFromServer\" $holyrs_s5 = \"HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet\" $s1 = \"Our site : H0lyGh0stWebsite\" $s2 = \".h0lyenc\" $go_prefix = \"Go build ID:\" condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 7MB and filesize > 1MB and $go_prefix and all of ($s*) and (all of ($holylocker_*) or all of ($holyrs_*)) }", "pattern_type": "yara", "valid_from": "2022-07-14T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--144cdda6-d67f-4633-ba6f-e2d68946e3e7", "created": "2026-06-24T19:59:01.091655Z", "modified": "2026-06-24T19:59:01.091655Z", "name": "YARA Rule", "pattern": "rule SiennaPurple { meta: author = \"Microsoft Threat Intelligence Center (MSTIC)\" description = \"Detects PDB path, C2, and ransom note in DEV-0530 Ransomware SiennaPurple samples\" hash = \"99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd\" strings: $s1 = \"ForOP\\\\attack(utils)\\\\attack tools\\\\Backdoor\\\\powershell\\\\btlc_C\\\\Release\\\\btlc_C.pdb\" $s2 = \"matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion\" $s3 = \"H0lyGh0st@mail2tor.com\" $s4 = \"We are . All your important files are stored and encrypted.\" $s5 = \"aic^ef^bi^abc0\" $s6 = \"---------------------------3819074751749789153841466081\" condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 7MB and filesize > 1MB and all of ($s*) }", "pattern_type": "yara", "valid_from": "2022-07-14T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--3576cb15-4a82-408e-9446-cd50c60a4c77", "hashes": { "SHA-256": "f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c" } }, { "type": "url", "spec_version": "2.1", "id": "url--33d0c881-3cf5-40f3-af67-5cd42bacfc6d", "value": "https://cloud-ex42.usaupload.com/cache/plugins/filepreviewer/219002/f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c/1100x800_cropped.jpg" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--9c4f7b20-ad54-4eed-b927-d150379c9816", "value": "cloud-ex42.usaupload.com" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--552ec6f3-c95c-5c6f-b92d-bd469a67e493", "created": "2026-06-24T19:59:01.098515Z", "modified": "2026-06-24T19:59:01.098515Z", "name": "DEV-0530" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--c44b28a6-6fdc-5f41-a30b-5944467016c8", "created": "2026-06-24T19:59:01.101562Z", "modified": "2026-06-24T19:59:01.101562Z", "name": "Plutonium" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--2affbaa4-5aae-53f8-8e70-9e82df1e8160", "created": "2026-06-24T19:59:01.103878Z", "modified": "2026-06-24T19:59:01.103878Z", "name": "OnyxSleet" }, { "type": "report", "spec_version": "2.1", "id": "report--963e87ef-f6b4-4b08-b148-21ac0a691e93", "created_by_ref": "identity--a361b290-d09a-4e0e-a13d-681ca0c3dcc7", "created": "2026-06-24T19:59:01.104923Z", "modified": "2026-06-24T19:59:01.104923Z", "name": "North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware", "published": "2022-07-14T00:00:00Z", "object_refs": [ "identity--a361b290-d09a-4e0e-a13d-681ca0c3dcc7", "file--60febf53-8f73-491e-8247-fc41b39817b4", "email-addr--726afad5-d37d-4c03-a5b2-4cc6493e48a0", "domain-name--4b3bf79d-b2f1-4f85-8f05-087db0ce15eb", "domain-name--3de8b058-bbe7-4a2c-ae4f-68133174893e", "file--b9a506d3-ea0c-4170-9f93-c6669a3905cb", "file--ad06c2b4-125b-4086-a0a3-e5681fc5fb98", "file--a2744719-bda6-4631-b6fd-d4e9b185e67e", "url--d315542d-8d85-4960-9578-15ab0e8ba921", "ipv4-addr--8bad607f-4b68-4929-8e0a-0ed18d7003d1", "indicator--1e69046c-88e4-411f-bb9d-f9d9e65a90f0", "indicator--144cdda6-d67f-4633-ba6f-e2d68946e3e7", "file--3576cb15-4a82-408e-9446-cd50c60a4c77", "url--33d0c881-3cf5-40f3-af67-5cd42bacfc6d", "domain-name--9c4f7b20-ad54-4eed-b927-d150379c9816", "threat-actor--552ec6f3-c95c-5c6f-b92d-bd469a67e493", "threat-actor--c44b28a6-6fdc-5f41-a30b-5944467016c8", "threat-actor--2affbaa4-5aae-53f8-8e70-9e82df1e8160" ], "external_references": [ { "source_name": "source", "url": "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/" } ] } ] }