Onyx Sleet uses array of malware to gather intelligence for North Korea

2024-07-25 Microsoft

https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/

Microsoft assesses Onyx Sleet as a North Korean threat actor conducting cyber espionage against military, defense, technology, engineering, and energy targets, with primary activity in India, South Korea, and the United States. The actor historically used spear-phishing but more recently shifted toward exploiting N-day vulnerabilities such as TeamCity CVE-2023-42793, Log4j CVE-2021-44228, Apache ActiveMQ CVE-2023-46604, Confluence CVE-2023-22515, and PaperCut CVE-2023-27350 for initial access. Its toolset includes custom RATs and backdoors such as Dtrack, Dora RAT, TigerRAT, SmallTiger, LightHand, and ValidAlpha, alongside off-the-shelf tools including Sliver, RMM tools, SOCKS proxy tools, Ngrok, masscan, Themida, and VMProtect. Microsoft notes that Onyx Sleet often uses leased VPS and compromised cloud infrastructure for C2, relies on custom encryption, obfuscation, and in-memory execution, and has been tied to attacks against aerospace, defense, education, construction, and manufacturing organizations. The reporting links Onyx Sleet to aliases including Andariel, SILENT CHOLLIMA, DarkSeoul, Stonefly, and TDrop2, and highlights its persistence as a DPRK-aligned intelligence and financial threat.

Indicators of Compromise
