lazarusholic

Onyx Sleet uses array of malware to gather intelligence for North Korea

2024-07-25, Microsoft
https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/
#LightHand #OnyxSleet #TigerRAT #SmallTiger #BlackRAT #ValidAlpha

On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet’s activity to assess changes following the indictment.
First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to …

IoC
