From fa7709e63c4731f96432b0845a67cf1f368765c5 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 1 Feb 2024 11:02:04 -0800
Subject: [PATCH] [threat-actors] Add Storm-0530

---
 clusters/threat-actor.json | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7776a1b1..a99b741e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14613,6 +14613,25 @@
       },
       "uuid": "874860fe-5aee-4c94-aee1-2166c225c41e",
       "value": "Storm-0381"
+    },
+    {
+      "description": "H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs \"double extortion\" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.",
+      "meta": {
+        "country": "KP",
+        "refs": [
+          "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/",
+          "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a",
+          "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware",
+          "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/",
+          "https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware"
+        ],
+        "synonyms": [
+          "DEV-0530",
+          "H0lyGh0st"
+        ]
+      },
+      "uuid": "47945864-c233-46e7-8b96-b427b97b0ebf",
+      "value": "Storm-0530"
     }
   ],
   "version": 298