Onyx Sleet
| Attribute | Value |
|---|---|
| Actor Type | Nation State |
| Attributed to Nation | North Korea |
| Directly Linked Intrusion Sets | Andariel, APT45 |
| Affiliated Intrusion Sets | Storm-0530 |
| Associated Threat Actor | North Korean Reconnaissance General Bureau 3rd Bureau |
| Associated MITRE ATT&CK Group | Andariel (G0138) |
Onyx Sleet, formerly known as PLUTONIUM, is a North Korean nation-state threat actor that has been active since at least 2014. Its primary targets include the military, defense, and technology industries, with a focus on organizations in India, South Korea, and the United States. Historically, Onyx Sleet relied on spear-phishing to compromise target environments. However, it has also been observed exploiting N-day vulnerabilities, using both publicly available and custom exploits for initial access.
In October 2023, Onyx Sleet exploited the TeamCity CVE-2023-42793 vulnerability to gain administrative control of a server. The threat actor maintains an extensive set of custom remote access trojans (RATs) and continually evolves its toolset to evade detection while adhering to tried and tested attack tradecraft.
Onyx Sleet Threat Reports
Onyx Sleet uses array of malware to gather intelligence for North Korea
Following an indictment by the US Department of Justice linked to the intrusion set Microsoft tracks as Onyx Sleet, this report includes details of ...