Onyx Sleet / PLUTONIUM (also known as Andariel and Silent Chollima) is a state-sponsored advanced persistent threat group attributed to North Korea (RGB, Bureau 121), active since 2015. The group primarily targets the defense, energy, healthcare, and financial sectors. It is tracked by MITRE ATT&CK as G0138.
Overview & Attribution
North Korean APT conducting dual espionage and ransomware operations against defense, energy, and healthcare sectors using custom implants and opportunistic vulnerability exploitation.
Onyx Sleet has been active since 2015 and is attributed to North Korea (RGB, Bureau 121). The group is known for targeting the defense, energy, healthcare, and financial sectors using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: North Korea (RGB, Bureau 121)
- Active since: 2015
- Primary targets: defense, energy, healthcare, financial
- Also known as: PLUTONIUM, Andariel, Silent Chollima
Arsenal & Tools
Onyx Sleet employs a diverse arsenal of custom and shared tooling:
- DTrack: Custom/shared tooling used in operations
- TigerRAT: Custom/shared tooling used in operations
- EarlyRAT: Custom/shared tooling used in operations
- NukeSped: Custom/shared tooling used in operations
- Black RAT: Custom/shared tooling used in operations
Targeting & Operations
The group focuses on the defense, energy, healthcare, and financial sectors, with operations spanning multiple geographic regions. Its campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
Onyx Sleet is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing App | Log4Shell, Exchange exploitation |
| Execution | T1059.001 PowerShell | Post-exploitation automation |
| Persistence | T1543.003 Windows Service | Service-based implants |
| Credential Access | T1003.001 LSASS Memory | Credential harvesting |
| Impact | T1486 Data Encrypted for Impact | Maui/H0lyGh0st ransomware |
| C2 | T1071.001 Web Protocols | HTTP C2 |
Notable Campaigns
Onyx Sleet has been linked to multiple significant campaigns targeting defense, energy, healthcare, and financial organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known Onyx Sleet IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with DTrack and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known Onyx Sleet TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
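As an added illustration of the endpoint-detection item above (example code written for this page, not Mjolnir Security's tooling), the pass below runs two rules from the ATT&CK table over constructed Windows/Sysmon event records: T1543.003 (a service installed from an unusual binary path) and T1003.001 (a non-allowlisted process opening LSASS with read rights). The trusted roots, allowlist, and sample events are assumptions to be tuned per environment.

```python
"""Detection pass for T1543.003 and T1003.001 over constructed event records."""

# Constructed sample events (dicts standing in for parsed System 7045 / Sysmon 10 records).
SAMPLE_EVENTS = [
    {"id": 7045, "service": "WinDefendHelper", "image": "C:\\Users\\Public\\svc.exe"},
    {"id": 7045, "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 10, "source": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": "0x1000"},
    {"id": 10, "source": "C:\\Temp\\update.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": "0x1010"},
]

# Assumption: legitimate service binaries live under these roots (lower-cased).
TRUSTED_SERVICE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: processes expected to open LSASS on this host; tune per environment.
LSASS_ALLOWLIST = {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\system32\\csrss.exe"}
# PROCESS_VM_READ (0x0010) or PROCESS_QUERY_INFORMATION (0x0400) means the handle can read memory.
SENSITIVE_MASK = 0x0010 | 0x0400


def check_service_install(ev):
    """T1543.003: flag a 7045 service install whose binary is outside trusted roots."""
    if not ev["image"].lower().startswith(TRUSTED_SERVICE_ROOTS):
        return f"T1543.003 suspicious service '{ev['service']}' -> {ev['image']}"
    return None


def check_lsass_access(ev):
    """T1003.001: flag a Sysmon 10 event where a non-allowlisted process opens lsass with read rights."""
    if not ev["target"].lower().endswith("\\lsass.exe"):
        return None
    if ev["source"].lower() in LSASS_ALLOWLIST:
        return None
    if int(ev["access"], 16) & SENSITIVE_MASK:
        return f"T1003.001 LSASS access by {ev['source']} (mask {ev['access']})"
    return None


def scan(events):
    """Apply the rule matching each event's ID and return the list of alert strings."""
    alerts = []
    for ev in events:
        hit = check_service_install(ev) if ev["id"] == 7045 else (
            check_lsass_access(ev) if ev["id"] == 10 else None)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the pass raises two alerts: the service installed from C:\Users\Public and the LSASS handle opened by C:\Temp\update.exe, while the Spooler install and svchost's limited-information query are left alone.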
Defend Against Onyx Sleet
Mjolnir Security provides specialized capabilities to detect and respond to Onyx Sleet operations.
- APT Threat Hunting Proactive hunting for Onyx Sleet TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence Continuous monitoring of Onyx Sleet campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.