In February 2025, Microsoft reported a notable shift in the tactics of Moonstone Sleet, a North Korea-linked Advanced Persistent Threat (APT) group previously tracked as Storm-1789. The group, known for combining cyber-espionage with revenue-generating operations, has begun deploying Qilin ransomware in a limited number of attacks. This is a departure from its earlier reliance on custom-built ransomware, and Microsoft's findings show Moonstone Sleet continuing to add new tools and techniques to already varied intrusion campaigns.
Moonstone Sleet’s Ransomware Shift
Moonstone Sleet, a group tied to North Korea's state-backed hacking operations, has historically deployed its own custom ransomware alongside its espionage tooling. In February 2025, Microsoft observed the group expanding its toolkit by deploying Qilin ransomware in a select number of attacks. The change is significant because Qilin is operated as Ransomware-as-a-Service (RaaS): the encryptor and leak infrastructure belong to a criminal operation rather than to the group's own development effort.
Microsoft first publicly documented Moonstone Sleet in May 2024, describing a mix of new and established techniques: fake companies, trojanized tools, a malicious game, and bespoke ransomware. Although the group's early activity overlapped with that of other North Korean threat actors, it has since built out its own infrastructure and attack methods, with financial institutions and espionage targets as its main focus.
Moonstone Sleet's initial-access methods are multifaceted. The group distributes trojanized software, operates fraudulent businesses such as StarGlow Ventures and C.C. Waterfall, and approaches victims through LinkedIn, Telegram, and freelancing platforms. It has also distributed a fake tank game, DeTankWar, to deliver malware, and has used LinkedIn profiles posing as software developers seeking employment to get a foothold inside target organizations.
Qilin ransomware has been active since at least 2022 and drew wide attention after the June 2024 attack on Synnovis, a UK pathology services provider, which disrupted services at NHS hospitals in London. The Qilin operation follows the double-extortion model: it encrypts data and threatens to leak stolen copies unless a ransom is paid. The operation also claimed a breach of Ukraine's Ministry of Foreign Affairs, where sensitive data was allegedly stolen and offered for sale to third parties.
What Undercode Says: An Analysis of Moonstone Sleet's New Strategy
Moonstone Sleet's adoption of Qilin ransomware offers several insights into how North Korean state-backed actors are evolving. Using a RaaS-operated payload is both a practical and a strategic choice. Practically, the group no longer has to maintain its own encryptor, leak site, and negotiation process; it can obtain those from an established criminal operation and concentrate on its core objectives of espionage and revenue generation. Strategically, a widely used commodity payload complicates attribution: a Qilin infection looks, on its own, like the work of a financially motivated affiliate. For defenders, the practical caveat is that the ransomware family alone should not be used to infer who is behind an intrusion. Attribution has to rest on the initial-access tradecraft, the tooling used before encryption, and the infrastructure involved.
Particularly striking is how far Moonstone Sleet has refined its social engineering. By creating fake companies like StarGlow Ventures and C.C. Waterfall and engaging targets on platforms such as LinkedIn and Telegram, the group blurs the line between legitimate business contact and an intrusion attempt. Because these approaches look like ordinary recruiting or vendor outreach, targets have little reason to be suspicious until the compromise is well under way.
The group's use of multiple delivery mechanisms, including trojanized software, a malicious game, and now commodity ransomware, reflects a diversified approach. Having several independent attack vectors means that a control that blocks one path (for example, software-download policies) does not stop the others (a job-seeker persona or a Telegram contact), which makes the group a persistent adversary.
The move into Qilin also brings Moonstone Sleet into the double-extortion model. By both encrypting data and threatening to publish it, the group increases the pressure on victims to pay, while the data it exfiltrates can serve its intelligence objectives regardless of whether a ransom is paid.
The implications are significant. Folding Qilin ransomware into Moonstone Sleet's repertoire further erodes the distinction between state-sponsored espionage and financially motivated cybercrime. As the group keeps refining its methods, it presents an increasingly complex challenge to security teams and organizations worldwide.
Fact Checker Results
- Qilin Ransomware: The 2024 attack on Synnovis is well documented. Microsoft's reporting that Moonstone Sleet deployed Qilin in a limited number of attacks is consistent with the group's established pattern of combining espionage with financially motivated operations.
- Moonstone Sleet's Use of RaaS: The group's adoption of a RaaS-operated ransomware is a confirmed change from its previous reliance on custom ransomware, marking a notable evolution in its strategy.
- Ukraine's Ministry of Foreign Affairs Attack: The attack on Ukraine's Ministry of Foreign Affairs, with claims of stolen sensitive data, was claimed by the Qilin operation and has been widely reported. It has not been publicly attributed to Moonstone Sleet, so it should be read as background on Qilin rather than as part of Moonstone Sleet's activity.
References:
Reported By: https://securityaffairs.com/175178/apt/north-korea-linked-apt-moonstone-used-qilin-ransomware.html