Recent cybersecurity reports reveal that a North Korean hacking group, identified as Moonstone Sleet, has begun deploying Qilin ransomware in a series of targeted attacks. This marks a significant shift in their tactics, as they have traditionally relied on their own custom ransomware tools. The collaboration with a Ransomware-as-a-Service (RaaS) operator highlights an evolving threat landscape.

Moonstone Sleet's New Tactics

Since late February 2025, Moonstone Sleet has been observed using Qilin ransomware against a limited number of organizations. This group, previously tracked as Storm-1789, has a history of overlapping activity with other North Korean threat actors such as Diamond Sleet and Onyx Sleet. However, it has since developed its own distinct methods and infrastructure.

Targeting Strategies

Moonstone Sleet's operations focus on both financial and cyberespionage objectives. They employ a variety of tactics, including the use of trojanized software like PuTTY, custom malware loaders, and malicious npm packages. Additionally, they create fake software development companies, such as C.C. Waterfall and StarGlow Ventures, to engage with potential victims through platforms like LinkedIn, freelancing networks, Telegram, and email.

  • Trojanized Software: Uses backdoored copies of legitimate applications to gain initial access.
  • Fake Companies: Establishes fraudulent businesses to lure targets.

The Rise of Qilin Ransomware

The Qilin ransomware group, active since August 2022, has claimed over 300 victims on its dark web leak site. Although initially quiet, the group's attacks surged toward the end of 2023. In December 2023, Qilin affiliates began deploying sophisticated Linux encryptors to compromise VMware ESXi virtual machines.

Notable Incidents

Qilin's ransom demands vary significantly, ranging from $25,000 to millions, depending on the victim's size. The group has targeted high-profile entities, including automotive giant Yanfeng, Lee Enterprises, Australia's Court Services Victoria, and Synnovis. The attack on Synnovis led to significant disruptions in NHS hospitals across London, resulting in numerous canceled operations and appointments.

  • High-Profile Targets: Includes major corporations and public services.
  • Significant Impact: Causes operational disruptions and financial losses.

Historical Context and Future Implications

Moonstone Sleet's involvement with ransomware is not unprecedented. In May 2024, they were linked to a custom FakePenny ransomware variant, demanding $6.6 million in Bitcoin. North Korean-backed groups have a history of ransomware attacks, with the Lazarus Group being blamed for the infamous WannaCry outbreak in 2017. More recently, in July 2022, North Korean hackers were associated with the Holy Ghost and Maui ransomware operations targeting healthcare organizations.