North Korea-linked APT Moonstone used Qilin ransomware in limited attacks

Pierluigi Paganini March 10, 2025

Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks.

Microsoft observed a North Korea-linked APT group, tracked as Moonstone Sleet, deploying Qilin ransomware in limited attacks since February 2025. The APT group uses Qilin ransomware after previously using custom ransomware.

“Moonstone Sleet has previously exclusively deployed their own custom ransomware in their attacks, and this represents the first instance they are deploying ransomware developed by a RaaS operator.” Microsoft wrote on X.

In May 2024, Microsoft observed the North Korea-linked group “Moonstone Sleet” (Previously tracked as Storm-1789) using known and novel techniques like fake companies, trojanized tools, a malicious game, and custom ransomware for financial gain and espionage.

Storm-1789, initially linked to other North Korean threat groups, has since adopted unique tactics, tools, and attack infrastructure.

Moonstone Sleet threat actors target financial and cyberespionage victims using trojanized software, custom malware, malicious games, and fake companies like StarGlow Ventures and C.C. Waterfall to engage victims on LinkedIn, freelancing sites, Telegram, and email.

The APT group has also spread malware via a fraudulent tank game (DeTankWar) and engaged in ransomware attacks using FakePenny. Additionally, they attempt to infiltrate organizations by posing as software developers seeking employment.

The Qilin ransomware group has been active since at least 2022 but gained attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group typically employs “double extortion,” stealing and encrypting victims’ data, then threatening to expose it unless a ransom is paid. In July 2024, Sophos’ Incident Response team observed Qilin’s activity on a domain controller within an organization’s Active Directory domain, with other domain controllers also infected but impacted differently.

The attackers breached the organization via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). The threat actors conducted post-exploitation activities eighteen days after initial access.

Recently, the Russian-speaking Qilin Ransomware group claimed responsibility for an attack on the Ministry of Foreign Affairs of Ukraine.

The group stated that it stole sensitive data such as private correspondence, personal information, and official decrees. The ransomware group declared that they had already sold some of the alleged stolen information to third parties.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Qilin ransomware)

Pierluigi Paganini July 12, 2025

McDonald’s job app exposes data of 64 Million applicants

Pierluigi Paganini July 11, 2025