Moonstone Sleet, one of the more prominent North Korean state-sponsored hacking groups, has reportedly deployed the Qilin ransomware payload in recent attacks.
According to Microsoft, the group has been distributing Qilin ransomware at several organisations since last month.
This is a notable shift. Until now the group had only deployed custom, in-house ransomware, so this marks the first time it has been observed using a payload supplied by a Ransomware-as-a-Service (RaaS) operator.
The group, previously tracked as Storm-1789, initially overlapped in activity with other North Korean actors such as Onyx Sleet and Diamond Sleet, but has since developed its own tradecraft, tooling and attack infrastructure.
Moonstone Sleet draws on whatever approach best serves a given campaign.
Its operators use trojanised software, custom malware loaders, malicious games and npm packages, and fake software development companies to engage potential victims.
The most common channels for first contact are LinkedIn, freelancing platforms, Telegram and email.
The Qilin ransomware gang, for its part, first appeared in August 2022 under the name "Agenda" and has since listed more than 310 victims on its dark web leak site. Its Ransomware-as-a-Service (RaaS) operation remained relatively quiet until its attacks increased sharply a couple of years ago.
In December 2023, Qilin affiliates began deploying one of the more advanced Linux encryptors for VMware ESXi virtual machines; encrypting at the hypervisor level lets an affiliate take down every virtual machine on a host in a single operation. Researchers have noted that Qilin's ransom demands range from around $25,000 to millions of dollars, depending on the size of the victim organisation.
Victims claimed on its leak site include automotive supplier Yanfeng, American newspaper publisher Lee Enterprises, Australia's Court Services Victoria and pathology services provider Synnovis.
Moonstone Sleet is not the only North Korean state-sponsored group to have been linked to ransomware operations in recent years, and it is common for North Korean threat groups to share one another's tooling in the course of an attack.
Researchers expect this cooperation to continue and the pool of victims to grow. Because Moonstone Sleet's lures arrive through the recruitment, freelancing and developer channels described above, organisations should treat unsolicited job offers, "test projects" and unfamiliar npm packages from those channels as potential initial access, in addition to the usual hardening against ransomware.
