Microsoft says a North Korean hacking group tracked as Moonstone Sleet has deployed Qilin ransomware payloads in a limited number of recent attacks. Previously tracked as Storm-1789, this threat group's activity initially overlapped with other North Korean attackers like Diamond Sleet and Onyx Sleet.

Microsoft says Moonstone Sleet hackers are targeting both financial and cyberespionage targets using trojanized software (e.g., PuTTY), custom malware loaders, malicious games and npm packages, and fake software development companies (e.g., C.C. Waterfall, StarGlow Ventures) set up to interact with potential victims on LinkedIn, various freelancing networks, Telegram, or via email.

Moonstone Sleet is not the first North Korean-backed threat group linked to ransomware attacks in recent years. Years later, in July 2022, Microsoft and the FBI linked North Korean hackers to the Holy Ghost ransomware operation and Maui ransomware attacks targeting healthcare orgs. In May 2024, Microsoft also linked Moonstone Sleet to a custom FakePenny ransomware variant. After a successful FakePenny ransomware attack, the North Korean hackers were observed asking for a ransom demand of $6.6 million in BTC.

Since it surfaced in August 2022 under the "Agenda" name, the Qilin ransomware gang has claimed over 300 victims on its dark web leak site. Qilin has claimed over 310 victims since it emerged, including automotive giant Yangfeng, American newspaper publisher Lee Enterprises, Australia's Court Services Victoria, and pathology services provider Synnovis.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 07 Mar 2025 12:15:08 +0000