Microsoft: North Korean Hackers Join Qilin Ransomware Gang

In a recent development, Microsoft has revealed that North Korean hackers affiliated with the Moonstone Sleet group have begun deploying Qilin ransomware payloads in a limited number of attacks. This marks a significant shift for Moonstone Sleet, which was previously known to use only custom ransomware developed by the group itself.

Microsoft's threat intelligence experts have been tracking Moonstone Sleet since late February 2025 and have observed the group deploying Qilin ransomware at a limited number of organizations. This represents a departure from its previous tactics, which relied on custom malware loaders, trojanized software, and other tools to pursue financial and cyberespionage targets.

The Qilin ransomware gang, which emerged under the "Agenda" name in August 2022, has claimed over 300 victims on its dark web leak site. However, the Ransomware-as-a-Service (RaaS) operation was relatively inactive until attacks peaked towards the end of 2023.

In December 2023, Qilin affiliates began deploying one of the most advanced Linux encryptors to target VMware ESXi virtual machines. Since then, BleepingComputer has seen ransom demands ranging from $25,000 to millions, depending on the victims' size. The latest targets have included automotive giant Yangfeng, American newspaper publisher Lee Enterprises, and pathology services provider Synnovis.

The Synnovis attack led to an outage that impacted several major NHS hospitals in London, forcing them to cancel hundreds of operations and appointments. In May 2024, Microsoft also linked Moonstone Sleet to a custom FakePenny ransomware variant. After a successful FakePenny ransomware attack, the North Korean hackers were observed demanding a ransom of $6.6 million in BTC.

Moonstone Sleet is not the first North Korean-backed threat group linked to ransomware attacks in recent years. In May 2017, the U.S. and U.K. governments blamed the Lazarus Group for the WannaCry ransomware outbreak, which brought down hundreds of thousands of computers worldwide.

Years later, in July 2022, Microsoft and the FBI linked North Korean hackers to the Holy Ghost ransomware operation and Maui ransomware attacks targeting healthcare organizations.

In another development, US charges have been filed against operators of cryptomixers linked to ransomware gangs. Additionally, a malvertising campaign has impacted over 1 million PCs, and a ransomware gang encrypted a network from a webcam to bypass EDR (Endpoint Detection and Response) systems.