North Korea-linked APT Moonstone Used Qilin Ransomware in Limited Attacks
In a recent report, Microsoft researchers revealed that a North Korea-linked Advanced Persistent Threat (APT) group tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks since February 2025. The discovery sheds light on the evolving tactics and techniques used by this highly sophisticated threat actor.
Moonstone Sleet is a previously unknown APT group that Microsoft has been tracking for some time. This latest development, however, marks the first instance in which the group has deployed ransomware developed by a third-party ransomware-as-a-service (RaaS) operator; in its earlier attacks, Moonstone Sleet used custom-built ransomware.
Microsoft observed that Moonstone Sleet has employed Qilin ransomware in limited attacks since February 2025. Moving to a third-party ransomware family after relying on custom ransomware represents a significant shift in the group's tactics and highlights the adaptability of this threat actor.
In May 2024, Microsoft observed Moonstone Sleet adopting both known and novel techniques to pursue financial gain and espionage. These included fake companies, trojanized tools, a malicious game, and custom ransomware. The group's approach was distinctive and demonstrated its ability to evolve and adapt to new environments.
Moonstone Sleet targets victims for financial gain and cyberespionage using trojanized software, custom malware, malicious games, and fake companies such as StarGlow Ventures and C.C. Waterfall. The group engages potential victims on LinkedIn, freelancing sites, Telegram, and email, often posing as a legitimate entity to gain trust.
The group has also spread malware via a fraudulent tank game (DeTankWar) and employed FakePenny for ransomware attacks. Moreover, they attempt to infiltrate organizations by pretending to be software developers seeking employment. This level of sophistication and deception underscores the threat posed by Moonstone Sleet.
The Qilin ransomware group has been active since at least 2022 but gained significant attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group typically employs "double extortion," stealing and encrypting victims' data before threatening to expose it unless a ransom is paid.
In July 2024, Sophos’ Incident Response team observed Qilin's activity on a domain controller within an organization’s Active Directory domain, with other domain controllers also infected but impacted differently. The attackers breached the organization via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).
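The Sophos case above turned on a VPN portal that accepted valid credentials without a second factor. A small audit of VPN authentication logs that surfaces successful logins with no MFA step is one way a defender can spot such exposed accounts before credentials are abused. The script below is an added example, not code from the article, Microsoft or Sophos; the log format (timestamp, user=, src=, result=, mfa=) and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample VPN portal authentication log lines (not from the article).
# Assumed format for this example: <timestamp> user=<name> src=<ip> result=<success|failure> mfa=<method|none>
SAMPLE_LOG = """\
2024-07-01T08:12:03Z user=jdoe src=203.0.113.10 result=success mfa=totp
2024-07-01T09:44:51Z user=svc-backup src=198.51.100.7 result=success mfa=none
2024-07-02T02:17:20Z user=asmith src=192.0.2.55 result=failure mfa=none
2024-07-02T02:18:02Z user=asmith src=192.0.2.55 result=success mfa=none
2024-07-03T11:05:44Z user=jdoe src=203.0.113.10 result=success mfa=totp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_logins_without_mfa(log_text):
    """Return every successful login that completed no MFA step, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than failing the whole audit
        if rec["result"] == "success" and rec["mfa"] == "none":
            findings.append(rec)
    return findings


def accounts_without_mfa(log_text):
    """Map each account seen logging in without MFA to the sorted list of source IPs it used."""
    acct = defaultdict(set)
    for rec in find_logins_without_mfa(log_text):
        acct[rec["user"]].add(rec["src"])
    return {user: sorted(ips) for user, ips in acct.items()}


if __name__ == "__main__":
    for rec in find_logins_without_mfa(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['user']} from {rec['src']}: successful login with no MFA")
    print(accounts_without_mfa(SAMPLE_LOG))
```

Against the constructed sample the audit flags two logins, for the service account svc-backup and for asmith, the latter immediately after a failed attempt from the same address. In practice the account list is the actionable output: those are the accounts on which MFA must be enforced, and a successful no-MFA login following failures is worth an immediate look.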
The threat actors conducted post-exploitation activities eighteen days after initial access, demonstrating their persistence and cunning. Recently, the Russian-speaking Qilin Ransomware group claimed responsibility for an attack on the Ministry of Foreign Affairs of Ukraine.
The group stated that they stole sensitive data such as private correspondence, personal information, and official decrees. They also declared that they had already sold some of the alleged stolen information to third parties.