Connect with us

Hi, what are you looking for?



New North Korean Threat Actor Engaging in Espionage, Revenue Generation Attacks

Microsoft dives into the tactics, techniques, and procedures of North Korean threat actor Moonstone Sleet.

A new North Korean threat actor has been targeting education, defense industrial base, and software and IT organizations for espionage and revenue generation, Microsoft reports.

Tracked as Moonstone Sleet (formerly Storm-1789), the state-sponsored group has been combining tactics, techniques, and procedures (TTPs) employed by other North Korean threat actors with its unique methodologies, and has established itself as a well-resourced adversary.

“Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware,” Microsoft says.

When initially discovered, the group showed strong overlaps with Diamond Sleet (also known as Zinc), which is believed to be a sub-group of the notorious Lazarus, but has since moved to its own infrastructure, engaging in an expansive set of operations.

This year, Moonstone Sleet has been observed creating fake companies posing as software development and IT services organizations, including StarGlow Ventures and C.C. Waterfall, and pursuing employment in software development positions at legitimate companies.

Since August 2023, the threat actor has been using a trojanized version of PuTTY in attacks, the SplitLoader installer/dropper, malicious npm packages, a custom malicious tank game, the YouieLoad and SplitLoader malware loaders, and a custom ransomware called FakePenny.

To distribute its malicious payloads, Moonstone Sleet has been using applications such as LinkedIn and Telegram, as well as developer freelancing platforms or email.

The group has been investing numerous resources in building fake identities to support its malware delivery tactics, and used the fake companies to engage with potential targets.

Advertisement. Scroll to continue reading.

Moonstone Sleet’s malicious payloads were designed to perform network and user discovery and to collect data from browsers, and the group has also launched hands-on-keyboard commands to perform reconnaissance and credential theft.

In April 2024, the threat actor deployed the FakePenny ransomware against an organization compromised in February and demanded a 100 bitcoin (roughly $6.6 million) ransom. The ransom note closely resembled the one used in NotPetya attacks, Microsoft says.

In addition to individuals and organizations in the education, defense industrial base, and software and information technology sectors, the threat actor was also seen compromising a drone technology company and an aircraft parts manufacturer.

“Moonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives,” Microsoft points out.

Related: Woman Accused of Helping North Korean IT Workers Infiltrate Hundreds of US Firms

Related: US Says North Korean Hackers Exploiting Weak DMARC Settings

Related: South Korea Says Presumed North Korean Hackers Breached Personal Emails of Presidential Staffer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights