Moonstone Sleet, a threat actor attributed to North Korea, has recently been observed deploying Qilin ransomware in a limited number of attacks conducted since February 2025.
Moonstone Sleet is using social media apps, like Telegram and LinkedIn, as well as email communications, to interact with both financial and cyber espionage targets.
The targets are then tricked into downloading and installing trojanized software, games, malware loaders, and NPM packages that provide Moonstone Sleet with the initial access it leverages to ultimately deploy Qilin ransomware.
Moonstone Sleet was previously known to deploy its own custom ransomware. These attacks are the first time the group has been observed deploying payloads offered by a Ransomware-as-a-Service (RaaS) like Qilin.
Besides these attacks, the Qilin RaaS has been relatively inactive since December 2023 when its affiliates were observed deploying an advanced Linux encryptor designed to target VMware ESXi virtual machines.
Source: Bleeping Computer
Analysis
While this may be the first time that Moonstone Sleet has relied on a RaaS to encrypt target systems in the hopes of securing a ransom payment, other North Korean threat actors have previously been observed collaborating with a RaaS.
For example, in October 2024, the deployment of Play ransomware was observed shortly after North Korea’s Reconnaissance General Bureau (RGB), codenamed Andariel or Jumpy Pisces, gained initial access to a target and deployed a bespoke backdoor called Dtrack. This infiltration was immediately followed by the deployment of Play ransomware via the same compromised user account.
It’s unclear whether Andariel deployed the Play ransomware themselves, or whether they acted as an initial access broker and simply sold their access to a Play affiliate who subsequently used it to deploy the ransomware. Regardless, there appears to be a trend of North Korean cyber actors either collaborating with RaaS operators or directly using the ransomware those operators provide.
North Korea-linked threat actors have been known to dabble with ransomware. One of the most famous incidents was the WannaCry ransomware campaign launched in 2017. This attack spread quickly across networks using an exploit originally developed by the U.S. National Security Agency (NSA) and later leaked by the hacking group Shadow Brokers. The malware encrypted users' files and demanded ransom payments in Bitcoin for decryption.
WannaCry infected over 200,000 computers in 150 countries, severely impacting industries, healthcare systems (notably the NHS in the UK), and governmental agencies, before it was effectively stopped by a skilled cybersecurity researcher who discovered a “kill switch” in the ransomware’s code. The attack was later attributed to the North Korea-linked actor called Lazarus, which the U.S. and other Western intelligence agencies believe executed the attack to generate revenue for the regime.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat groups such as Moonstone Sleet. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
While defending against ransomware attacks may seem intimidating at first, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Back up your data
Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored separately from the operational network so that they are not encrypted during an attack and can therefore be used to restore affected devices.
Update and patch software
Regular patching, updating, and maintenance helps protect against, or eliminate, known cybersecurity vulnerabilities in IT systems and is one of the most important steps you can take to improve your security.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.
Secure IoT Devices
It is imperative for organizations to ensure that IoT devices are secured and monitored alongside traditional endpoints. Implementing network segmentation, conducting regular vulnerability assessments, and extending EDR coverage to a wider array of devices are essential steps in mitigating sophisticated attack vectors.
Develop a culture of cybersecurity
Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Cybersecurity solutions like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.