Ethical Hacking News

North Korean Hackers Join Ransomware Gangs: The Rise of Moonstone Sleet and Qilin



North Korean hackers have joined forces with ransomware gangs, with Moonstone Sleet collaborating with Qilin to target victims worldwide. This development marks a significant escalation in the threat landscape, as North Korean-backed groups continue to expand their reach into the world of cybercrime. Learn more about this emerging threat and how you can protect yourself against it.

  • Moonstone Sleet, a North Korean hacking group, has joined forces with ransomware gang Qilin.
  • The collaboration marks a significant escalation in the threat landscape and represents a shift for Moonstone Sleet from using its own custom ransomware to deploying third-party RaaS.
  • Qilin ransomware payloads have claimed over 300 victims on the dark web, with demands ranging from $25,000 to millions.
  • The attack on Lee Enterprises resulted in an NHS hospital outage affecting hundreds of operations and appointments.
  • The collaboration between Moonstone Sleet and Qilin raises questions about the level of coordination between North Korean-backed threat groups.



Microsoft has recently revealed that a North Korean hacking group, tracked as Moonstone Sleet, has joined forces with a ransomware gang known as Qilin. This development marks a significant escalation in the threat landscape, as North Korean-backed groups continue to expand their reach into the world of cybercrime.

According to Microsoft's threat intelligence experts, Moonstone Sleet has been deploying Qilin ransomware payloads at a limited number of organizations since late February 2025. This represents a significant shift for the group, which was previously known for exclusively deploying its own custom ransomware in its attacks. The fact that Moonstone Sleet is now using ransomware developed by a third-party RaaS (Ransomware-as-a-Service) operator marks a new chapter in the evolution of North Korean-backed threat groups.

Moonstone Sleet's activity initially overlapped with that of other North Korean attackers, such as Diamond Sleet and Onyx Sleet. However, it has since developed its own tactics, custom tooling, and attack infrastructure. The group's approach now involves using trojanized software, custom malware loaders, malicious games, and npm packages to interact with potential victims on various platforms.

One of the most notable examples of Moonstone Sleet's new approach is the deployment of Qilin ransomware payloads. Since its emergence in August 2022 under the "Agenda" name, Qilin has claimed over 300 victims on its dark web leak site. However, the RaaS operation was barely active until attacks peaked towards the end of 2023. In December 2023, Qilin affiliates began deploying one of the most advanced Linux encryptors to target VMware ESXi virtual machines.

Qilin ransom demands have ranged from $25,000 to millions, depending on the victim's size. The group has claimed over 310 victims since its emergence, including automotive giant Yanfeng, American newspaper publisher Lee Enterprises, Australia's Court Services Victoria, and pathology services provider Synnovis. One notable incident involving Qilin occurred when the group attacked Lee Enterprises, resulting in an outage that impacted several major NHS hospitals in London.

The attack forced these hospitals to cancel hundreds of operations and appointments. This incident highlights the potential impact of Qilin ransomware attacks on critical infrastructure and public health services.

Moonstone Sleet's collaboration with Qilin also raises questions about the level of coordination between North Korean-backed threat groups. In May 2024, Microsoft linked Moonstone Sleet to a custom FakePenny ransomware variant. After a successful FakePenny ransomware attack, the group was observed demanding a ransom of $6.6 million in BTC.

This incident is one of several in which North Korean hackers have been linked to ransomware attacks. In May 2017, the U.S. and U.K. governments blamed the Lazarus Group for the WannaCry ransomware outbreak, which brought down hundreds of thousands of computers worldwide. Years later, in July 2022, Microsoft and the FBI linked North Korean hackers to the Holy Ghost ransomware operation and to Maui ransomware attacks targeting healthcare organizations.

The involvement of Moonstone Sleet and Qilin in these high-profile incidents underscores the growing threat posed by North Korean-backed groups in the world of cybercrime. As these groups continue to evolve and expand their reach, it is essential for cybersecurity professionals and individuals to remain vigilant and take steps to protect themselves against potential attacks.

In conclusion, the collaboration between Moonstone Sleet and Qilin marks a significant escalation in the threat landscape. As North Korean-backed threat groups continue to adapt and evolve, it is crucial that we stay informed about the latest developments and take proactive measures to safeguard ourselves against these emerging threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Join-Ransomware-Gangs-The-Rise-of-Moonstone-Sleet-and-Qilin-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/microsoft-north-korean-hackers-now-deploying-qilin-ransomware/
  • https://www.linkedin.com/posts/microsoft-threat-intelligence_since-late-february-2025-microsoft-has-observed-activity-7303505954291994624-1W2t
  • https://attack.mitre.org/groups/G1036/
  • https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
  • https://en.wikipedia.org/wiki/Qilin_(cybercrime_group)

Published: Fri Mar 7 09:14:17 2025 by llama3.2 3B Q4_K_M