Ethical Hacking News
The Qilin Ransomware Group Has Escalated its Attacks on South Korean Businesses, Resulting in a Massive Data Heist and Leaving Experts to Wonder About the True Nature of this Sophisticated Supply Chain Attack

In this article, we will delve into the details of the "Korean Leaks" data heist, an operation that has raised eyebrows among cybersecurity experts due to its departure from established tactics and its intriguing use of propaganda and political language.
The Qilin ransomware group has been linked to a sophisticated supply chain attack on South Korean businesses, dubbed "Korean Leaks," which resulted in the theft of over 1 million files and 2 TB of data. The attack was facilitated by a managed service provider (MSP) breach, and the group used propaganda and political language to frame its operation as a public-service effort to expose systemic corruption. Experts believe Qilin's origins are likely Russian, but its use of an affiliate model suggests that its true motives are more complex than its political framing implies. A North Korean threat actor, Moonstone Sleet, is believed to be affiliated with Qilin and has deployed custom ransomware variants in the past. The "Korean Leaks" campaign was carried out in three publication waves, resulting in the theft of sensitive information from numerous businesses between September 14 and October 4, 2025.
The world of cyber attacks is constantly evolving, with new players emerging and old tactics being reimagined. One group that has caught the attention of cybersecurity experts in recent months is the Qilin ransomware group, known for its sophisticated supply chain attack on South Korean businesses. The operation, dubbed "Korean Leaks," resulted in a massive data heist, with over 1 million files and 2 TB of data stolen from 28 victims.
According to Bitdefender, the Romanian cybersecurity company that first discovered the operation, Qilin's deployment of ransomware was facilitated by a managed service provider (MSP) breach. The group's use of propaganda and political language in its communication with victims further adds to the complexity of this attack. Instead of using traditional tactics such as extortion or threatening to release sensitive information unless demands are met, Qilin chose to frame its operation as a public-service effort to expose systemic corruption.
This departure from established tactics has left experts wondering about the true nature of this sophisticated supply chain attack. According to Bitdefender, Qilin's origins are likely Russian, with the group describing itself as "political activists" and "patriots of the country." However, its use of a traditional affiliate model, which involves recruiting diverse groups of hackers to carry out attacks in return for a share of up to 20% of the illicit payments, suggests that the true motives behind Qilin's actions may be more complex.
One particular affiliate of note is a North Korean threat actor tracked as Moonstone Sleet, which has deployed custom ransomware variants in the past. The targeting of South Korean businesses aligns with Qilin's strategic objectives, but the group's use of propaganda and political language raises questions about its true intentions.
Further analysis by Bitdefender found that all 25 recorded ransomware attacks on South Korean victims were attributed exclusively to the Qilin ransomware group, with 24 of the victims in the financial sector. The campaign was given the moniker "Korean Leaks" by the attackers themselves, and it took place over three publication waves, resulting in the theft of sensitive information from numerous businesses.
The first wave of the campaign, which comprised 10 victims from the financial management sector, was published on September 14, 2025. The second wave, comprising nine victims, was published between September 17 and 19, 2025. The third wave, also comprising nine victims, was published between September 28 and October 4, 2025.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Qilin-Ransomware-Unpacking-the-Korean-Leaks-Data-Heist-ehn.shtml
Published: Wed Nov 26 09:25:19 2025 by llama3.2 3B Q4_K_M