A North Korean state-sponsored hacking group, tracked as Moonstone Sleet, has been deploying Qilin ransomware in a limited number of attacks since late February 2025. This marks the first instance of Moonstone Sleet leveraging ransomware developed by a Ransomware-as-a-Service (RaaS) operator instead of its custom-built payloads.
Previously known as Storm-1789, Moonstone Sleet initially shared operational tactics with other North Korean threat groups like Diamond Sleet and Onyx Sleet, reports BleepingComputer.
However, it has since developed its own attack strategies, including trojanised software such as PuTTY, custom malware loaders, malicious gaming applications, and compromised npm packages.
The group also employs fake software development firms, such as C.C. Waterfall and StarGlow Ventures, to lure victims through LinkedIn, freelancing platforms, Telegram, and email.
The Qilin ransomware gang, which emerged under the name ‘Agenda’ in August 2022, has claimed over 310 victims on its dark web leak site. Although initially dormant, its attacks peaked in late 2023 when affiliates began deploying a sophisticated Linux encryptor targeting VMware ESXi virtual machines.
Notable targets include automotive manufacturer Yangfeng, newspaper publisher Lee Enterprises, Australia’s Court Services Victoria, and pathology provider Synnovis. The attack on Synnovis led to severe disruptions in major NHS hospitals in London, resulting in the cancellation of hundreds of medical procedures.
Before using Qilin, Moonstone Sleet was linked to FakePenny ransomware, a custom variant deployed in May 2024. In one documented attack, the hackers demanded a ransom of $6.6 million in Bitcoin. This aligns with North Korea’s increasing reliance on cybercrime to fund its operations, particularly through ransomware campaigns.
This is not the first time North Korean-backed threat groups have engaged in ransomware operations. The infamous Lazarus Group was behind the devastating 2017 WannaCry ransomware outbreak, which crippled hundreds of thousands of computers worldwide. More recently, in July 2022, Microsoft and the FBI linked North Korean hackers to the Holy Ghost and Maui ransomware campaigns targeting healthcare organisations.