North Korean Hackers Team Up with Qilin Ransomware Gang, Microsoft Reports
On March 7, 2025, Microsoft revealed that a North Korean hacking group, tracked as Moonstone Sleet, has recently begun deploying payloads from the notorious Qilin ransomware gang in a series of targeted attacks. This development, reported by BleepingComputer, marks a significant shift in tactics for the state-sponsored group, blending cyberespionage with financially motivated ransomware operations.
Moonstone Sleet’s Sophisticated Tactics
Moonstone Sleet, previously known for its espionage-driven campaigns, has been observed using a variety of deceptive methods to infiltrate targets. According to Microsoft, the group employs trojanized software (like a malicious version of PuTTY), custom malware loaders, and even fake software development companies to lure victims. These sham entities, such as C.C. Waterfall and StarGlow Ventures, engage potential targets via platforms like LinkedIn, freelancing networks, Telegram, and email, often posing as legitimate businesses to deliver their malicious payloads.
The group’s latest move into ransomware deployment suggests a dual-purpose strategy: gathering sensitive intelligence while also generating revenue through extortion. While the use of Qilin ransomware has so far been limited in scope, it underscores Moonstone Sleet’s adaptability and growing threat profile.
Qilin Ransomware: A Growing Menace
The Qilin ransomware gang, which first emerged in August 2022 under the name Agenda, has quickly risen to prominence in the cybercrime world. With over 300 victims listed on its dark web leak site, the group has demonstrated its ability to target organizations across various sectors. Its collaboration with Moonstone Sleet highlights a troubling trend of state-sponsored actors partnering with criminal enterprises, amplifying the potential damage of their attacks.
A History of North Korean Cyber Threats
North Korea has long been associated with high-profile cyberattacks. Microsoft and the FBI previously linked the nation’s hackers to the devastating WannaCry outbreak in 2017, as well as the Holy Ghost and Maui ransomware campaigns targeting healthcare organizations. Moonstone Sleet’s adoption of Qilin ransomware builds on this legacy, blending financial gain with the regime’s broader geopolitical objectives.
What This Means for Cybersecurity
The convergence of state-backed hackers and ransomware gangs like Qilin poses a significant challenge for defenders. Organizations must remain vigilant against sophisticated social engineering tactics and ensure robust security measures—like endpoint protection and employee training—are in place to counter these evolving threats.
As of now, the full extent of Moonstone Sleet’s Qilin-powered attacks remains unclear, but this development serves as a stark reminder of the persistent and multifaceted dangers in today’s cybersecurity landscape.
Source: BleepingComputer