Unmasking Moonstone Sleet: A New North Korean Cyber Threat

In the ever-evolving landscape of cybersecurity, a new player has emerged from the shadows: Moonstone Sleet, a North Korean threat actor. This group has been linked to sophisticated cyber attacks targeting various sectors, including software and IT, education, and the defense industrial base, using ransomware and bespoke malware reminiscent of the notorious Lazarus Group.

The Rise of Moonstone Sleet

According to the Microsoft Threat Intelligence team, Moonstone Sleet employs a range of deceptive tactics to engage potential victims. These include setting up fake companies and job opportunities, using trojanized versions of legitimate tools, creating malicious games, and deploying custom ransomware.

“Moonstone Sleet sets up fake companies and job opportunities to engage with targets, employs trojanized versions of legitimate tools, creates malicious games, and delivers custom ransomware,” Microsoft revealed in a recent analysis.

Initially tracked under the moniker Storm-1789, Moonstone Sleet is believed to be state-aligned, sharing tactics and infrastructure with the Lazarus Group before establishing its unique identity.

Sophisticated Attack Techniques

One of the key similarities between Moonstone Sleet and Lazarus is the reuse of code from known malware like Comebacker. This malware was first seen in January 2021 targeting security researchers and has been used by Lazarus as recently as February, embedded within seemingly benign Python and npm packages to establish contact with command-and-control (C2) servers.

Moonstone Sleet has also been known to pursue software development positions at legitimate companies, likely to generate illicit revenue or gain covert access to organizations. A notable tactic observed in August 2023 involved the use of a modified version of PuTTY, a tactic previously adopted by Lazarus in Operation Dream Job, delivered through LinkedIn and Telegram as well as freelancing platforms.

Often, targets received a .ZIP archive containing a trojanized version of putty.exe and a file with an IP address and password. If the provided credentials were entered into the PuTTY application, it would decrypt and execute an embedded payload.

Expanding Arsenal

Moonstone Sleet’s attack sequences also involve malicious npm packages delivered through LinkedIn or freelancing websites. These packages connect to actor-controlled IP addresses, dropping payloads or facilitating credential theft from the Windows Local Security Authority Subsystem Service (LSASS) process. This tactic has been linked to campaigns previously documented by Palo Alto Networks as Contagious Interview and tracked by Microsoft as Storm-1877.

Additionally, rogue npm packages have been used by another North Korean group, Jade Sleet, in the JumpCloud hack last year. Since February 2024, Moonstone Sleet has also used a malicious tank game, DeTankWar, distributed via email or messaging platforms. The group sets up fake websites and accounts on social media platforms to lend legitimacy to their campaigns.

In one instance, Moonstone Sleet used a fake company called C.C. Waterfall to contact targets, presenting the game as a blockchain-related project and offering collaboration opportunities with a download link included in the email.

Evolution of Tactics

The purported game, “delfi-tank-unity.exe,” is fitted with a malware loader called YouieLoad, capable of loading next-stage payloads in memory and creating malicious services for network and user discovery and browser data collection. Another fake company, StarGlow Ventures, was created by Moonstone Sleet for social engineering campaigns, masquerading as a legitimate software development company.

The campaign, which spanned from January to April 2024, included emails with tracking pixels to determine which recipients engaged with the messages, potentially for future revenue generation opportunities.

The Ransomware Threat

Moonstone Sleet’s latest tool is a custom ransomware variant called FakePenny, deployed against a defense technology company in April 2024 with a $6.6 million ransom demand in Bitcoin. The use of ransomware is a tactic straight out of Andariel’s playbook, another Lazarus sub-group known for ransomware families like H0lyGh0st and Maui.

Staying Vigilant

Given the diverse and evolving tactics of Moonstone Sleet, it’s crucial for organizations to adopt necessary security measures to defend against such attacks. Microsoft urges software companies to be vigilant against supply chain attacks, a favored strategy of North Korean hacking groups.

“Moonstone Sleet’s diverse tactics are notable for their effectiveness and evolution from other North Korean threat actors to meet cyber objectives,” Microsoft stated.

The disclosure follows South Korea’s accusation that the Lazarus Group stole 1,014 gigabytes of data and documents, including personal and financial records, from a court network between January 2021 and February 2023.

Stay Informed

Found this article interesting? Follow us on Facebook and LinkedIn for more exclusive content.


By creating awareness about the emerging threat of Moonstone Sleet, we can better prepare and protect against these sophisticated cyber attacks. Stay informed, stay secure, and stay one step ahead of cyber threats with CybrogenIT.

Leave a Reply

Your email address will not be published. Required fields are marked *