Moonstone Sleet
Also known as: Storm-1789
Overview
Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.
Targets
Government · Private sector
Regions
Australia · Bangladesh · Bangladesh Bank · Brazil · Canada · China · Cryptocurrency exchanges in South Korea · France · Germany · Guatemala · Hong Kong · India · Japan · Sony Pictures Entertainment · South Korea · Thailand · United Kingdom · United States
Capabilities
- Supply-chain compromise — ATT&CK T1195.002
TTPs — 30 techniques across 10 tactics
Reconnaissance
- T1589.002 Email Addresses
- T1591 Gather Victim Org Information
- T1598 Phishing for Information
- T1598.003 Spearphishing Link
Resource Development
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1587 Develop Capabilities
- T1587.001 Malware
- T1608.001 Upload Malware
Initial Access
- T1195.002 Compromise Software Supply Chain
- T1566.001 Spearphishing Attachment
- T1566.003 Spearphishing via Service
Execution
- T1053.005 Scheduled Task
- T1204.002 Malicious File
- T1569.002 Service Execution
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1027 Obfuscated Files or Information
- T1027.009 Embedded Payloads
- T1027.013 Encrypted/Encoded File
- T1140 Deobfuscate/Decode Files or Information
Credential Access
- T1003.001 LSASS Memory
Discovery
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Impact
Tools & malware (1)
Qilin
Reporting (1)
- Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks — Microsoft Threat Intelligence