Moonstone Sleet deploying Qilin ransomware at a limited number of orgs
Since late February 2025, Microsoft has observed Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of orgs. Qilin is a ransomware as a service (RaaS) payload used by multiple threat actors, both state-sponsored and cybercriminal groups.
Moonstone Sleet has previously deployed only their own custom ransomware in their attacks; this is the first instance of the actor deploying ransomware developed by a RaaS operator.
Moonstone Sleet is known for combining many techniques successfully used by other North Korean threat actors as well as unique attack methodologies to target organizations for their financial and cyberespionage objectives. https://msft.it/6019qHZqx