Moonstone Sleet
Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]
| Name | Description |
|---|---|
| Storm-1789 | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Moonstone Sleet registered domains to develop effective personas for fake companies used in phishing activity.[1] |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Moonstone Sleet registered virtual private servers to host payloads for download.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.[1] |

…