The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS
TL;DR The "Korean Leaks" campaign showcases a sophisticated supply chain attack against South Korea's financial sector. This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet) leveraging Managed Service Provider (MSP) compromise as the initial access vector.
When preparing data for the Bitdefender Threat Debrief | October 2025, we noticed a significant departure from established ransomware trends. The top-five most impacted countries are consistently the US, Canada, and major Western European nations. However, for this period, South Korea (KR) suddenly became the second most-targeted country, with 25 victims claimed in a single month.
Monthly count of ransomware victims in South Korea (September 2024 – September 2025), highlighting the unusual spike in September 2025
This anomaly prompted an immediate investigation. Our initial analysis quickly revealed that the entire surge was attributed exclusively to the Qilin ransomware group. We also observed a high …