Moonstone Sleet

Description

(Microsoft) Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet (Lazarus Group, Hidden Cobra, Labyrinth Chollima), extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.

Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.

Names

Name               Name-Giver
Moonstone Sleet    Microsoft
Storm-1789         Microsoft
Stressed Pungsan   Datadog Security Research

Country

Motivation

  • Information theft and espionage
  • Financial gain

First Seen

2023

Operations

Information

Other Information

Uuid

30664418-5b20-40ce-8554-d1fb27cd21e7

Last Card Change

2025-04-21