Threat Actor Profile - Moonstone Sleet
- CyberForce|Q
- Feb 19
- 2 min read
Moonstone Sleet is a North Korea-based threat actor with close ties to related groups such as Diamond Sleet, Jade Sleet, and Onyx Sleet. It has differentiated itself by running multiple operations at once, built on persistent social engineering, and by going as far as developing a functional fake game (DeTankWar, also seen as DeFiTankWar, DeTankZone, and TankWarsZone) to serve as a vehicle for malware delivery. Moonstone Sleet has conducted highly targeted social engineering campaigns against software development and aerospace manufacturing companies, and has also targeted educational institutions, in order to exfiltrate data of interest to the North Korean government. Its malicious payloads impersonate legitimate software as a means of compromising victim devices and conducting further reconnaissance within the target environment.
THREAT ACTOR STRATEGIC SUMMARY
Tracked Aliases | Storm-1789
Geolocation | North Korea
Primary Motivation | Nation-state sponsored espionage with a secondary financial objective
Primary Targets | Education, Software Development, Government, Aerospace Manufacturing
Affiliated Groups | Diamond Sleet, Lazarus Group
Initial Activation | August 2023
THREAT ACTOR TACTICAL SUMMARY
Initial Access | Social engineering that delivers malware loaders posing as legitimate software, such as a trojanized PuTTY installer or an indie game
Malware Deployment | Loaders posing as legitimate files use curl to retrieve and deploy payloads such as SplitLoader and YouieLoad for further compromise, or ransomware such as FakePenny
Lateral Movement | Limited; when observed, typically carried out with compromised valid accounts
Impact | Both espionage and conventional ransomware deployment for financial gain have been observed
THREAT ACTOR IOCs
A commonly observed tactic of Moonstone Sleet is to create fake companies and reach out to targets directly, using the relationship to deliver malware through social engineering. The fake companies are usually themed around trending topics such as blockchain or AI, and come with custom domains, social media accounts, and even employee personas to add legitimacy. Once a target runs the lure, Moonstone Sleet uses loaders such as SplitLoader and YouieLoad to run payloads in memory as malicious services on the compromised device, giving the actor remote access and the ability to collect and exfiltrate data.
SPLITLOADER
File Hashes
39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5
YOUIELOAD
File Hashes
cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24
9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1
09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38
70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab526 (63 hex characters as published; a SHA-256 is 64, so verify this value against the original source before deploying it)
MALICIOUS PUTTY
File Hashes
cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb
f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc5 (63 hex characters as published; a SHA-256 is 64, so verify this value against the original source before deploying it)
MALICIOUS DOMAINS
Fake Businesses
ccwaterfall[.]com
chaingrown[.]com
detankwar[.]com
starglowventures[.]com
matrixane[.]com
Organizations should block the domains above at DNS and web proxy, hunt for the listed file hashes across endpoints, and keep devices patched. Since this actor's initial access relies on social engineering (trojanized PuTTY and game installers delivered through fake companies) rather than an exploited vulnerability, staff awareness of unsolicited business or recruiting outreach matters as much as patching.
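As an added example that is not part of the original profile, the following Python script loads the IOCs listed above into a usable form and checks constructed sample data against them: it refangs the defanged domains, sets aside any hash that is not a full 64 hex characters (two of the published values are 63), matches hostnames by domain suffix rather than substring, and reports hits from a constructed DNS log and a constructed file-hash inventory. The log lines and file paths are made up for illustration.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# IOC values transcribed from this profile. SHA-256 values are lowercased; domains are kept defanged.
IOC_HASHES = {
    "SplitLoader": [
        "39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5",
    ],
    "YouieLoad": [
        "cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24",
        "9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1",
        "09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38",
        "70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab526",  # 63 chars as published
    ],
    "Malicious PuTTY": [
        "cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb",
        "f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc5",  # 63 chars as published
    ],
}
IOC_DOMAINS = ["ccwaterfall[.]com", "chaingrown[.]com", "detankwar[.]com",
               "starglowventures[.]com", "matrixane[.]com"]

SHA256_RE = re.compile(r"[0-9a-f]{64}")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'detankwar[.]com' back into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def load_hash_iocs(table: Dict[str, List[str]]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ({sha256: family}, [(family, malformed_value)]).

    Anything that is not exactly 64 hex characters is set aside rather than loaded:
    a truncated hash can never match and would only give a false sense of coverage.
    """
    lookup, malformed = {}, []
    for family, hashes in table.items():
        for h in hashes:
            h = h.strip().lower()
            if SHA256_RE.fullmatch(h):
                lookup[h] = family
            else:
                malformed.append((family, h))
    return lookup, malformed


def domain_hit(hostname: str, ioc_domains: List[str]) -> Optional[str]:
    """Match the IOC domain itself or any subdomain of it (www.detankwar.com), but not
    a hostname that merely contains it (chaingrown.com.internal.example)."""
    host = hostname.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_dns_log(lines: List[str], ioc_domains: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, matched_ioc_domain) for every log line referencing an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HOST_RE.findall(line):
            d = domain_hit(token, ioc_domains)
            if d:
                hits.append((n, d))
                break
    return hits


def scan_file_hashes(file_hashes: Dict[str, str], lookup: Dict[str, str]) -> List[Tuple[str, str]]:
    """file_hashes maps path -> sha256 (any case). Returns [(path, malware_family)] for matches."""
    return [(p, lookup[h.lower()]) for p, h in file_hashes.items() if h.lower() in lookup]


# Constructed sample data (not real telemetry): a DNS query log and a file-hash inventory.
SAMPLE_DNS_LOG = [
    "2024-05-28T10:01:12Z 10.0.0.5 query A www.detankwar.com",
    "2024-05-28T10:01:13Z 10.0.0.5 query A login.microsoftonline.com",
    "2024-05-28T10:02:40Z 10.0.0.9 query A starglowventures.com",
    "2024-05-28T10:03:01Z 10.0.0.9 query A chaingrown.com.internal.example",  # suffix rule: no match
]
SAMPLE_FILE_HASHES = {
    r"C:\Users\dev\Downloads\putty.exe": "CB97EC024C04150AD419D1AF2D1EB66B5C48AB5F345409D9D791DB574981A3FB",
    r"C:\Users\dev\Documents\notes.txt": hashlib.sha256(b"constructed benign content").hexdigest(),
}


def triage() -> Dict[str, object]:
    """Run both scans over the constructed samples and return the findings."""
    lookup, malformed = load_hash_iocs(IOC_HASHES)
    domains = [refang(d) for d in IOC_DOMAINS]
    return {
        "malformed_hashes": malformed,
        "dns_hits": scan_dns_log(SAMPLE_DNS_LOG, domains),
        "file_hits": scan_file_hashes(SAMPLE_FILE_HASHES, lookup),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The suffix rule in domain_hit is the part worth keeping when adapting this to real logs: matching on substring would flag unrelated hostnames that happen to contain an IOC domain, while matching only on exact equality would miss subdomains the actor can create at will.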
How can CyberForce|Q services help you address this risk?
Our team can assist your organization with the next steps for securing your environment. Reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.