Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

North Korea-linked APT Moonstone used Qilin ransomware in limited attacks

Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks. Microsoft observed a North Korea-linked APT group, tracked as Moonstone Sleet, deploying Qilin ransomware in limited attacks since February 2025. The APT group uses Qilin ransomware after previously using custom ransomware. “Moonstone Sleet has previously exclusively […]

Moonstone Sleet APT Qilin ransomware

Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks.

Microsoft observed a North Korea-linked APT group, tracked as Moonstone Sleet, deploying Qilin ransomware in limited attacks since February 2025. The APT group uses Qilin ransomware after previously using custom ransomware.

“Moonstone Sleet has previously exclusively deployed their own custom ransomware in their attacks, and this represents the first instance they are deploying ransomware developed by a RaaS operator.” Microsoft wrote on X.

In May 2024, Microsoft observed the North Korea-linked group “Moonstone Sleet” (Previously tracked as Storm-1789) using known and novel techniques like fake companies, trojanized tools, a malicious game, and custom ransomware for financial gain and espionage.

Storm-1789, initially linked to other North Korean threat groups, has since adopted unique tactics, tools, and attack infrastructure.

Moonstone Sleet threat actors target financial and cyberespionage victims using trojanized software, custom malware, malicious games, and fake companies like StarGlow Ventures and C.C. Waterfall to engage victims on LinkedIn, freelancing sites, Telegram, and email.

Moonstone Sleet APT

The APT group has also spread malware via a fraudulent tank game (DeTankWar) and engaged in ransomware attacks using FakePenny. Additionally, they attempt to infiltrate organizations by posing as software developers seeking employment.

The Qilin ransomware group has been active since at least 2022 but gained attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group typically employs “double extortion,” stealing and encrypting victims’ data, then threatening to expose it unless a ransom is paid. In July 2024, Sophos’ Incident Response team observed Qilin’s activity on a domain controller within an organization’s Active Directory domain, with other domain controllers also infected but impacted differently.

The attackers breached the organization via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). The threat actors conducted post-exploitation activities eighteen days after initial access.

Recently, the Russian-speaking Qilin Ransomware group claimed responsibility for an attack on the Ministry of Foreign Affairs of Ukraine.

The group stated that it stole sensitive data such as private correspondence, personal information, and official decrees. The ransomware group declared that they had already sold some of the alleged stolen information to third parties.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Qilin ransomware)