Moonstone Sleet New North Korean Hacker Group With Unique Tricks

Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789).

This actor uses a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and cyberespionage objectives. 


Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver new custom ransomware. 

Moonstone Sleet uses tactics, techniques, and procedures (TTPs) also used by other North Korean threat actors over the last several years, highlighting the overlap among these groups. 

 All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

Technical analysis

While Moonstone Sleet initially had overlaps with Diamond Sleet, the threat actor shifted to its infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor.

Moonstone Sleet uses several stages of the malware delivery chain, starting with the distribution of trojanized PuTTY apps via social media and freelancing platforms.

Custom installers dropped by malicious PuTTY decrypt and execute a series of payloads that eventually become custom malware loaders.

Moonstone Sleet originally borrowed from Diamond Sleet but has now developed its infrastructure and methodologies, which it employs alongside known tradecrafts for Diamond Sleet’s concurrent operations. 

This wide-ranging campaign aims to support Moonstone Sleet’s financial and cyberespionage objectives through various activities, such as ransomware deployment, fraudulent businesses, and using IT workers.

Moonstone Sleet attack chain (Source - Microsoft)
Moonstone Sleet attack chain (Source – Microsoft)

One way this group operates is by distributing harmful NPM packages pretending to be coding test assignments for sham companies and a tank game called “DeTankWar,” which lures unsuspecting victims into believing they are interacting with blockchain developers who need funding or any other form of assistance. 

As an entry point, the malicious npm packages achieve the goal by introducing SplitLoader, while, as an entry point, the game spreads its infecting code. 

Moonstone Sleet creates an extensive public appearance comprising websites and social media profiles to validate its impersonation. 

GitHub’s cooperation with Microsoft in eradicating repositories related to this cluster’s malicious npm package delivery has indicated a shift towards gaming-related themes since February 2024.

Moonstone Sleet using CC Waterfall to email a link to their game (Source – Microsoft)

A persistent threat from Moonstone Sleet is driven by criminal and state-sponsored motivations, characterized by evolving tactics of blending cyber espionage with criminal activities. 

To steal data and intellectual property, Moonstone Sleet compromises organizations in various fields including the defense sector, technology, and education.


Here below we have mentioned all the recommendations:-

  • Leverage Microsoft Defender XDR for ransomware detection.
  • Enable controlled folder access and tamper protection.
  • Activate network protection in Microsoft Defender for Endpoint.
  • Implement credential hardening against theft techniques like LSASS access.
  • Run endpoint detection and response (EDR) in block mode.
  • Configure automated investigation and remediation mode.
  • Enable cloud-delivered protection for rapidly evolving threats.
  • Block executable files from email and enforce file restrictions.
  • Utilize advanced ransomware protection capabilities.
  • Prevent credential stealing from the local security authority subsystem.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.