
Microsoft Exposes ‘Moonstone Sleet’ Espionage-Financial APT

Post on X from DetankZone advertising the malicious game

Microsoft Uncovers North Korean Group’s Cyber Espionage and Financial Attacks

Microsoft researchers have uncovered a North Korean cyber group, dubbed Moonstone Sleet, that conducts espionage and financial cyberattacks across sectors including aerospace, education, and software. Initially mirroring another DPRK threat group, Diamond Sleet, in malware and tactics, Moonstone Sleet has since developed its own distinct methods and infrastructure. Unlike other North Korean groups that focus on either espionage or financial theft, Moonstone Sleet engages in both, employing tactics that range from fake job offers and custom ransomware to fully functional fake video games to target victims.

Adam Gavish, co-founder and CEO of DoControl, highlighted Moonstone Sleet’s alarming capability to blend traditional cybercrime tactics with nation-state actor methodologies, which complicates defense efforts. The group notably exploits trusted platforms such as LinkedIn and Telegram, alongside developer freelancing websites, to lure victims under the guise of legitimate company engagements. From January to April, Moonstone Sleet masqueraded as “StarGlow Ventures,” targeting thousands of entities within the software and education sectors with phishing emails. Another ruse involved a fake company, C.C. Waterfall, promoting a community-driven, play-to-earn tank combat game named DeTankWar, which serves as a vehicle to download malicious payloads.

Moonstone Sleet’s strategies also extend to attempts at securing remote tech employment within real companies, spreading malicious npm packages, and deploying its own ransomware, FakePenny. Against such multifaceted threats, experts like Gavish and Microsoft advocate a multi-layered security posture encompassing endpoint protection, network monitoring, and threat hunting to detect and respond to these activities, underscoring the need for a dynamic, holistic approach to cybersecurity.
