Microsoft has identified a new North Korean threat actor named Moonstone Sleet [2] [3] [4], previously tracked as Storm-1789 [2] [3] [4] [5] [7], that is linked to cyber espionage and ransomware attacks carried out in support of the North Korean regime [4].


This well-resourced group has been active since at least early August 2023 and has targeted sectors such as software, information technology [5], education [1] [2] [5] [7], and the defense industrial base, using a combination of traditional techniques and novel attack methods [5]. Moonstone Sleet shares tactics [1] [2] [4] [5] [6] [7], techniques [1] [2] [4] [5], and procedures with other North Korean threat actors [2] [4] [6], particularly Diamond Sleet [4] [6]; it initially reused code and techniques from Diamond Sleet malware such as Comebacker [4]. Moonstone Sleet has since built its own infrastructure and developed its own methods for carrying out attacks [4]. The group has created fake companies [5], distributed trojanized software [5], and developed malicious games to lure victims, both for financial gain and for cyber espionage [5]. It has also deployed custom ransomware named FakePenny [5], demanding a ransom of $6.6 million in Bitcoin from a company it had previously compromised [5]. Organizations are urged to exercise heightened vigilance against social engineering and to implement robust cybersecurity measures to defend against this evolving threat from North Korean cyber actors. Moonstone Sleet has been observed sending emails containing a link to the DeTankWar game [6], potentially to generate revenue or to gain access to targeted organizations [6]. Microsoft has published recommendations and tools that organizations can use to defend against or detect Moonstone Sleet activity [6].


Organizations must remain vigilant against the threat posed by Moonstone Sleet and other North Korean cyber actors. Implementing robust cybersecurity measures and staying informed about the latest tactics and techniques these threat actors use is crucial to defending against their attacks. Organizations should take proactive steps to protect their systems and data from potential breaches and the financial losses that follow.