ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Moonstone Sleet

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Moonstone Sleet

NamesMoonstone Sleet (Microsoft)
Storm-1789 (Microsoft)
Stressed Pungsan (Datadog Security Research)
CountryNorth Korea North Korea
MotivationInformation theft and espionage, Financial gain
First seen2023
Description(Microsoft) Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet (Lazarus Group, Hidden Cobra, Labyrinth Chollima), extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.

Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.
Observed
Tools used
Operations performedJul 2024Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access
<https://securitylabs.datadoghq.com/articles/stressed-pungsan-dprk-aligned-threat-actor-leverages-npm-for-initial-access/>
Aug 2024North Korea Still Attacking Developers via npm
<https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/>
Information<https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/>
<https://checkmarx.com/blog/a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem/>

Last change to this card: 23 October 2024

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]