| Category | Details |
|---|---|
Threat Actors | Moonstone Sleet (aka Storm-1789), a North Korean state-sponsored APT group. |
Campaign Overview | Active since early 2024, blends espionage and financial motives. Targets technology companies, financial institutions, cryptocurrency platforms, and software supply chains globally. |
Target Regions | Global, with a focus on IT, defense sectors, and financial ecosystems. |
Methodology | Sophisticated spear-phishing (fake job offers, collaboration requests), trojanized software (e.g., PuTTY), malicious npm packages, ransomware, and social engineering. |
Product Targeted | PuTTY (trojanized versions), open-source npm packages, gaming software (e.g., DeTankWar). |
Malware Reference | FakePenny ransomware, trojanized PuTTY, SplitLoader, malicious npm packages (e.g., “harthat-hash”). |
Tools Used | Cobalt Strike, custom malware, modified legitimate tools (e.g., rundll32.exe). |
Vulnerabilities Exploited | Open-source supply chain vulnerabilities (npm ecosystem), credential dumping via LSASS. |
TTPs | Initial access via phishing and social engineering, persistence through registry changes, lateral movement exploiting remote services, data exfiltration, ransomware as a smokescreen for espionage. |
Attribution | Linked to North Korea’s state cyber apparatus; overlaps with Diamond Sleet but distinct infrastructure. |
Recommendations | Employ email/web filtering, EDR solutions, MFA, network segmentation, threat intelligence monitoring, phishing domain takedowns, and robust incident response plans. |
Source | SOCRadar |
Read full article: https://socradar.io/dark-web-profile-moonstone-sleet/
Disclaimer: The above summary has been generated by an AI language model