
Dark Web Profile: Moonstone Sleet

Threat Actors: Moonstone Sleet (aka Storm-1789), a North Korean state-sponsored APT group.

Campaign Overview: Active since early 2024, blends espionage and financial motives. Targets technology companies, financial institutions, cryptocurrency platforms, and software supply chains globally.

Target Regions: Global, with a focus on IT, defense sectors, and financial ecosystems.

Methodology: Sophisticated spear-phishing (fake job offers, collaboration requests), trojanized software (e.g., PuTTY), malicious npm packages, ransomware, and social engineering.

Product Targeted: PuTTY (trojanized versions), open-source npm packages, gaming software (e.g., DeTankWar).

Malware Reference: FakePenny ransomware, trojanized PuTTY, SplitLoader, malicious npm packages (e.g., "harthat-hash").

Tools Used: Cobalt Strike, custom malware, modified legitimate tools (e.g., rundll32.exe).

Vulnerabilities Exploited: Open-source supply chain vulnerabilities (npm ecosystem), credential dumping via LSASS.

TTPs: Initial access via phishing and social engineering, persistence through registry changes, lateral movement exploiting remote services, data exfiltration, ransomware as a smokescreen for espionage.

Attribution: Linked to North Korea's state cyber apparatus; overlaps with Diamond Sleet but distinct infrastructure.

Recommendations: Employ email/web filtering, EDR solutions, MFA, network segmentation, threat intelligence monitoring, phishing domain takedowns, and robust incident response plans.

Source: SOCRadar
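As an added example (not code from the SOCRadar article), the following Python check scans an npm package-lock.json, in both the v1 nested format and the v2/v3 path-keyed format, for the malicious package name the profile cites ("harthat-hash"); the sample lockfile, the denylist set and the helper names are constructed for illustration.

```python
"""Check an npm lockfile for package names on a denylist.

Added example, not from the SOCRadar profile: the only denylisted name is
"harthat-hash", the malicious npm package the profile cites. The sample
lockfile and helper names below are constructed.
"""
import json

# Package names the profile associates with Moonstone Sleet's npm activity.
DENYLIST = {"harthat-hash"}


def iter_lock_packages(lock):
    """Yield (name, version) for every entry in a package-lock.json.

    Handles lockfileVersion 1 ("dependencies", nested) and 2/3 ("packages",
    keyed by path such as "node_modules/a/node_modules/b").
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    stack = list(lock.get("dependencies", {}).items())
    while stack:  # v1 lockfiles nest transitive deps under each entry
        name, meta = stack.pop()
        yield name, meta.get("version", "")
        stack.extend(meta.get("dependencies", {}).items())


def find_denylisted(lock_text, denylist=DENYLIST):
    """Return sorted, de-duplicated (name, version) pairs that hit the denylist."""
    lock = json.loads(lock_text)
    return sorted({(n, v) for n, v in iter_lock_packages(lock) if n in denylist})


# Constructed sample: a v3 lockfile where the bad package is a transitive dependency.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/harthat-hash": {"version": "0.1.0"},
    },
})

if __name__ == "__main__":
    for name, version in find_denylisted(SAMPLE_LOCK):
        print(f"denylisted package found: {name}@{version}")
```

Run it against a real lockfile by reading the file contents into find_denylisted; the check catches the package even when it is pulled in transitively rather than listed in package.json.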

Read full article: https://socradar.io/dark-web-profile-moonstone-sleet/

Disclaimer: The above summary has been generated by an AI language model
