| Category | Details |
|---|---|
| Threat Actors | Moonstone Sleet (aka Storm-1789), a North Korean state-sponsored APT group. |
| Campaign Overview | Active since early 2024, blends espionage and financial motives. Targets technology companies, financial institutions, cryptocurrency platforms, and software supply chains globally. |
| Target Regions | Global, with a focus on IT, defense sectors, and financial ecosystems. |
| Methodology | Sophisticated spear-phishing (fake job offers, collaboration requests), trojanized software (e.g., PuTTY), malicious npm packages, ransomware, and social engineering. |
| Product Targeted | PuTTY (trojanized versions), open-source npm packages, gaming software (e.g., DeTankWar). |
| Malware Reference | FakePenny ransomware, trojanized PuTTY, SplitLoader, malicious npm packages (e.g., “harthat-hash”). |
| Tools Used | Cobalt Strike, custom malware, modified legitimate tools (e.g., rundll32.exe). |
| Vulnerabilities Exploited | Open-source supply chain vulnerabilities (npm ecosystem), credential dumping via LSASS. |
| TTPs | Initial access via phishing and social engineering, persistence through registry changes, lateral movement exploiting remote services, data exfiltration, ransomware as a smokescreen for espionage. |
| Attribution | Linked to North Korea’s state cyber apparatus; overlaps with Diamond Sleet but distinct infrastructure. |
| Recommendations | Employ email/web filtering, EDR solutions, MFA, network segmentation, threat intelligence monitoring, phishing domain takedowns, and robust incident response plans. |
| Source | SOCRadar |
Read full article: https://socradar.io/dark-web-profile-moonstone-sleet/
Disclaimer: The above summary has been generated by an AI language model