Cybersecurity researchers have identified a sophisticated ransomware campaign attributed to a North Korean threat actor dubbed “Moonstone Sleet.”
The group has deployed an advanced custom ransomware strain targeting financial institutions and cryptocurrency exchanges across Southeast Asia and Europe, demonstrating evolving technical capabilities and evasion techniques not previously observed in North Korean cyber operations.
Moonstone Sleet, believed to operate under the umbrella of North Korea’s Reconnaissance General Bureau, has developed a multi-stage infection chain that begins with targeted spear-phishing emails containing seemingly benign PDF attachments.
These documents exploit a previously undisclosed vulnerability in widely used PDF readers to run a fileless loader that establishes persistence through Windows Registry modifications.
The chain evades traditional detection by relying on living-off-the-land techniques and encrypted channels to retrieve the final ransomware payload.
The campaign was first detected in late February 2025 when a financial institution in Singapore reported anomalous network traffic patterns and encrypted systems.
Subsequent investigation revealed that similar attacks had compromised at least seven other organizations across Thailand, Vietnam, Germany, and the United Kingdom, with total ransom demands exceeding $17 million in cryptocurrency.
Unlike previous North Korean ransomware operations, Moonstone Sleet demonstrates a sophisticated understanding of enterprise security architectures and implements countermeasures specifically designed to bypass modern endpoint protection platforms.
Microsoft researchers note that Moonstone Sleet has invested significant resources in custom obfuscation techniques to conceal its code.
Attack Chain
The ransomware uses a two-stage encryption process that makes recovery particularly difficult for victims.
Analysis of the malware revealed an unusual ChaCha20 implementation combined with a custom key-exchange protocol that uses compromised domain controllers to distribute keys.
Forensic analysis of the malware's command module yielded the following code fragment, which shows how it attempts to escalate privileges by abusing the auto-elevating CMSTPLUA COM interface, a known UAC bypass:
import ctypes
import comtypes

def escalate_privileges():
    # Already running as administrator? Nothing to do.
    if ctypes.windll.shell32.IsUserAnAdmin() == 0:
        # Attempt UAC bypass through the auto-elevating CMSTPLUA COM server
        CLSID_CMSTPLUA = '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
        IID_IElevatedFactoryServer = '{30adc50c-5cbc-46ce-9a0e-d4585e5c5164}'
        try:
            # Out-of-process activation: the server is hosted in its own
            # surrogate process rather than loaded into this one
            elevation_service = comtypes.CoCreateInstance(
                comtypes.GUID(CLSID_CMSTPLUA),
                interface=comtypes.GUID(IID_IElevatedFactoryServer),
                clsctx=comtypes.CLSCTX_LOCAL_SERVER,
            )
            # Ask the elevated server to instantiate the scriptlet factory
            # (CLSID_ScriptletFactory is defined elsewhere in the sample) and
            # run the stage-2 payload through it with the server's privileges
            elevated_moniker = elevation_service.ServerCreateElevatedObject(
                comtypes.GUID(CLSID_ScriptletFactory)
            )
            elevated_moniker.ExecuteCommand(get_stage2_payload())
            return True
        except Exception:
            # Fall back to the sample's other escalation techniques
            return attempt_alternate_escalation()
    return True
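The activation in that fragment has an observable side on the endpoint, and the following added detection example (not code from the sample or from Microsoft) shows how to hunt for it in process-creation telemetry. CMSTPLUA is registered to run in a DLL surrogate, so Windows hosts it as dllhost.exe with the argument /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}; legitimate use of that surrogate does not spawn shells or script hosts, so any child of it is worth review. The log lines are constructed Sysmon Event ID 1 records, not real telemetry, and the severity tiers are this example's own choice.

```python
import json

# CLSID from the fragment above; the surrogate's command line carries it verbatim.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# Child images that should never hang off the CMSTPLUA surrogate (example list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "python.exe"}

# Constructed Sysmon Event ID 1 (process creation) records, one JSON object per line.
SAMPLE_LOG = r'''
{"EventID":1,"Image":"C:\\Windows\\System32\\dllhost.exe","CommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}","IntegrityLevel":"High","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe","IntegrityLevel":"High","ParentImage":"C:\\Windows\\System32\\dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe","IntegrityLevel":"Medium","ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE"}
{"EventID":1,"Image":"C:\\Windows\\System32\\dllhost.exe","CommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}","IntegrityLevel":"Medium","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe","IntegrityLevel":"High","ParentImage":"C:\\Windows\\System32\\dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{3e5fc7f9-9a51-4367-9063-a120244fbec7}"}
'''


def is_cmstplua_surrogate(command_line):
    """True if a command line is the dllhost.exe surrogate hosting CMSTPLUA (case-insensitive)."""
    cl = command_line.lower()
    return "dllhost.exe" in cl and CMSTPLUA_CLSID.lower() in cl


def detect_cmstplua_bypass(log_text):
    """Return one alert per process whose parent is the CMSTPLUA surrogate."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        if not is_cmstplua_surrogate(ev.get("ParentCommandLine", "")):
            continue
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        alerts.append({
            # Interpreters and LOLBins under this parent are near-certain abuse;
            # anything else still merits review because the parent never spawns.
            "severity": "high" if child in INTERPRETERS else "medium",
            "child": child,
            "integrity": ev.get("IntegrityLevel"),
            "command_line": ev.get("CommandLine"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cmstplua_bypass(SAMPLE_LOG):
        print(alert)
```

Sysmon logs the parent's command line only when the parent was created while Sysmon was running, so pair this with a rule on Event ID 1 for dllhost.exe itself carrying that CLSID, which catches the activation even when the child record lacks parent detail.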
The ransomware communicates with command and control servers through a custom protocol that mimics legitimate HTTPS traffic, but embeds commands within seemingly normal web requests.
Network defenders have identified several command and control servers hosted on compromised infrastructure across Eastern Europe and Southeast Asia, with traffic routed through multiple proxies to obscure the attackers’ true location.
The infrastructure demonstrates sophisticated operational security measures including rapid server rotation and geofenced access controls that trigger self-destruction if accessed from unauthorized IP ranges.
Attribution to North Korea stems from code similarities with previously documented DPRK operations, shared command infrastructure with known North Korean campaigns, and targeting patterns consistent with Pyongyang’s financial motivations.
Additionally, the ransomware contains timing checks that prevent execution during working hours in the UTC+9 time zone, a common trait in North Korean malware.
Organizations are advised to implement robust email filtering, maintain regular offline backups, deploy application control, and monitor for the indicators of compromise that security vendors have begun distributing through standard threat-intelligence channels.