In April 2024, Microsoft observed Moonstone Sleet deploying FakePenny, a custom ransomware loader and encryptor, against a company the actor had previously compromised in February. Microsoft assessed the deployment as financially motivated and significant because it was the first observed ransomware use by Moonstone Sleet, a distinct North Korean state-aligned actor that also uses fake companies, job or developer outreach, trojanized PuTTY and npm projects, IT-worker activity, and malicious game-themed lures.