Microsoft identifies Moonstone Sleet, formerly Storm-1789, as a distinct North Korean state-aligned actor pursuing financial and espionage objectives. The actor shifted from Diamond Sleet overlaps to its own infrastructure and uses fake companies, job or developer outreach, trojanized PuTTY and npm projects, IT-worker activity, a malicious tank game called DeTankWar/DeFiTankWar, and custom ransomware. The PuTTY chain decrypts staged payloads through SplitLoader, while the npm and game campaigns deliver additional malware or support contact with targets through sites such as detankwar[.]com and defitankzone[.]com. Microsoft says the activity shows a well-resourced DPRK actor combining familiar North Korean tradecraft with bespoke infrastructure and multiple overlapping campaigns.