Moonstone Sleet

2024-08-26 MITRE

https://attack.mitre.org/groups/G1036/

MITRE identifies Moonstone Sleet as a North Korean-linked threat actor conducting both financially motivated operations and espionage, with earlier overlap with Lazarus Group before its tradecraft diverged in 2023. The group uses fake companies, personas, email accounts, and social media accounts to interact with victims, gather organizational and email information, and support phishing activity. Its delivery methods include spearphishing attachments, spearphishing via services, tracking links, malicious npm packages, trojanized software such as PuTTY, and a malware delivery mechanism masquerading as a functioning game. Documented tooling and behaviors include YouieLoader and SplitLoader service creation, browser and system discovery, encrypted or embedded payload staging, credential retrieval from LSASS, registry run keys, scheduled tasks, and final payload downloads from adversary-controlled infrastructure. The ATT&CK mapping matters because it distinguishes Moonstone Sleet’s post-2023 techniques from broader Lazarus-linked activity while preserving the DPRK attribution context.