The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS
2025-11-24 • Bitdefender
Bitdefender identifies a sudden ransomware spike in South Korea, where Qilin claimed 25 victims in one month and concentrated almost entirely on financial services, especially asset management firms. The Korean Leaks campaign involved 33 total victims, 28 publicly listed, with some documented cases confirming more than 1 million stolen files and 2 TB of data. The report frames Qilin as a Russian-speaking RaaS operation while noting that Moonstone Sleet, a North Korea-linked group, had reportedly joined as a Qilin affiliate in early 2025, making its role in the campaign plausible but not proven. Political messaging in leak-site posts, including one pre-campaign reference to information being prepared for Kim Jong-un, adds DPRK-relevant context to a financially disruptive extortion campaign against South Korea’s financial sector.