Qilin Ransomware - A Ransomware Linked to the APT Group Moonstone Sleet

Just a SOC Analyst ^^
Microsoft has observed Moonstone Sleet, a North Korea-linked APT group, deploying Qilin ransomware in attacks since February 2025. The group commonly uses double extortion: it steals the victim's data before encrypting it, then threatens to publish the stolen data if the ransom is not paid.
What is Qilin Ransomware?
Qilin, also known as Agenda, is a ransomware-as-a-service (RaaS) operation: the ransomware and its supporting infrastructure are rented or sold to affiliates, who use them to break into organizations, encrypt their data, and demand a ransom. The group has been active since 2022 and has carried out numerous attacks on large organizations worldwide.
Since its launch in October 2022, Qilin has been used against victims including news agencies, automotive component manufacturers, and even court services in Australia. Most notably, it hit Synnovis, a pathology services provider to NHS hospitals in the UK.
Microsoft first profiled Moonstone Sleet (formerly tracked as Storm-1789) in May 2024; the Qilin deployments came later, as noted above. The group's objectives are both financial gain and cyber espionage. It spreads malware through trojanized software and games, and uses fake companies such as StarGlow Ventures and C.C. Waterfall to approach victims on LinkedIn, freelance job sites, Telegram, and email.
Infection Method

Figure 1. Attack Process of Moonstone Sleet Campaign
Based on the attack diagram in Figure 1, Moonstone Sleet uses a multi-stage process to deliver malware, establish a foothold on the target system, and run code fetched from its command and control (C2) server.
1. Initial Stage - Victim Approach
Attackers approach victims through messaging apps and freelancer websites.
Their goal is to get the victim to download a ZIP file containing a trojanized build of PuTTY together with a text file (url.txt) holding an IP address and a password.
2. Infiltration Stage - Initial Malware Execution
When the victim enters the IP address and password from url.txt into PuTTY, the trojanized putty.exe runs its hidden code.
The trojanized PuTTY decrypts, decompresses, and executes the embedded SplitLoader installer payload, starting the next stage of the attack.
3. Deployment Stage - Backdoor Installation
The SplitLoader installer/dropper decrypts and decompresses the next payload (the SplitLoader DLL).
At the same time, the installer drops two malicious files onto disk for the following steps.
SplitLoader is launched through a scheduled task or a registry Run key, giving the malware persistence across reboots and logons.
4. Additional Malware Loading Stage
SplitLoader decrypts, decompresses, and combines the two files dropped in the previous stage into an executable PE file.
This stage lets the attackers stage more capable malware on the target system.
5. C2 Connection Stage - System Control
The trojan loader then downloads, decompresses, and executes a PE file from the command and control (C2) infrastructure.
From this point the attackers control the system and can deploy additional payloads such as ransomware or espionage tools.
IOCs Related to Qilin Ransomware
File hashes
| Hash | Type |
| --- | --- |
| 73b1fffd35d3a72775e0ac4c836e70efefa0930551a2f813843bdfb32df4579a | SHA256 |
| afe7b70b5d92a38fb222ec93c51b907b823a64daf56ef106523bc7acc1442e38 | SHA256 |
| dd50d1f39c851a3c1fce8abdf4ed84d7dca2b7bc19c1bc3c483c7fc3b8e9ab79 | SHA256 |
| e4cbee73bb41a3c7efc9b86a58495c5703f08d4b36df849c5bebc046d4681b70 | SHA256 |
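As an added illustration (not code from the original post, from Microsoft, or from FPT), the script below correlates Sysmon-style events to flag the behaviours in the infection chain described above: putty.exe running from a user-writable folder, PuTTY spawning a child process, and a scheduled task or registry Run key written by a process descended from PuTTY. It also matches the SHA256 in process-creation events against the IOC hashes listed above. The event lines are constructed for this example, the ProcessGuids are shortened placeholders, and the "user-writable path" pattern and the rule that PuTTY should not launch children are detection heuristics assumed here, not facts stated in the post.

```python
"""Added example (not the post's, Microsoft's or FPT's code): correlate
Sysmon-style events to flag the trojanized-PuTTY chain and match process
hashes against the IOC list. Field names follow Sysmon; sample events are
constructed for this illustration."""
import json
import re

# SHA256 IOCs taken from the list above
IOC_SHA256 = {
    "73b1fffd35d3a72775e0ac4c836e70efefa0930551a2f813843bdfb32df4579a",
    "afe7b70b5d92a38fb222ec93c51b907b823a64daf56ef106523bc7acc1442e38",
    "dd50d1f39c851a3c1fce8abdf4ed84d7dca2b7bc19c1bc3c483c7fc3b8e9ab79",
    "e4cbee73bb41a3c7efc9b86a58495c5703f08d4b36df849c5bebc046d4681b70",
}

# Heuristic (assumption): a real PuTTY install does not run from Downloads or Temp
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

# Constructed Sysmon-style events as JSON lines (ProcessGuids shortened for readability).
# {A1}: putty.exe from the victim's Downloads folder, {A2}: its child (the dropper),
# {A3}: schtasks spawned by the dropper, {A4}: a later loader started by the task,
# {B1}: a legitimate PuTTY from Program Files that must not alert.
SAMPLE_LOG = r"""
{"EventID":1,"ProcessGuid":"{A1}","ParentProcessGuid":"{E0}","Image":"C:\\Users\\dev\\Downloads\\putty\\putty.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"putty.exe","Hashes":"SHA256=1111111111111111111111111111111111111111111111111111111111111111"}
{"EventID":1,"ProcessGuid":"{A2}","ParentProcessGuid":"{A1}","Image":"C:\\Users\\dev\\AppData\\Local\\Temp\\setup.exe","ParentImage":"C:\\Users\\dev\\Downloads\\putty\\putty.exe","CommandLine":"setup.exe","Hashes":"SHA256=2222222222222222222222222222222222222222222222222222222222222222"}
{"EventID":11,"ProcessGuid":"{A2}","Image":"C:\\Users\\dev\\AppData\\Local\\Temp\\setup.exe","TargetFilename":"C:\\Users\\dev\\AppData\\Local\\Temp\\part1.dat"}
{"EventID":13,"ProcessGuid":"{A2}","Image":"C:\\Users\\dev\\AppData\\Local\\Temp\\setup.exe","TargetObject":"HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"C:\\Users\\dev\\AppData\\Local\\Temp\\loader.exe"}
{"EventID":1,"ProcessGuid":"{A3}","ParentProcessGuid":"{A2}","Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Users\\dev\\AppData\\Local\\Temp\\setup.exe","CommandLine":"schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\dev\\AppData\\Local\\Temp\\loader.exe","Hashes":"SHA256=3333333333333333333333333333333333333333333333333333333333333333"}
{"EventID":1,"ProcessGuid":"{A4}","ParentProcessGuid":"{S1}","Image":"C:\\Users\\dev\\AppData\\Local\\Temp\\loader.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"loader.exe","Hashes":"SHA256=73b1fffd35d3a72775e0ac4c836e70efefa0930551a2f813843bdfb32df4579a"}
{"EventID":1,"ProcessGuid":"{B1}","ParentProcessGuid":"{E0}","Image":"C:\\Program Files\\PuTTY\\putty.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"putty.exe","Hashes":"SHA256=4444444444444444444444444444444444444444444444444444444444444444"}
"""


def parse_events(log_text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def sha256_of(event):
    """Extract the SHA256 from Sysmon's 'Hashes' field (e.g. 'SHA256=...,MD5=...')."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part[len("SHA256="):].lower()
    return None


def in_putty_tree(guid, parents, images):
    """True if any ancestor of `guid` (following ParentProcessGuid) is putty.exe."""
    seen = set()
    while guid in parents and guid not in seen:
        seen.add(guid)
        guid = parents[guid]
        if basename(images.get(guid, "")) == "putty.exe":
            return True
    return False


def detect(events):
    """Return (rule, detail) alerts for the behaviours in the infection chain."""
    parents = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    images = {e["ProcessGuid"]: e["Image"] for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        guid, image = e["ProcessGuid"], e.get("Image", "")
        if e["EventID"] == 1:
            # Stage 2: PuTTY unpacked from the ZIP runs from a user-writable folder
            if basename(image) == "putty.exe" and USER_WRITABLE.search(image):
                alerts.append(("putty_from_user_writable_path", image))
            # Stage 2->3: PuTTY has no normal reason to launch child processes
            if basename(e["ParentImage"]) == "putty.exe":
                alerts.append(("putty_spawned_child", image))
            # Stage 3: scheduled-task persistence created from inside the PuTTY tree
            if (basename(image) == "schtasks.exe" and "/create" in e["CommandLine"].lower()
                    and in_putty_tree(guid, parents, images)):
                alerts.append(("scheduled_task_from_putty_tree", e["CommandLine"]))
            # Known-bad hash from the IOC list, regardless of process ancestry
            if sha256_of(e) in IOC_SHA256:
                alerts.append(("ioc_hash_match", image))
        elif (e["EventID"] == 13 and RUN_KEY.search(e.get("TargetObject", ""))
                and in_putty_tree(guid, parents, images)):
            # Stage 3: Run-key persistence written by a process in the PuTTY tree
            alerts.append(("run_key_from_putty_tree", e["TargetObject"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {detail}")
```

On the constructed sample this raises five alerts (the Downloads-folder PuTTY, its child dropper, the Run key, the schtasks /create, and the loader whose hash is on the IOC list) and stays silent on the Program Files PuTTY. The hash rule fires on the loader even though its parent is svchost.exe rather than PuTTY, which is the point of keeping a hash match alongside the behavioural rules: once the task has been created, later stages no longer sit under the PuTTY process tree. Baseline the child-process rule in your own environment before acting on it, and treat the path pattern as a starting point rather than a complete list of user-writable locations.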
Recommendations
FPT Threat Intelligence recommends that organizations and individuals take the following measures against this campaign:
Secure Data Backup: Keep offline backups and test restores regularly so data can be recovered if it is encrypted. Backups restore availability but do not prevent the data-leak half of double extortion.
System Updates: Apply security patches promptly to close vulnerabilities attackers could exploit.
Access Management: Grant users only the privileges they need and segment the network to limit lateral movement.
Account Security: Use strong, unique passwords and enable multi-factor authentication (MFA) to protect credentials.
Data Encryption: Encrypt sensitive data so that it is harder to exploit if it is stolen or leaked.
Attack Surface Reduction: Disable unneeded services and features to reduce opportunities for exploitation.
Security Awareness Training: Teach employees about the lures used in this campaign, such as job offers and software sent through LinkedIn, freelance sites, Telegram, and email, and about not running binaries from untrusted archives.