# Qilin Ransomware - A Ransomware Linked to the APT Group Moonstone Sleet

Microsoft has observed a North Korea-linked APT group, tracked as Moonstone Sleet, deploying Qilin ransomware in attacks since February 2025. The group often uses a double extortion method: it steals and encrypts victim data, then threatens to disclose the stolen data if the ransom is not paid.

# **What is Qilin Ransomware?**

Qilin, also known as Agenda, is a ransomware-as-a-service (RaaS) operation: the ransomware is rented or sold to affiliates, who use it to infiltrate organizations, encrypt their data, and demand a ransom. The group has been active since 2022 and has carried out numerous attacks on large organizations worldwide.

Since its launch in October 2022, Qilin has been used to attack various victims such as news agencies, automotive component manufacturers, and even court services in Australia. Most notably, it attacked Synnovis, a healthcare service provider for the UK government.

In May 2024, Microsoft discovered that the group "Moonstone Sleet" (formerly tracked as Storm-1789) was using Qilin ransomware in its attack campaigns. The group's objectives are financial gain as well as cyber espionage. It distributes malware through malicious software and games, and uses fake companies such as StarGlow Ventures and C.C. Waterfall to deceive victims on LinkedIn, freelance job sites, Telegram, and email.

# **Infection Method**

![Attack process of the Moonstone Sleet campaign](https://i0.wp.com/securityaffairs.com/wp-content/uploads/2025/03/image-17.png?ssl=1)

*Figure 1. Attack Process of Moonstone Sleet Campaign*

As the diagram in Figure 1 shows, **Moonstone Sleet** uses a multi-stage attack process to spread malware, infiltrate target systems, and execute code fetched from its command and control (C2) server.

### **1\. Initial Stage - Victim Approach**

* Attackers use messaging apps and freelancer websites to approach victims.
* Their goal is to trick victims into downloading a ZIP file containing a trojanized PuTTY build along with a text file (**url.txt**).

### **2\. Infiltration Stage - Initial Malware Execution**

* When victims enter the IP address and password from **url.txt** into PuTTY, the trojanized **putty.exe** executes its malicious code.
* The **trojanized PuTTY** decrypts, decompresses, and executes the **SplitLoader installer** payload, starting the next stage of the attack.

### **3\. Deployment Stage - Backdoor Installation**

* The **SplitLoader installer/dropper** decrypts and decompresses the next payload (the **SplitLoader DLL**).
* At the same time, the installer drops **two malicious files** onto the drive for use in subsequent steps.
* **SplitLoader is executed** through a **scheduled task** or a **registry Run key**, which gives the malware persistence on the system.

### **4\. Additional Malware Loading Stage**

* **SplitLoader** decrypts, decompresses, and combines the two files dropped onto the drive in the previous stage to build an executable **PE file**.
* This stage allows the attackers to deploy more capable malware onto the target system.

### **5\. C2 Connection Stage - System Control**

* The **trojan loader** downloads, decompresses, and executes a PE file fetched from the command and control server (**C2 infrastructure**).
* Once it runs, the attackers have full control of the target system and can deploy additional malware such as ransomware or espionage tools.
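The persistence step in the chain above (SplitLoader started from a scheduled task or Run key after the trojanized PuTTY has run) is something a defender can hunt for in endpoint telemetry: legitimate PuTTY never establishes persistence, so a Run-key write or a `schtasks /create` anywhere beneath `putty.exe` in the process tree is a strong signal. The script below is an added example, not code from the report or from Microsoft; the Sysmon-like event field names, file paths, and sample events are assumptions constructed for the demonstration.

```python
import re
# Persistence indicators named in the report: a Run key write or a scheduled task.
SUSPECT_ROOT = "putty.exe"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)

def build_parents(events):
    """Map pid -> (ppid, image basename) from process-creation events."""
    parents = {}
    for ev in events:
        if ev["type"] == "process_create":
            parents[ev["pid"]] = (ev["ppid"], ev["image"].rsplit("\\", 1)[-1].lower())
    return parents

def descends_from(pid, root_image, parents):
    """True if pid or any of its ancestors is the process root_image."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        ppid, image = parents[pid]
        if image == root_image:
            return True
        pid = ppid
    return False

def hunt_putty_persistence(events):
    """Return (pid, technique) for persistence set up by a descendant of putty.exe."""
    parents = build_parents(events)
    alerts = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["target"]):
            technique = "run_key"
        elif ev["type"] == "process_create" and SCHTASKS_RE.search(ev["cmdline"]):
            technique = "scheduled_task"
        else:
            continue
        if descends_from(ev["pid"], SUSPECT_ROOT, parents):
            alerts.append((ev["pid"], technique))
    return alerts
# Constructed sample telemetry (assumed Sysmon-like fields; not real logs from the campaign).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 10, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 20, "ppid": 10, "image": "C:\\Users\\u\\Downloads\\putty.exe", "cmdline": "putty.exe"},
    {"type": "process_create", "pid": 30, "ppid": 20, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\installer.exe", "cmdline": "installer.exe"},
    {"type": "registry_set", "pid": 30, "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "process_create", "pid": 31, "ppid": 30, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe"},
    # Benign control: an admin creating a task from a shell unrelated to PuTTY.
    {"type": "process_create", "pid": 40, "ppid": 10, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process_create", "pid": 41, "ppid": 40, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /sc daily /tn Backup /tr backup.bat"},
]
```

Running `hunt_putty_persistence(SAMPLE_EVENTS)` flags the Run-key write by pid 30 and the scheduled task created by pid 31, while the administrator's task from pid 41 is ignored because nothing in its ancestry is PuTTY.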

# **IOCs Related to Qilin Ransomware**

## File hashes

| Hash | Type |
| --- | --- |
| 73b1fffd35d3a72775e0ac4c836e70efefa0930551a2f813843bdfb32df4579a | SHA256 |
| afe7b70b5d92a38fb222ec93c51b907b823a64daf56ef106523bc7acc1442e38 | SHA256 |
| dd50d1f39c851a3c1fce8abdf4ed84d7dca2b7bc19c1bc3c483c7fc3b8e9ab79 | SHA256 |
| e4cbee73bb41a3c7efc9b86a58495c5703f08d4b36df849c5bebc046d4681b70 | SHA256 |

# **Recommendations**

**FPT Threat Intelligence** recommends organizations and individuals take several measures to prevent this attack campaign:

* **Secure Data Backup**: Keep offline backups so that data can be recovered after an encryption event.
* **System Updates**: Apply the latest security patches promptly to close vulnerabilities that attackers can exploit.
* **Access Management**: Limit user access rights and apply network segmentation to prevent lateral movement by attackers.
* **Account Security**: Use strong, unique passwords and enable multi-factor authentication (MFA) to protect login credentials.
* **Data Encryption**: Encrypt sensitive data to protect it against theft or leakage.
* **Attack Surface Reduction**: Disable unnecessary functions and services to reduce the risk of exploitation.
* **Security Awareness Training**: Educate employees about security risks and the attack methods commonly used by cybercriminals.

# **References**

* [North Korea-linked APT Moonstone used Qilin ransomware in limited attacks](https://securityaffairs.com/175178/apt/north-korea-linked-apt-moonstone-used-qilin-ransomware.html)
* [Qilin Ransomware: What You Need To Know](https://www.tripwire.com/state-of-security/qilin-ransomware-what-you-need-know)
