>samit_hota
Back to adversary profiles
G1036HighActive

Moonstone Sleet (G1036) Threat Actor Profile

Samit Hota·
Suspected Origin
North Korea
Motivation
Espionage, Financial Gain
Aliases
Storm-1789
Target Sectors
Software & Information Technology, Education, Defense Industrial Base, Financial Institutions, Cryptocurrency Platforms, Aerospace, Drone Technology, Aircraft Parts Manufacturing
Associated Malware
FakePenny, DeTankWar (game malware), SplitLoader, YouieLoad, Comebacker, Qilin Ransomware
#threat-actor#g1036

Overview

Moonstone Sleet, also tracked by Microsoft as Storm-1789 and by Datadog Security Research as Stressed Pungsan, is a highly adaptive and well-resourced North Korean state-aligned threat actor (G1036) that has been actively conducting both financially motivated attacks and cyber espionage operations since at least 2023. While the group initially displayed significant overlap with other North Korean entities, particularly Diamond Sleet (also known as Zinc and a sub-group of the Lazarus Group), Moonstone Sleet has increasingly differentiated its tradecraft and infrastructure since 2023, establishing itself as a distinct and potent threat.

A key characteristic of Moonstone Sleet’s operations is its sophisticated use of social engineering, including the creation of elaborate fake companies and personas to engage with potential targets. This deceptive tactic is employed across various platforms like LinkedIn, Telegram, developer freelancing sites, and email, enabling them to deliver trojanized software, malicious npm packages, and even fully functional but compromised games. Their objectives span from intellectual property theft and intelligence gathering to illicit revenue generation for the North Korean regime.

Tactics & Techniques

Moonstone Sleet’s operational methodology centers on highly targeted social engineering campaigns designed to establish initial access and subsequently escalate privileges and exfiltrate data. They frequently impersonate legitimate software development and IT service providers, using fake company names such as “StarGlow Ventures” and “C.C. Waterfall,” complete with custom domains, fake employee profiles, and social media presence.

Their initial access vectors often involve luring victims into downloading and executing malicious files disguised as legitimate software or project components. This includes:

  • Trojanized Software: Distributing modified versions of legitimate tools like PuTTY via messaging platforms and freelancing sites. These trojanized versions decrypt and execute embedded payloads upon user interaction.
  • Malicious npm Packages: Targeting software developers by offering “technical skills assessments” or project collaborations that, when loaded, invoke malicious npm packages to drop further payloads.
  • Malicious Games: Developing and distributing fully functional, yet malicious, games such as “DeTankWar” (also known as DeFiTankWar, DeTankZone, or TankWarsZone). These games require player registration and are used as a sophisticated malware delivery mechanism.

Once initial access is gained, Moonstone Sleet employs a multi-stage payload delivery process. They use various loaders like SplitLoader and YouieLoad to decrypt, decompress, and execute subsequent payloads. Post-compromise activities include network and user discovery, credential theft (including from LSASS memory), and the collection of browser information. They also utilize registry run keys and scheduled tasks for persistence and execution. To evade detection, Moonstone Sleet employs multiple rounds of obfuscation and encoding for their payloads.

Notable Campaigns

Since its emergence, Moonstone Sleet has been linked to several distinct and sophisticated campaigns:

  • StarGlow Ventures Campaign (January - April 2024): This campaign saw Moonstone Sleet impersonate a legitimate software development company, “StarGlow Ventures,” to target thousands of organizations in the education and software development sectors through email. The emails offered collaboration on projects related to web apps, mobile apps, blockchain, and AI, often including tracking pixels to monitor victim engagement.
  • DeTankWar Game Distribution (Since February 2024): Moonstone Sleet actively promoted its malicious tank game, “DeTankWar,” to targets via email and messaging platforms. They presented themselves as game developers seeking investment or developer support, sometimes masquerading as legitimate blockchain companies or using other fake entities like “C.C. Waterfall.” The game served as a trojanized delivery mechanism for malware.
  • Defense Industrial Base Compromises (December 2023 - May 2024): The group has targeted defense technology companies, including those involved in drone technology and aircraft parts manufacturing. In one instance, a defense technology company was initially compromised in December 2023 for credential and intellectual property theft, then subjected to a FakePenny ransomware attack in April 2024.
  • Qilin Ransomware Deployment (Since February 2025): Recent observations indicate that Moonstone Sleet has expanded its ransomware operations by deploying Qilin ransomware in a limited number of attacks. This marks a shift from their previous use of custom ransomware and suggests a potential collaboration with or utilization of Ransomware-as-a-Service (RaaS) offerings.

Associated Malware & Tools

Moonstone Sleet utilizes a combination of custom malware, trojanized legitimate software, and, more recently, RaaS offerings to achieve its objectives:

  • FakePenny: This is a custom ransomware variant first observed in April 2024. It includes both a loader and an encryptor, and in one notable incident, demanded a 100 Bitcoin ransom (approximately $6.6 million USD). The ransom note has been observed to closely resemble those used in NotPetya attacks.
  • DeTankWar: A malicious, fully functional tank game developed by Moonstone Sleet, used as a deceptive delivery mechanism for further malware.
  • SplitLoader: An installer/dropper malware that decrypts, decompresses, and writes subsequent stage payloads (DLL files) to disk, often establishing persistence via scheduled tasks or registry run keys.
  • YouieLoad: A malware loader capable of capturing system browser information, performing system user discovery, and loading next-stage payloads in memory, often creating malicious services.
  • Comebacker: Moonstone Sleet initially reused code from this known Diamond Sleet malware, particularly in early stages of their activity for establishing command-and-control (C2) communication.
  • Qilin Ransomware: Beginning in February 2025, Moonstone Sleet has been observed deploying this Ransomware-as-a-Service (RaaS) offering, indicating an expansion of their ransomware capabilities.
  • Trojanized PuTTY: Modified versions of the legitimate open-source terminal emulator used for initial access, embedding malicious payloads.
  • Malicious npm Packages: Custom-developed malicious packages uploaded to the npm registry, designed to execute payloads upon installation and gather information from targeted development environments.
  • Cobalt Strike: This legitimate penetration testing tool is likely leveraged by Moonstone Sleet for command-and-control communication and maintaining persistence within compromised systems.

Current Status

Moonstone Sleet is an actively operating threat actor, continually evolving its tradecraft and expanding its attack portfolio. Microsoft Threat Intelligence has been tracking their activities, noting their continued use of sophisticated social engineering, custom malware development, and recent adoption of Qilin ransomware. The group’s ability to conduct concurrent operations across multiple campaigns, the robustness of their custom malware (like the malicious game), and their deployment of new ransomware variants underscore their significant resources and ongoing threat level. Organizations in the targeted sectors should remain vigilant and implement robust security measures to defend against Moonstone Sleet’s evolving tactics.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call