Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim 'Korean Leaks' Data Heist
Briefly

"'This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP) compromise as the initial access vector,' Bitdefender said in a report shared with The Hacker News. Qilin has emerged as one of the most active ransomware operations this year, with the RaaS crew exhibiting 'explosive growth' in the month of October 2025 by claiming over 180 victims."
"While Qilin's origins are likely Russian, the group describes itself as 'political activists' and 'patriots of the country.' It follows a traditional affiliate model, which involves recruiting a diverse group of hackers to carry out the attacks in return for taking a small share of up to 20% of the illicit payments. One particular affiliate of note is a North Korean threat actor tracked as Moonstone Sleet, which, according to Microsoft, has deployed a custom ransomware variant called FakePenny in an attack targeting an unnamed defense technology company in April 2024."
South Korea's financial sector experienced a supply-chain intrusion that resulted in Qilin ransomware deployment following compromise of a Managed Service Provider. Bitdefender attributed the operation to Qilin's RaaS affiliates with potential involvement from North Korean-aligned Moonstone Sleet. Qilin claimed explosive growth in October 2025 with over 180 victims and accounted for 29% of ransomware attacks in one dataset. A September 2025 spike produced 25 South Korean victims, 24 in finance, under the label "Korean Leaks." Qilin uses an affiliate model where affiliates remit up to 20% of illicit payments; Microsoft previously tied Moonstone Sleet to a FakePenny deployment.
Read at The Hacker News