G1036 Moonstone Sleet

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game. [1]

Item Value
ID G1036
Associated Names Storm-1789
Version 1.0
Created 26 August 2024
Last Modified 01 October 2024

Associated Group Descriptions

Name Description
Storm-1789 [1]

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Moonstone Sleet registered domains to develop effective personas for fake companies used in phishing activity. [1]
enterprise T1583.003 Virtual Private Server Moonstone Sleet registered virtual private servers to host payloads for download. [1]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads. [1]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Moonstone Sleet used registry run keys for process execution during initial victim infection. [1]
enterprise T1217 Browser Information Discovery Moonstone Sleet deployed malware such as YouieLoader capable of capturing victim system browser information. [1]
enterprise T1486 Data Encrypted for Impact Moonstone Sleet has deployed ransomware in victim environments. [1]
enterprise T1140 Deobfuscate/Decode Files or Information Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis. [1]
enterprise T1587 Develop Capabilities Moonstone Sleet developed malicious npm packages for delivery to or retrieval by victims. [1]
enterprise T1587.001 Malware Moonstone Sleet has developed custom malware, including a malware delivery mechanism masquerading as a legitimate game. [1]
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Moonstone Sleet has created social media accounts to interact with victims. [1]
enterprise T1585.002 Email Accounts Moonstone Sleet has created email accounts to interact with victims, including for phishing purposes. [1]
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses Moonstone Sleet gathered victim email address information for follow-on phishing activity. [1]
enterprise T1591 Gather Victim Org Information Moonstone Sleet has gathered information on victim organizations through email and social media interaction. [1]
enterprise T1105 Ingress Tool Transfer Moonstone Sleet retrieved a final stage payload from command and control infrastructure during initial installation on victim systems. [1]
enterprise T1027 Obfuscated Files or Information Moonstone Sleet delivers encrypted payloads in pieces that are then combined to form a new portable executable (PE) file during installation. [1]
enterprise T1027.009 Embedded Payloads Moonstone Sleet embedded payloads in trojanized software for follow-on execution. [1]
enterprise T1027.013 Encrypted/Encoded File Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion. [1]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Moonstone Sleet retrieved credentials from LSASS memory. [1]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Moonstone Sleet delivered various payloads to victims as spearphishing attachments. [1]
enterprise T1566.003 Spearphishing via Service Moonstone Sleet has used social media services to spearphish victims and deliver trojanized software. [1]
enterprise T1598 Phishing for Information Moonstone Sleet has interacted with victims to gather information via email. [1]
enterprise T1598.003 Spearphishing Link Moonstone Sleet used spearphishing messages containing items such as tracking pixels to determine whether users interacted with malicious messages. [1]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Moonstone Sleet used scheduled tasks for program execution during initial access to victim machines. [1]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware Moonstone Sleet staged malicious capabilities online for follow-on download by victims or malware. [1]
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain Moonstone Sleet has distributed a trojanized version of PuTTY software for initial access to victims. [1]
enterprise T1082 System Information Discovery Moonstone Sleet has gathered information on victim systems. [1]
enterprise T1016 System Network Configuration Discovery Moonstone Sleet has gathered information on victim network configuration. [1]
enterprise T1033 System Owner/User Discovery Moonstone Sleet deployed various malware such as YouieLoader that can perform system user discovery actions. [1]
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Moonstone Sleet used intermediate loader malware such as YouieLoader and SplitLoader that create malicious services. [1]
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Moonstone Sleet relied on users interacting with malicious files, such as a trojanized PuTTY installer, for initial execution. [1]

Software

ID Name References Techniques
S1242 Qilin Moonstone Sleet has deployed Qilin ransomware. [2] Bypass User Account Control:Abuse Elevation Control Mechanism, Access Token Manipulation, Local Account:Account Discovery, Winlogon Helper DLL:Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, PowerShell:Command and Scripting Interpreter, Data Encrypted for Impact, Internal Defacement:Defacement, Group Policy Modification:Domain or Tenant Policy Modification, Mutual Exclusion:Execution Guardrails, Execution Guardrails, Exploit Public-Facing Application, File and Directory Discovery, File and Directory Permissions Modification, Safe Mode Boot:Impair Defenses, Disable or Modify Tools:Impair Defenses, Clear Windows Event Logs:Indicator Removal, File Deletion:Indicator Removal, Inhibit System Recovery, Local Storage Discovery, Modify Registry, Native API, Network Share Discovery, Encrypted/Encoded File:Obfuscated Files or Information, LSASS Memory:OS Credential Dumping, Spearphishing Link:Phishing, Spearphishing Attachment:Phishing, Process Discovery, Dynamic-link Library Injection:Process Injection, Query Registry, SMB/Windows Admin Shares:Remote Services, Remote System Discovery, Scheduled Task:Scheduled Task/Job, Service Stop, System Network Configuration Discovery, System Service Discovery, System Shutdown/Reboot, Malicious Link:User Execution, Malicious File:User Execution, Virtual Machine Discovery

References