Microsoft has identified a new North Korean threat actor, Moonstone Sleet. Also known as Storm-1789, Moonstone Sleet has set up fake companies and job opportunities to engage with potential targets and has even created a fully functioning computer game designed to trap the unwary.
The potentially hostile nation-state of North Korea has long been suspected of resorting to cybercrime against Western targets, both to fund its military build-up and to conduct ongoing cyber espionage against countries such as the US and the UK. But Moonstone Sleet is taking cyber-attacks on the West to new levels of sophistication, posing a threat to organizations of all kinds.
Microsoft says Moonstone Sleet “uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and cyberespionage objectives.”
Microsoft reports that since February of this year, Moonstone Sleet has been infecting devices using a malicious tank game it developed, called DeTankWar. The weaponized game also circulates under the names DeFiTankWar, DeTankZone and TankWarsZone. It is a downloadable game that requires player registration. Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support, either masquerading as a legitimate blockchain company or using fake companies of its own.
According to Microsoft: “[Moonstone Sleet] loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. For compromised devices of particular interest to the group, the threat actor launches hands-on-keyboard commands with further discovery and conducts credential theft.”
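The Microsoft description above mentions malicious services created on compromised devices for discovery and browser data collection. The following is an added example from a defender's side, not code from Microsoft or from this article: it triages Windows System-log "service installed" records (Event ID 7045) and flags services whose binary or arguments sit in user-writable directories, that run through a proxy or script host such as rundll32.exe or powershell.exe, or that carry an encoded PowerShell command line. The event records, service names and paths are constructed sample data, not indicators from the campaign.

```python
"""Triage Windows Event ID 7045 (service installed) records for suspicious installs.

Added example; the records below are constructed sample data in the shape of an
exported System log (EventData fields ServiceName, ImagePath, StartType,
AccountName). None of the names or paths are real campaign indicators.
"""
from __future__ import annotations

import re

# Constructed sample records (hypothetical values).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "CryptSvc", "StartType": "auto start",
     "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k NetworkService -p"},
    {"EventID": 7045, "ServiceName": "UpdateHelperSvc", "StartType": "auto start",
     "AccountName": "LocalSystem",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\svchelper.exe"},
    {"EventID": 7045, "ServiceName": "NetDiscovery", "StartType": "auto start",
     "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\cache\n.dll,Start'},
    {"EventID": 7045, "ServiceName": "BrowserSync", "StartType": "demand start",
     "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc <base64-placeholder>"},
    # A non-7045 record (service state change) that the triage must ignore.
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": ""},
]

# Directories an unprivileged user can normally write to. ProgramData is included
# because its top level is user-writable; expect some benign hits there.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Users\\Public|"
    r"Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)

# Built-in hosts that a service binary rarely needs to be; a service whose
# ImagePath starts with one of these is really running something else.
PROXY_HOSTS = {
    "rundll32.exe", "regsvr32.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}

ENCODED_PS = re.compile(r"-enc(odedcommand)?\b", re.IGNORECASE)


def service_binary(image_path: str) -> str:
    """Return the lower-cased file name of the executable in an ImagePath.

    Handles quoted paths ("C:\\x y\\z.exe" args) and unquoted paths with
    spaces by cutting at the first '.exe'; falls back to the first token.
    """
    path = image_path.strip().lstrip('"')
    match = re.match(r'([^"]*?\.exe)', path, re.IGNORECASE)
    exe = match.group(1) if match else path.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def assess_service_install(event: dict) -> list[str]:
    """Return the reasons a 7045 record deserves a look; empty list if none."""
    if event.get("EventID") != 7045:
        return []
    image = event.get("ImagePath", "")
    reasons = []
    if USER_WRITABLE.search(image):
        reasons.append("binary or argument in a user-writable directory")
    host = service_binary(image)
    if host in PROXY_HOSTS:
        reasons.append(f"service runs through proxy/script host {host}")
    if ENCODED_PS.search(image):
        reasons.append("encoded PowerShell command line")
    return reasons


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map ServiceName -> reasons for every flagged service-install record."""
    flagged: dict[str, list[str]] = {}
    for event in events:
        reasons = assess_service_install(event)
        if reasons:
            flagged[event["ServiceName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host the same logic runs over records exported with `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` or a SIEM search; the three rules are coarse and are meant to surface candidates for an analyst, not to act as a block list.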
Moonstone Sleet has created fake IT companies
Since January 2024, Moonstone Sleet has also created several fake companies impersonating software development and IT services, typically involving blockchain and artificial intelligence (AI). It has used these companies to reach potential targets using fake websites and social media accounts.
One of Moonstone Sleet’s bogus companies, StarGlow Ventures, poses as a legitimate software development company, using a custom domain name, fake employee personas, and social media accounts. It recently launched an email campaign targeting thousands of education and software development organizations.
In addition to creating fake companies, Moonstone Sleet is pursuing employment opportunities in software development positions at legitimate companies, generating additional revenue while simultaneously gaining embedded access to targeted organizations in the West.
“Moonstone Sleet’s primary goals appear to be espionage and revenue generation. Targeted sectors to date include both individuals and organizations in the software and information technology, education, and defense industrial base sectors,” reports Microsoft.