Skip to content

Hide Navigation Hide TOC

Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0)

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.(Citation: Microsoft Moonstone Sleet 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set 1
Moonstone Sleet - G1036 (e6db1e55-b199-4b6b-8633-989345ee45e0) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 2
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2