Sophisticated Ransomware Campaign Targets Financial Sectors
Cybersecurity researchers have uncovered a new and highly sophisticated ransomware campaign linked to a North Korean threat actor known as “Moonstone Sleet.” This group has been actively targeting financial institutions and cryptocurrency exchanges across Southeast Asia and Europe, deploying an advanced custom ransomware strain that exhibits innovative technical capabilities and evasion techniques previously unseen in similar cyber operations.
Operating under the umbrella of North Korea’s cyber warfare units, Moonstone Sleet employs a multi-stage infection strategy. The attack begins with targeted spear-phishing emails carrying seemingly harmless PDF attachments. These documents exploit an undisclosed vulnerability in widely used PDF readers, enabling a fileless loader to establish persistence by modifying the Windows Registry. By combining living-off-the-land techniques with encrypted communication channels, the attack chain evades conventional detection methods, so organizations frequently fail to detect and contain the intrusion before significant damage occurs.
Attack Methods and Global Impact
The ransomware campaign first surfaced in late February 2025 when a financial institution in Singapore reported unusual network traffic patterns and encrypted systems. Further investigation confirmed that similar attacks had compromised at least seven organizations in Thailand, Vietnam, Germany, and the United Kingdom. The total ransom demands from these incidents have exceeded $17 million in cryptocurrency, highlighting the severity of the campaign.
Unlike previous ransomware operations linked to North Korean cyber groups, Moonstone Sleet demonstrates an advanced understanding of enterprise security frameworks and employs countermeasures specifically designed to evade modern endpoint protection systems. Security researchers have noted the significant investment in developing custom obfuscation techniques to conceal the malware’s code and functionality, making detection and analysis more challenging.
One of the key features of this ransomware is its two-stage encryption process, which makes data recovery particularly difficult. Technical analysis has revealed an unusual combination of ChaCha20 encryption and custom key exchange protocols, with compromised domain controllers used to distribute decryption keys. The malware also communicates with its command and control servers through a custom protocol designed to blend in with legitimate HTTPS traffic, embedding commands within seemingly normal web requests to avoid detection.
Attribution and Security Recommendations
Forensic analysis has identified several command and control servers hosted on compromised infrastructure across Eastern Europe and Southeast Asia. The attackers employ sophisticated operational security tactics, such as rapid server rotation and geofenced access controls that trigger self-destruction mechanisms when accessed from unauthorized IP addresses. These measures make attribution challenging, but cybersecurity experts have linked Moonstone Sleet to North Korean cyber operations based on code similarities, shared command infrastructure with past campaigns, and attack patterns aligned with financial motives.
Furthermore, researchers discovered timing mechanisms within the ransomware that prevent execution during working hours in the UTC+9 time zone, a characteristic frequently observed in North Korean-linked malware strains. These findings reinforce the attribution to state-backed cyber units operating from Pyongyang.
In response to this threat, security professionals strongly advise organizations to adopt robust cybersecurity measures, including advanced email filtering, regular offline backups, application control solutions, and continuous monitoring for indicators of compromise. Threat intelligence vendors have begun distributing relevant security alerts and signatures to assist organizations in defending against this evolving ransomware campaign.