Threat Actor Profile
High APT
Description

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game. (Citation: Microsoft Moonstone Sleet 2024)

Confidence Score
90%
Known Aliases
Moonstone Sleet, Storm-1789
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (30)
T1071.001 - Web Protocols (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1027 - Obfuscated Files or Information (Defense Evasion)
T1027.009 - Embedded Payloads (Defense Evasion)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1016 - System Network Configuration Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1217 - Browser Information Discovery (Discovery)
T1053.005 - Scheduled Task (Execution)
T1204.002 - Malicious File (Execution)
T1569.002 - Service Execution (Execution)
T1486 - Data Encrypted for Impact (Impact)
T1195.002 - Compromise Software Supply Chain (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.003 - Spearphishing via Service (Initial Access)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1589.002 - Email Addresses (Reconnaissance)
T1591 - Gather Victim Org Information (Reconnaissance)
T1598 - Phishing for Information (Reconnaissance)
T1598.003 - Spearphishing Link (Reconnaissance)
T1583.001 - Domains (Resource Development)
T1583.003 - Virtual Private Server (Resource Development)
T1585.001 - Social Media Accounts (Resource Development)
T1585.002 - Email Accounts (Resource Development)
T1587 - Develop Capabilities (Resource Development)
T1587.001 - Malware (Resource Development)
T1608.001 - Upload Malware (Resource Development)
STIX Data
{'aliases': ['Moonstone Sleet', 'Storm-1789'],
 'created': '2024-08-26T17:39:06.020Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a '
                'North Korean-linked threat actor executing both financially '
                'motivated attacks and espionage operations. The group '
                'previously overlapped significantly with another North '
                'Korean-linked entity, [Lazarus '
                'Group](https://attack.mitre.org/groups/G0032), but has '
                'differentiated its tradecraft since 2023. [Moonstone '
                'Sleet](https://attack.mitre.org/groups/G1036) is notable for '
                'creating fake companies and personas to interact with victim '
                'entities, as well as developing unique malware such as a '
                'variant delivered via a fully functioning game.(Citation: '
                'Microsoft Moonstone Sleet 2024)',
 'external_references': [{'external_id': 'G1036',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1036'},
                         {'description': '(Citation: Microsoft Moonstone Sleet '
                                         '2024)',
                          'source_name': 'Storm-1789'},
                         {'description': 'Microsoft Threat Intelligence. '
                                         '(2024, May 28). Moonstone Sleet '
                                         'emerges as new North Korean threat '
                                         'actor with new bag of tricks. '
                                         'Retrieved August 26, 2024.',
                          'source_name': 'Microsoft Moonstone Sleet 2024',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/'}],
 'id': 'intrusion-set--e6db1e55-b199-4b6b-8633-989345ee45e0',
 'modified': '2024-10-01T11:51:31.065Z',
 'name': 'Moonstone Sleet',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Aung Kyaw Min Naing, @Nolan'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}