Moonstone Sleet | APT Profile

Description

[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032), but has differentiated its tradecraft since 2023. [Moonstone Sleet](https://attack.mitre.org/groups/G1036) is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.(Citation: Microsoft Moonstone Sleet 2024)

Techniques Used (TTPs)

T1587.001 — Malware (resource-development)
T1033 — System Owner/User Discovery (discovery)
T1071.001 — Web Protocols (command-and-control)
T1585.002 — Email Accounts (resource-development)
T1589.002 — Email Addresses (reconnaissance)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1591 — Gather Victim Org Information (reconnaissance)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1204.002 — Malicious File (execution)
T1566.001 — Spearphishing Attachment (initial-access)
T1027 — Obfuscated Files or Information (defense-evasion)
T1583.003 — Virtual Private Server (resource-development)
T1105 — Ingress Tool Transfer (command-and-control)
T1016 — System Network Configuration Discovery (discovery)
T1598.003 — Spearphishing Link (reconnaissance)
T1003.001 — LSASS Memory (credential-access)
T1608.001 — Upload Malware (resource-development)
T1598 — Phishing for Information (reconnaissance)
T1195.002 — Compromise Software Supply Chain (initial-access)
T1569.002 — Service Execution (execution)
T1583.001 — Domains (resource-development)
T1217 — Browser Information Discovery (discovery)
T1566.003 — Spearphishing via Service (initial-access)
T1486 — Data Encrypted for Impact (impact)
T1585.001 — Social Media Accounts (resource-development)
T1587 — Develop Capabilities (resource-development)
T1082 — System Information Discovery (discovery)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1027.009 — Embedded Payloads (defense-evasion)

Total TTPs: 30

← Return to Home ← Back to APT Search