G1036 · 30 ATT&CK techniques · 0 correlated reports

Moonstone Sleet

Aliases: Storm-1789

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.

Open interactive actor investigation

ATT&CK techniques

T1587.001
Malware T1033
System Owner/User Discovery T1071.001
Web Protocols T1585.002
Email Accounts T1589.002
Email Addresses T1140
Deobfuscate/Decode Files or Information T1591
Gather Victim Org Information T1053.005
Scheduled Task T1547.001
Registry Run Keys / Startup Folder T1204.002
Malicious File T1566.001
Spearphishing Attachment T1027
Obfuscated Files or Information T1583.003
Virtual Private Server T1105
Ingress Tool Transfer T1016
System Network Configuration Discovery T1598.003
Spearphishing Link T1003.001
LSASS Memory T1608.001
Upload Malware T1598
Phishing for Information T1195.002
Compromise Software Supply Chain T1569.002
Service Execution T1583.001
Domains T1217
Browser Information Discovery T1566.003
Spearphishing via Service T1486
Data Encrypted for Impact T1585.001
Social Media Accounts T1587
Develop Capabilities T1082
System Information Discovery T1027.013
Encrypted/Encoded File T1027.009
Embedded Payloads

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research