Home/ Threat Actors/ Moonstone Sleet

🇰🇵Moonstone Sleet

🇰🇵 Moonstone Sleet is a tracked threat actor in the Clankerusecase corpus. KP-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 30 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1036) ↗

14Use cases

0Articles

30Techniques

0IOCs

About this actor (MITRE)

[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032), but has differentiated its tradecraft since 2023. [Moonstone Sleet](https://attack.mitre.org/groups/G1036) is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.(Cit

Known aliases

Moonstone SleetStorm-1789

Top techniques

T1003.001 · LSASS Memory T1016 · System Network Configuration Discovery T1027 · Obfuscated Files or Information

All other tracked techniques

T1027.009 · Embedded Payloads T1027.013 · Encrypted/Encoded File T1033 · System Owner/User Discovery T1053.005 · Scheduled Task T1071.001 · Web Protocols T1082 · System Information Discovery T1105 · Ingress Tool Transfer T1140 · Deobfuscate/Decode Files or Information T1195.002 · Compromise Software Supply Chain T1204.002 · Malicious File T1217 · Browser Information Discovery T1486 · Data Encrypted for Impact T1547.001 · Registry Run Keys / Startup Folder T1566.001 · Spearphishing Attachment T1566.003 · Spearphishing via Service T1569.002 · Service Execution T1583.001 · Domains T1583.003 · Virtual Private Server T1585.001 · Social Media Accounts T1585.002 · Email Accounts T1587 · Develop Capabilities T1587.001 · Malware T1589.002 · Email Addresses T1591 · Gather Victim Org Information T1598 · Phishing for Information T1598.003 · Spearphishing Link T1608.001 · Upload Malware

Detection use cases (14)

Moonstone Sleet trojanized npm package — node/npm postinstall hook spawning network downloader AI · profile SΣ Moonstone Sleet fake-recruiter trojanized utility — signed binary from user-writable path with sideloaded DLL and immediate C2 AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match