A complex cyber operation, involving a sophisticated supply chain attack, has severely impacted the South Korean financial sector through the deployment of Qilin ransomware. Cybersecurity firm Bitdefender indicated that this operation likely combined the offensive capabilities of the major Qilin Ransomware-as-a-Service (RaaS) group with the potential involvement of North Korean state-affiliated actors, specifically Moonstone Sleet. The initial point of entry for the attackers was identified as the compromise of a Managed Service Provider (MSP), a classic supply chain vector that enables widespread infection.
The Qilin RaaS group has rapidly established itself as a leading ransomware operation throughout the current year. Data from the NCC Group shows that the organization is now responsible for a significant 29% of all ransomware attacks globally. The group experienced an “explosive growth” in activity during October 2025 alone, claiming over 180 new victims. This rapid expansion highlights Qilin’s increasing threat level within the global cybersecurity landscape.
The investigation by the Romanian cybersecurity company was triggered by an unusual and sudden surge in ransomware victims within South Korea in September 2025. During that month, South Korea became the second-most affected country worldwide, reporting 25 cases, a massive increase compared to its prior average of only about two victims per month recorded between September 2024 and August 2025. This dramatic spike strongly suggested a focused and targeted campaign against the nation.
Detailed analysis of these 25 incidents revealed that every single case was exclusively attributed to the Qilin ransomware group. Of particular concern was the scope of the targeting: 24 of the 25 victims were concentrated within the financial sector. The perpetrators themselves acknowledged this specific targeting, internally naming the operation “Korean Leaks.” While the Qilin group is suspected to have Russian origins, its members publicly describe themselves as “patriots of the country” and “political activists.”
The group operates on a traditional affiliate model, recruiting numerous hackers who execute the attacks in exchange for a percentage of the illegal earnings, typically up to 20%. One notable affiliate is the North Korean state-sponsored threat actor tracked as Moonstone Sleet. This group was previously linked to deploying a custom ransomware variant named FakePenny in an April 2024 attack on a defense technology company. A major shift in the adversary’s tactics was observed in early February 2025, when the group began delivering the Qilin ransomware to a limited number of organizations. Although direct attribution for the latest wave of attacks remains challenging, the extensive targeting of South Korean businesses is highly consistent with Moonstone Sleet’s established strategic objectives.
Reference:
