Qilin Ransomware Hits South Korean Finance Sector in Supply Chain Attack

South Korea’s financial sector has become the target of a sophisticated supply chain attack that culminated in the deployment of Qilin ransomware.

Bitdefender said in a report, “This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP) compromise as the initial access vector.”

Qilin Group

Qilin emerged as one of the most active ransomware operations of 2025. The RaaS crew showed “explosive growth” in October 2025, claiming more than 180 victims, and data from NCC Group shows the group accounting for 29% of all ransomware attacks.

That surge prompted Bitdefender, the Romanian cybersecurity company, to dig deeper after it noticed an unusual spike in ransomware victims from South Korea in September 2025. During that month, South Korea became the second-most affected country after the U.S., with 25 cases, an abrupt rise from its average of about two victims per month between September 2024 and August 2025.

Upon further analysis, the company determined that Qilin was responsible for all 25 cases and that 24 of the victims belonged to the financial sector. The attackers themselves branded the campaign Korean Leaks.

While Qilin’s origins are likely Russian, the threat actors openly describe themselves as “political activists” and “patriots of the country.” The group also operates a traditional affiliate model that recruits a diverse range of hackers and lets them keep the bulk of the illicit payments, with the core operators retaining a cut of up to 20%.

Moonstone Sleet

One particular affiliate, a North Korean state-sponsored actor tracked as Moonstone Sleet, stands out. According to Microsoft, this actor deployed a custom ransomware variant called FakePenny in an April 2024 attack targeting an unnamed defense technology company.

Then, in February 2025, the adversary shifted tactics and delivered Qilin ransomware to a limited number of organizations. Although Moonstone Sleet’s involvement in the Korean Leaks attacks remains unconfirmed, the focus on South Korean businesses aligns with the group’s strategic objectives.

Korean Leaks unfolded over three publication waves and resulted in the theft of more than 1 million files and 2 TB of data from 28 victims. Posts associated with four additional entities later disappeared from the data leak site (DLS), which Bitdefender said suggests either ransom negotiations or an internal policy specific to this operation.

The three waves are as follows –

  • Wave 1, comprising 10 victims from the financial management sector that appeared on September 14, 2025
  • Wave 2, comprising nine victims that appeared between September 17 and 19, 2025
  • Wave 3, comprising nine victims that appeared between September 28 and October 4, 2025

An unusual aspect of these leaks is a complete break from typical pressure-based extortion tactics: instead, the actors lean heavily on propaganda and political messaging.

Bitdefender

Bitdefender said of the first wave of the campaign, “The entire campaign was framed as a public-service effort to expose systemic corruption, exemplified by the threats to release files that could be ‘evidence of stock market manipulation’ and names of ‘well-known politicians and businessmen in Korea.’”

Subsequent waves raised the pressure even further by claiming that the data leaks could trigger a severe crisis in the Korean financial market. The actors also urged South Korean authorities to investigate the case under stringent data protection laws.

During the third wave, the messaging shifted again. At first, the group continued using the same national-crisis narrative, but it soon pivoted to language that “more closely resembled Qilin’s typical, financially motivated extortion messages.”

Given that Qilin boasts of an “in-house team of journalists” who help affiliates craft blog posts and apply negotiation pressure, analysts assess that core members of the group, rather than the affiliate, authored the DLS text.

Bitdefender said, “The posts contain several of the core operator’s signature grammatical inconsistencies. However, this control over the final draft does not mean the affiliate was excluded from having a critical say in the key messaging or overall direction of the content.”

To carry out these attacks, the Qilin affiliate breached a single upstream managed service provider (MSP) and used that access to reach several downstream customers simultaneously. On September 23, 2025, the Korea JoongAng Daily reported that ransomware had infected more than 20 asset management companies following the compromise of GJTec.

To mitigate this class of risk, organizations should enforce multi-factor authentication (MFA), particularly for MSP and other third-party access, apply the principle of least privilege (PoLP) to vendor accounts, segment critical systems and sensitive data from remote-management tooling, and proactively reduce their attack surface.

Bitdefender said, “The MSP compromise that triggered the ‘Korean Leaks’ operation highlights a critical blind spot in cybersecurity discussions. Exploiting a vendor, contractor, or MSP that has access to other businesses is a more prevalent and practical route that RaaS groups seeking clustered victims can take.”
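The one-to-many pivot described above, where a single upstream MSP identity touches many downstream customer environments in a short window, is something a defender can look for directly in authentication logs. The following is an added example, not code from the article or from Bitdefender’s report, that implements two checks on a constructed JSON-lines auth log: a sliding-window fan-out detector that flags any account or source IP reaching three or more distinct customer tenants within fifteen minutes, and a check for vendor-domain logons that were completed without MFA. The record fields (`ts`, `account`, `src_ip`, `tenant`, `mfa`), the vendor domain `msp.example`, and the sample events are all hypothetical.

```python
"""
Added example (not part of the original article or Bitdefender's report):
a minimal detection for the MSP-pivot pattern, where one upstream identity
reaches many downstream customer environments in a short window, plus a
check for vendor logons that skipped MFA.

Assumptions (hypothetical): each authentication record is one JSON line with
the fields ts (ISO 8601), account, src_ip, tenant and mfa. The field names,
vendor domain and sample log below are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one MSP remote-management service account reaching
# four customer tenants within six minutes, three of those logons without MFA,
# plus two ordinary single-tenant logons that must not be flagged.
SAMPLE_LOG = """\
{"ts": "2025-09-12T01:02:11Z", "account": "svc-rmm@msp.example", "src_ip": "203.0.113.7", "tenant": "asset-mgr-01", "mfa": false}
{"ts": "2025-09-12T01:03:40Z", "account": "svc-rmm@msp.example", "src_ip": "203.0.113.7", "tenant": "asset-mgr-02", "mfa": false}
{"ts": "2025-09-12T01:05:02Z", "account": "svc-rmm@msp.example", "src_ip": "203.0.113.7", "tenant": "asset-mgr-03", "mfa": true}
{"ts": "2025-09-12T01:07:55Z", "account": "svc-rmm@msp.example", "src_ip": "203.0.113.7", "tenant": "asset-mgr-04", "mfa": false}
{"ts": "2025-09-12T01:09:30Z", "account": "jkim@asset-mgr-01.example", "src_ip": "198.51.100.9", "tenant": "asset-mgr-01", "mfa": true}
{"ts": "2025-09-12T09:15:00Z", "account": "svc-backup@msp.example", "src_ip": "203.0.113.8", "tenant": "asset-mgr-02", "mfa": true}
"""


def parse_events(text):
    """Parse JSON-lines auth records into dicts, converting 'ts' to a datetime
    and returning them in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_fanout(events, key="account", window=timedelta(minutes=15), threshold=3):
    """Return {identity: sorted tenants} for every identity (grouped by `key`,
    e.g. account or src_ip) that reached at least `threshold` distinct tenants
    inside some sliding time window of length `window`.

    The largest tenant set seen for a flagged identity is reported, so an
    MSP account that kept pivoting after crossing the threshold shows the
    full blast radius rather than only the first three tenants."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    hits = {}
    for ident, recs in by_key.items():
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until recs[start..end] fits.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            tenants = {r["tenant"] for r in recs[start:end + 1]}
            if len(tenants) >= threshold and len(tenants) > len(hits.get(ident, ())):
                hits[ident] = sorted(tenants)
    return hits


def find_no_mfa(events, vendor_domain="msp.example"):
    """Return sorted (account, tenant) pairs where an account from the vendor
    domain completed a logon without MFA, i.e. where the 'enforce MFA on
    third-party access' control was not actually applied."""
    return sorted({(e["account"], e["tenant"]) for e in events
                   if e["account"].endswith("@" + vendor_domain) and not e["mfa"]})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("fan-out by account:", find_fanout(evs))
    print("fan-out by source IP:", find_fanout(evs, key="src_ip"))
    print("vendor logons without MFA:", find_no_mfa(evs))
```

Running the block flags `svc-rmm@msp.example` (and its source IP) for touching four tenants inside the window, and lists the three tenants it reached without MFA; the single-tenant user and the backup account are left alone. Grouping by both account and source IP matters because an attacker who has taken over an MSP often holds several credentials, so the shared egress address can be the only common thread across customers.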

Source: TheHackerNews

Read more at Impreza News
