Introduction

Cybersecurity experts have recently identified a new ransomware threat named Moonstone Sleet, attributed to North Korean cybercriminal groups. This advanced ransomware targets primarily Windows systems using a sophisticated multi-stage attack vector that enables privilege escalation, credential theft, and devastating file encryption. This article dives deep into the technical details of Moonstone Sleet, its origins, implications for targeted sectors, especially those relying on Windows, and crucial recommendations for defense.

Background on Moonstone Sleet and Associated Threat Actors

Moonstone Sleet is linked to a known North Korean actor group, identified by cybersecurity firms as Storm-2460 or known in the ransomware context as RansomEXX. This group operates with high technical expertise, combining multiple exploits into a seamless attack chain.

Unlike common ransomware that exploits single vulnerabilities or social engineering, Moonstone Sleet riders on a freshly discovered Windows zero-day vulnerability known as CVE-2025-29824, a use-after-free bug in the Windows Common Log File System (CLFS). The group uses this exploit to escalate privileges from local user space to SYSTEM-level access, allowing deep system control.

Technical Anatomy of the Attack

The Moonstone Sleet ransomware attack involves several highly advanced steps:

  1. Initial Compromise: Using legitimate Windows utilities like INLINECODE0 , attackers download a malicious MSBuild file hosting an encrypted payload. This method leverages ‘living-off-the-land’ techniques to evade detection.
  2. Payload Execution: The encrypted payload decrypts and executes the PipeMagic malware, known for previous use in sophisticated attacks.
  3. Exploitation of CLFS Vulnerability: Leveraging the CVE-2025-29824 flaw, the attackers use kernel address leakage through the INLINECODE1 API and memory corruption via INLINECODE2 . This manipulation overwrites the process token, granting elevated privileges to the exploit process.
  4. Post-Exploitation Activities: With SYSTEM-level access achieved, Moonstone Sleet injects malicious code into critical Windows processes, such as INLINECODE3 , to maintain persistence and evade detection.
  5. Credential Harvesting: Tools like Sysinternals' INLINECODE4 dump memory from INLINECODE5 to harvest user credentials, facilitating lateral movement within the network.
  6. Ransomware Deployment: Files across the system are encrypted with random extensions, and the victim receives a ransom note, !READMEREXX2!.txt, containing links to Tor (.onion) domains for ransom payment instructions.
  7. Disabling Recovery: The malware executes commands that disable system recovery options and wipe logs to hinder incident response and forensic analyses.

This multifaceted exploitation and attack flow demonstrate the high level of planning and technical sophistication behind Moonstone Sleet.

Impacted Sectors and Global Reach

Moonstone Sleet has targeted diverse industries across multiple regions:

  • IT and Real Estate sectors in the United States: These sectors are at risk due to reliance on complex Windows ecosystems.
  • Financial Sector in Venezuela: Vulnerabilities in cyber defenses create fertile ground for ransomware impact.
  • Spanish Software Industry: Specialized businesses with focused operations are also targeted.
  • Retail Sector in Saudi Arabia: Which depends heavily on timely access to data and operational continuity.

Previous victims of Storm-2460 include high-profile companies and government bodies, underscoring the capability and persistence of this threat actor.

Implications and Security Recommendations

The Moonstone Sleet ransomware campaign reinforces several urgent cybersecurity imperatives:

  • Patch Management: Immediate application of Microsoft’s security updates addressing CVE-2025-29824 is critical. Notably, while Windows 11 version 24H2 is immune due to tightened system protections, other versions remain vulnerable.
  • Endpoint Detection: Employ advanced threat detection platforms like Microsoft Defender for Endpoint and leverage monitoring tools to detect artifacts such as suspicious BLF file creation (INLINECODE6 ) and anomalous command-line activities.
  • Credential Protection: Deploy multi-factor authentication (MFA), enforce least privilege principles, and monitor for unusual access to LSASS memory to prevent credential theft.
  • Incident Response Preparedness: Establish and regularly update incident response protocols, incorporating indicators of compromise (IOC) shared by cybersecurity agencies.
  • Network Segmentation and Monitoring: Limit lateral movement potential by segmenting networks and monitoring process injection and privilege escalations.

Conclusion

Moonstone Sleet exemplifies the rising sophistication of ransomware threats that blend zero-day exploits, living-off-the-land tactics, and multi-stage attack chains to compromise Windows systems. The attribution to North Korean actors highlights the geopolitical dimension of modern cyber threats.

Defenders must act swiftly to patch vulnerable systems, enhance monitoring, and implement comprehensive security frameworks to mitigate the potentially catastrophic impact of such ransomware. Staying vigilant and informed remains the best defense against this evolving threat landscape.