{
	"id": "f00553bc-560e-47e6-83d5-7d41779f23d0",
	"created_at": "2026-04-06T03:35:35.062594Z",
	"updated_at": "2026-04-10T13:11:47.853875Z",
	"deleted_at": null,
	"sha1_hash": "89f6d3af10cdef812f49efbb0d5c8e776288ff69",
	"title": "A New North Korean Group Emerges, Disrupting the Open-Source Ecosystem",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1582476,
	"plain_text": "A New North Korean Group Emerges, Disrupting the Open-Source Ecosystem\r\nBy Tzachi Zornstein\r\nPublished: 2024-06-13 · Archived: 2026-04-06 02:58:22 UTC\r\nResearch by Tzachi Zornstein and Yehuda Gelb\r\nIn December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have been compromising supply chains through the open-source ecosystem, with one of their key tactics being the exploitation of the public npm registry to distribute malicious packages. Despite the increased exposure and attention brought to this issue by our research and that of others in the field, it is evident that these attackers remain undeterred.\r\nThroughout the first and even second quarter of 2024, we observed the continued publication of malicious packages on npm, bearing striking similarities to those detailed in our previous blog post. Initially, we believed these packages to be a continuation of Jade Sleet’s campaign in late spring and early summer of 2023. However, new information came to light, making it apparent that a new threat actor was emerging on the scene.\r\nKey Points\r\nhttps://checkmarx.com/blog/a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem/\r\nPage 1 of 6\r\nMoonstone Sleet, a newly identified North Korean threat actor, has entered the scene, targeting the open-source software supply chain with tactics similar to other well-known North Korean groups.\r\nAmong Moonstone Sleet’s key tactics is the distribution of malware through malicious npm packages, which are published on the public npm registry, exposing a wide range of developers to potential compromise.\r\nThe ongoing activities of Moonstone Sleet, Jade Sleet, and other North Korean state-sponsored actors underscore the constant threat to the open-source ecosystem.\r\nRecent Developments:\r\nIn a recent publication, Microsoft shed light on a new rising North Korean threat actor named Moonstone Sleet, which employs various tactics, techniques, and procedures (TTPs) to target companies for financial gain and cyberespionage. Many of the TTPs utilized by Moonstone Sleet closely resemble those employed by other North Korean threat actors.\r\nA number of IOCs shared in Microsoft’s blog closely resemble those mentioned in our December blog post and recent publications by Phylum, showing that, in addition to delivering malicious npm packages through freelancing websites and platforms like LinkedIn, Moonstone Sleet has also been attempting to spread their malicious packages through the public npm registry.\r\nThis tactic allows them to potentially reach a wider audience and increases the likelihood of their malicious packages being installed by unsuspecting developers.\r\nDifferences in Code Style and Structure\r\nThe malicious npm packages discovered during the spring and early summer of 2023, affiliated with Jade Sleet, and those found in late 2023 to early 2024, containing IOCs linking them to the Moonstone Sleet group, exhibit distinct code style and structure differences. These differences offer interesting insights into the varying strategies used by different groups when targeting the open-source software supply chain.\r\nPackages attributed to Jade Sleet\r\nJade Sleet’s packages, discovered throughout summer 2023, were designed to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source.\r\nThe first package in the pair was responsible for creating a directory on the victim’s machine, fetching updates from a remote server, and saving them in a file within the newly created directory. This package laid the groundwork for the second package to execute its malicious payload.\r\nCode of the first package in the pair\r\nThe second package, upon execution, would read a token from the file created by the first package. It would then make a request to a specific URL, passing the token as a parameter. The response from this request, likely containing additional malicious code, would be written to another file on the victim’s machine. Finally, the second package would immediately execute this newly written file as a Node.js script, unleashing the full extent of the malicious functionality.\r\nCode of second package in pair\r\nPackages attributed to Moonstone Sleet\r\nIn contrast, the packages published throughout late 2023 and early 2024 adopted a more streamlined single-package approach which would execute its payload immediately upon installation.\r\nThe malicious payload was encoded within string constants and included OS-specific code, executing only if it detected that it was running on a Windows machine.\r\nPackages published in the last quarter of 2023 and the first quarter of 2024 shared significant similarities, with only minor variations in file names, URLs, and decryption keys.\r\nDespite these minor changes, the malicious payload’s overall structure and functionality remain largely the same, indicating that the attackers are relying on a proven technique while making small modifications to evade detection:\r\nMalicious Payload Execution:\r\nThe malicious payload downloads a file from a remote server, decrypts it using a byte-wise XOR operation, renames the decrypted file, and executes it using rundll32. It then cleans up by deleting the temporary files and replacing the malicious package.json with a clean version.\r\nOverall structure of malicious code\r\nChanges in the Attack Flow in Second Quarter of 2024\r\nIn the second quarter of 2024, the packages increased in complexity, with the attackers adding obfuscation and having them target Linux systems as well. The following code would be executed if the OS was detected as Linux:\r\nFor a more detailed explanation of how the various packages operate, you can refer to our past publications.\r\nBlog post describing Jade Sleet-attributed packages.\r\nBlog post describing the Moonstone Sleet-attributed packages.\r\nConclusion\r\nThe frequent publication of malicious packages on npm by North Korean threat actors underscores the persistent nature of their campaign. By continually adapting their tactics and techniques, they aim to evade detection and enhance their odds of breaching targeted systems.\r\nWith the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors and the recent high-profile XZ attack, it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries. And while the open-source community plays a crucial role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the companies that consume these packages.\r\nAs the fight against malicious actors in the open-source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and thwarting these attacks. Through collective effort and proactive measures, we can work towards a safer and more secure open-source ecosystem for all.\r\nSource: https://checkmarx.com/blog/a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://checkmarx.com/blog/a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem/"
	],
	"report_names": [
		"a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem"
	],
	"threat_actors": [
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446535,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89f6d3af10cdef812f49efbb0d5c8e776288ff69.pdf",
		"text": "https://archive.orkl.eu/89f6d3af10cdef812f49efbb0d5c8e776288ff69.txt",
		"img": "https://archive.orkl.eu/89f6d3af10cdef812f49efbb0d5c8e776288ff69.jpg"
	}
}