South Korea’s financial sector has been the target of a sophisticated supply chain attack, resulting in the widespread deployment of Qilin ransomware. This operation, dubbed “Korean Leaks” by the perpetrators, combined the capabilities of the active Ransomware-as-a-Service (RaaS) group Qilin with potential involvement from North Korean state-affiliated actors, identified as Moonstone Sleet, utilizing a Managed Service Provider (MSP) compromise as the initial entry point.
The cybersecurity firm Bitdefender, in a report shared with The Hacker News, detailed the findings of their investigation. The analysis was prompted by an unusual surge in ransomware victims from South Korea observed in September 2025. During this period, South Korea became the second most affected country by ransomware attacks, with 25 reported cases, a significant increase from the average of approximately two victims per month observed between September 2024 and August 2025. Further investigation revealed that all 25 of these cases were exclusively attributed to the Qilin ransomware group, with a striking 24 victims operating within the financial sector.
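The baseline comparison described above, as an added illustration that is not code from Bitdefender's report: constructed data-leak-site (DLS) victim records are grouped per country and month, a month is flagged when its count exceeds the prior twelve-month mean by a z-score threshold, and the flagged month is broken down by ransomware group and victim sector. All records, group names other than Qilin, and counts are constructed to mirror the article's figures.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed DLS victim posts, one tuple per post:
# (year-month, victim country, ransomware group, victim sector).
# Counts mirror the article's figures; the records themselves are made up.
BASELINE_MONTHS = ["2024-09", "2024-10", "2024-11", "2024-12", "2025-01", "2025-02",
                   "2025-03", "2025-04", "2025-05", "2025-06", "2025-07", "2025-08"]
BASELINE_COUNTS = [2, 1, 3, 2, 2, 1, 2, 3, 2, 1, 2, 3]   # about two KR victims a month

def build_sample_posts():
    posts = []
    groups = ["GroupA", "GroupB", "GroupC", "Qilin"]   # placeholder group names
    for month, n in zip(BASELINE_MONTHS, BASELINE_COUNTS):
        for i in range(n):
            posts.append((month, "KR", groups[i % len(groups)], "manufacturing"))
    # September 2025: 25 KR posts, all Qilin, 24 of them in the financial sector
    posts += [("2025-09", "KR", "Qilin", "financial")] * 24
    posts.append(("2025-09", "KR", "Qilin", "manufacturing"))
    # Posts from another country, so the country filter actually matters
    posts += [("2025-09", "US", "GroupA", "healthcare")] * 5
    return posts

def monthly_counts(posts, country):
    """Count DLS posts per month for one victim country."""
    return Counter(month for month, c, _, _ in posts if c == country)

def flag_spikes(counts, baseline_months, z=3.0):
    """Return (month, count, threshold) for non-baseline months above mean + z*stdev."""
    baseline = [counts.get(m, 0) for m in baseline_months]
    threshold = mean(baseline) + z * pstdev(baseline)
    return [(m, n, round(threshold, 2)) for m, n in sorted(counts.items())
            if m not in baseline_months and n > threshold]

def attribution_breakdown(posts, country, month):
    """Which groups claimed the victims in a flagged month, and which sectors were hit."""
    hits = [p for p in posts if p[1] == country and p[0] == month]
    return Counter(g for _, _, g, _ in hits), Counter(s for _, _, _, s in hits)

if __name__ == "__main__":
    posts = build_sample_posts()
    counts = monthly_counts(posts, "KR")
    for month, n, threshold in flag_spikes(counts, BASELINE_MONTHS):
        groups, sectors = attribution_breakdown(posts, "KR", month)
        print(f"{month}: {n} posts (threshold {threshold}) "
              f"groups={dict(groups)} sectors={dict(sectors)}")
```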
Qilin Ransomware and “Korean Leaks” Operation
Qilin has emerged as a prominent threat actor in 2025, experiencing what cybersecurity researchers describe as “explosive growth,” particularly in October 2025, when the RaaS group claimed over 180 victims. Data from NCC Group indicates that Qilin is responsible for approximately 29% of all ransomware attacks globally. While the origins of the Qilin operation are believed to be Russian, the group characterizes itself as “political activists” and “patriots of the country.” They operate under a traditional affiliate model, recruiting various hackers to carry out attacks in exchange for a commission of up to 20% of any illicit payments made.
A notable affiliate in this ecosystem is a North Korean threat actor tracked by researchers as Moonstone Sleet. Microsoft has previously documented Moonstone Sleet’s deployment of a custom ransomware variant named FakePenny in an attack targeting an unnamed South Korean defense technology company in April 2024. A significant strategic shift was observed in February of the current year, when this adversary began delivering Qilin ransomware to a limited number of organizations. While it remains unconfirmed whether these recent attacks were directly executed by Moonstone Sleet, the targeting of South Korean businesses aligns with the known strategic objectives of North Korean state-sponsored cyber operations.
Tactics, Techniques, and Procedures
The “Korean Leaks” campaign unfolded in three distinct publication waves, resulting in the exfiltration of over one million files, totaling approximately 2 terabytes of data, from 28 distinct victims. Bitdefender noted that victim posts associated with four other entities were subsequently removed from the data leak site (DLS), suggesting potential resolutions through ransom negotiations or adherence to an internal policy.
The three publication waves were structured as follows: Wave 1, published on September 14, 2025, comprised 10 victims from the financial management sector. Wave 2, released between September 17 and 19, 2025, included nine victims. The third and final wave, published from September 28 to October 4, 2025, also consisted of nine victims.
An unconventional aspect of these leaks was the attackers’ departure from standard extortion tactics. Instead, there was a pronounced emphasis on propaganda and political messaging. Bitdefender observed that the initial wave was framed as a public-service initiative to expose systemic corruption, with threats to release files that could serve as “evidence of stock market manipulation” and name “well-known politicians and businessmen in Korea.”
Subsequent waves escalated these threats, suggesting that the release of stolen data could pose severe risks to the Korean financial market. The actors also explicitly called upon South Korean authorities to investigate the matter, citing the nation’s stringent data protection laws. During the third wave, a noticeable shift in messaging occurred. Although the campaign initially maintained the theme of a potential national financial crisis stemming from data exposure, it eventually transitioned to language that more closely resembled Qilin’s typical financially motivated extortion messages.
Given that Qilin advertises an “in-house team of journalists” to assist its affiliates with drafting blog posts and facilitating negotiations, it is assessed that the core members of the Qilin operation were likely responsible for the content published on the DLS. However, Bitdefender clarified that although these core operators controlled the final draft, this does not preclude the affiliate from having significant input on the key messaging and overall direction of the content. The phraseology in the posts contained several of the core operator’s characteristic grammatical inconsistencies.
Supply Chain Compromise and Mitigation Strategies
The execution of these attacks was facilitated by a single upstream Managed Service Provider (MSP) that was breached. This compromise granted the Qilin affiliate access to multiple victims simultaneously. On September 23, 2025, the Korea JoongAng Daily reported that over 20 asset management companies in the country were infected with ransomware following the compromise of GJTec, an MSP.
To counter such sophisticated supply chain attacks, organizations are urged to implement robust cybersecurity measures. These include enforcing Multi-Factor Authentication (MFA) across all systems, adhering to the Principle of Least Privilege (PoLP) to restrict user access, segmenting critical systems and sensitive data to limit lateral movement, and proactively taking steps to reduce the overall attack surface.
The MSP compromise that served as the entry point for the “Korean Leaks” operation underscores a significant vulnerability in current cybersecurity strategies. Bitdefender highlighted that exploiting a vendor, contractor, or MSP with established access to multiple businesses presents a more prevalent and effective route for RaaS groups seeking to compromise numerous victims in a clustered manner.
The ongoing threat posed by sophisticated ransomware operations like Qilin, especially when coupled with state-sponsored actor involvement and the exploitation of supply chain vulnerabilities, necessitates continuous vigilance and adaptation of defensive strategies. The focus on MSPs as a critical pivot point for attacks indicates a trend that organizations must anticipate and address to prevent widespread data breaches and financial disruption.