Korean Leaks Supply Chain Attack Hits Financial Sector, 2 TB Data Stolen.

The "Korean Leaks" campaign has emerged as one of the most sophisticated supply chain attacks in recent memory, primarily targeting South Korea’s financial sector.

Qilin Ransomware and North Korean Involvement

This operation combined the capabilities of the Qilin Ransomware-as-a-Service (RaaS) group with possible involvement from the North Korean state-affiliated actor tracked as Moonstone Sleet. The attackers used a compromised Managed Service Provider (MSP) as their initial access vector, which let them breach multiple client organizations through a single point of entry.

In September 2025, South Korea saw an unusual spike in ransomware activity, suddenly becoming the second most targeted country with 25 victims claimed in one month. This spike was attributed almost exclusively to Qilin, which focused heavily on asset management firms within the financial services sector.

Bitdefender security researchers noted that Qilin operates like a gig economy, where core operators handle infrastructure and software for a 15% to 20% cut, while affiliates execute the actual hacking for the majority of the profits.

The most concerning element of the campaign is the reported early 2025 partnership between Qilin and Moonstone Sleet, a group tied directly to North Korea. This collaboration blurs the lines between traditional cybercrime and state sponsored espionage.

Attack Waves and Vector

The attackers rolled out their campaign in three distinct waves. The first wave, on September 14, 2025, listed ten victims and framed the attacks as a public-service effort to expose systemic corruption. The second wave escalated to threats against the entire Korean stock market, and the third wave listed nine additional victims before the messaging reverted to standard extortion demands.

Root cause analysis confirmed the tight clustering of victims within a single financial niche. Press reports on September 23, 2025, verified that over 20 asset management firms were compromised after their servers were hacked through a common domestic IT service provider. This MSP compromise granted the attackers simultaneous access to multiple client networks, explaining the precision and speed of the attack waves.

Documented cases confirm the theft of over 1 million files and 2 TB of data from the 33 total victims. The defensive recommendations follow directly from the vector: multi-factor authentication on every remote and provider-managed access path, network segmentation so that one MSP foothold cannot reach every client environment, and EDR/XDR/MDR coverage to minimize adversary dwell time once access is gained.
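The distinguishing signal of an MSP compromise like this one is a single provider credential reaching many otherwise unrelated client networks in a short window. The following detection is an added example written for this page, not code from the article or from any vendor named in it; it assumes a hypothetical authentication log in the form "timestamp account source_ip client_tenant" and uses constructed sample records and made-up account and tenant names. It flags any account that authenticates to three or more distinct client tenants inside a one-hour sliding window, which is what fan-out from a shared provider account looks like in practice.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Format assumed for this
# example: "<ISO timestamp> <account> <source_ip> <client_tenant>".
SAMPLE_AUTH_LOG = """\
2025-09-13T01:02:11 svc-msp-remote 203.0.113.7 asset-mgmt-a
2025-09-13T01:05:40 svc-msp-remote 203.0.113.7 asset-mgmt-b
2025-09-13T01:09:03 svc-msp-remote 203.0.113.7 asset-mgmt-c
2025-09-13T01:14:27 svc-msp-remote 203.0.113.7 asset-mgmt-d
2025-09-13T01:18:55 svc-msp-remote 203.0.113.7 asset-mgmt-e
2025-09-13T08:30:00 jkim-admin 198.51.100.4 asset-mgmt-a
2025-09-13T14:12:00 jkim-admin 198.51.100.4 asset-mgmt-a
2025-09-13T15:40:00 svc-msp-remote 203.0.113.7 asset-mgmt-a
2025-09-14T09:05:00 ops-backup 192.0.2.9 asset-mgmt-b
"""


def parse_auth_log(text):
    """Parse the hypothetical log format into (timestamp, account, src, tenant) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, src, tenant = line.split()
        events.append((datetime.fromisoformat(ts), account, src, tenant))
    return events


def provider_fanout(events, window=timedelta(hours=1), min_tenants=3):
    """Return {account: sorted list of tenants} for every account that reached
    at least `min_tenants` distinct client tenants within any sliding window of
    length `window`. Accounts that stay inside one or two tenants are ignored."""
    by_account = defaultdict(list)
    for ts, account, _src, tenant in events:
        by_account[account].append((ts, tenant))

    flagged = defaultdict(set)
    for account, recs in by_account.items():
        recs.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            tenants = {t for _, t in recs[start:end + 1]}
            if len(tenants) >= min_tenants:
                flagged[account].update(tenants)

    return {acct: sorted(tenants) for acct, tenants in flagged.items()}


def detect(text):
    """Convenience wrapper: parse the log text and return flagged accounts."""
    return provider_fanout(parse_auth_log(text))


if __name__ == "__main__":
    for account, tenants in detect(SAMPLE_AUTH_LOG).items():
        print(f"{account}: reached {len(tenants)} tenants in one window -> {tenants}")
```

In the constructed sample, the service account sweeps five client tenants in under twenty minutes and is flagged, while the two single-tenant administrators are not; the later, isolated return of the same account to one tenant falls outside the window and does not change the verdict. Tune `window` and `min_tenants` to the provider's legitimate maintenance pattern, and treat a hit as a trigger to check whether the provider credential is protected by MFA and whether the tenants it touched are actually segmented from one another.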

