Qilin ransomware turns South Korean MSP breach into “Korean leak” data heist for 28 victims

Fyself News, November 26, 2025

South Korea’s financial sector has been targeted by what is described as an advanced supply chain attack that led to the deployment of Qilin ransomware.

“This operation combines the capabilities of Qilin, a leading Ransomware-as-a-Service (RaaS) group, with the potential involvement of North Korean state-affiliated actors (Moonstone Sleet), which utilized Managed Service Provider (MSP) compromises as an initial access vector,” Bitdefender said in a report shared with The Hacker News.

Qilin has emerged as one of the most active ransomware operations this year, with the RaaS group showing “explosive growth” and listing over 180 victims in October 2025. According to NCC Group data, the group is responsible for 29% of all ransomware attacks.

The Romanian cybersecurity company said it decided to investigate further after noticing an unusual spike in ransomware victims from South Korea in September 2025. That month South Korea became the second most affected country by ransomware after the United States, with 25 cases, a sharp increase from the average of about two cases per month recorded between September 2024 and August 2025.

Further analysis revealed that all 25 ransomware incidents were attributed to the Qilin ransomware group, and 24 of the victims were in the financial sector. The campaign was nicknamed “Korea Leaks” by the attackers themselves.


Although Qilin’s origins are likely Russian, the group describes itself as “political activists” and “patriots of the country.” It follows a traditional affiliate model, recruiting a diverse group of hackers to carry out attacks in exchange for a cut of up to 20% of the illicit payments.

One notable affiliate is the North Korean threat actor tracked as Moonstone Sleet. According to Microsoft, the actor introduced a custom ransomware variant called FakePenny in an attack that targeted an unnamed defense technology company in April 2024.

Then, in early February of this year, a notable shift occurred when Moonstone Sleet was observed delivering Qilin ransomware to a limited number of organizations. It is not clear whether the latest round of attacks was indeed carried out by this group, but the targeting of South Korean companies is consistent with its strategic goals.

Korea Leaks unfolded over three waves of publication and exposed over 1 million files and 2 TB of data from 28 victims. Bitdefender said victim posts associated with four other entities were removed from the data leak site (DLS), and that these posts may have been taken down either as a result of ransom negotiations or under the group’s own internal policies.

The three waves are:

Wave 1: 10 victims from the financial management sector, published on September 14, 2025
Wave 2: 9 victims, published from September 17 to 19, 2025
Wave 3: 9 victims, published from September 28 to October 4, 2025

What is unusual about these breaches is that they depart from the established tactic of pressuring the compromised organizations directly and instead rely heavily on propaganda and political language.

“The entire campaign was framed as a public service effort to expose systemic corruption, as exemplified by threats to release files that could be ‘evidence of stock market manipulation’ and the names of ‘prominent South Korean politicians and businessmen,’” Bitdefender said of the first wave of the campaign.

The threats subsequently escalated further, with the group warning that the data leaks could pose a serious risk to South Korea’s financial markets. The attackers also called on South Korean authorities to investigate the incident, citing the country’s strict data protection laws.

In the third wave, a further change in messaging was observed: the group initially continued the same theme of a national financial crisis triggered by disclosure of the stolen information, but then switched to language that “more closely resembles Qilin’s typical financial extortion messages.”

Core members of the group are believed to be behind the DLS posts, given that Qilin boasts an “in-house team of journalists” who help write affiliate blog posts and apply pressure during negotiations.


“The post contains several grammatical inconsistencies characteristic of core operators,” Bitdefender said. “However, this control over the final draft does not mean that its affiliates do not have a critical say in the key messages or overall direction of the content.”

To carry out these attacks, Qilin affiliates allegedly compromised a single upstream managed service provider (MSP) and used that access to compromise multiple victims at once. On September 23, 2025, the Korea JoongAng Ilbo reported that more than 20 domestic asset management companies were infected with ransomware due to the GJTec breach.

To mitigate these risks, it is imperative that organizations take proactive steps to enforce multi-factor authentication (MFA), apply the principle of least privilege (PoLP) to restrict access, segment critical systems and sensitive data, and reduce attack surfaces.

“The MSP breach that led to Operation KoreaLeaks highlights a significant blind spot in the cybersecurity debate,” Bitdefender said. “Exploiting vendors, contractors, or MSPs with access to other businesses is a more common and viable option for RaaS groups looking for clustered victims.”
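The fan-out Bitdefender describes, one upstream MSP credential used to reach many downstream customers at once, also leaves a footprint a defender can look for: a single remote-management account touching an unusual number of distinct customer tenants in a short window. The script below is an added example, not code from the article or from Bitdefender. The log format, the account and tenant names, the source addresses and the thresholds are all assumptions chosen for illustration, and the sample log lines are constructed rather than real telemetry.

```python
"""Fan-out detection for a shared MSP / vendor credential.

Added example, not code from the article or from Bitdefender. The log
format, account and tenant names, source addresses and thresholds are
all assumptions chosen for illustration; the sample lines below are
constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# How fast a single account touching many distinct customer tenants
# should be treated as suspicious. A human technician at an MSP rarely
# jumps across more than a handful of tenants within a few hours.
WINDOW = timedelta(hours=6)
MAX_TENANTS = 3

# Constructed sample of an RMM / remote-management audit log (assumed format):
# <ISO-8601 UTC timestamp> <account> tenant=<customer> src=<ip> action=<verb>
SAMPLE_LOG = """\
2025-09-13T21:58:02Z tech.kim tenant=asset-mgmt-01 src=198.51.100.20 action=console_login
2025-09-13T22:01:10Z msp-svc-rmm tenant=asset-mgmt-01 src=203.0.113.7 action=remote_exec
2025-09-13T22:04:31Z msp-svc-rmm tenant=asset-mgmt-02 src=203.0.113.7 action=remote_exec
2025-09-13T22:07:55Z msp-svc-rmm tenant=asset-mgmt-03 src=203.0.113.7 action=remote_exec
2025-09-13T22:11:12Z msp-svc-rmm tenant=asset-mgmt-04 src=203.0.113.7 action=remote_exec
2025-09-13T22:15:40Z msp-svc-rmm tenant=asset-mgmt-05 src=203.0.113.7 action=remote_exec
2025-09-14T09:30:00Z tech.kim tenant=asset-mgmt-02 src=198.51.100.20 action=console_login
2025-09-14T14:12:09Z tech.kim tenant=asset-mgmt-03 src=198.51.100.20 action=console_login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) tenant=(?P<tenant>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "account": m["account"], "tenant": m["tenant"],
            "src": m["src"], "action": m["action"]}


def detect_fanout(log_text, window=WINDOW, max_tenants=MAX_TENANTS):
    """Return {account: alert} for accounts that reach more than max_tenants
    distinct customer tenants inside any sliding window of length `window`.

    The alert keeps the widest tenant set seen for that account (the
    candidate blast radius), its time span and the source IPs involved.
    """
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            by_account[ev["account"]].append(ev)

    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the left edge forward until the window fits.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            tenants = {e["tenant"] for e in span}
            if len(tenants) <= max_tenants:
                continue
            current = alerts.get(account)
            if current is None or len(tenants) > len(current["tenants"]):
                alerts[account] = {
                    "first_seen": span[0]["ts"],
                    "last_seen": span[-1]["ts"],
                    "tenants": sorted(tenants),
                    "sources": sorted({e["src"] for e in span}),
                }
    return alerts


if __name__ == "__main__":
    for account, alert in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT {account}: {len(alert['tenants'])} tenants between "
              f"{alert['first_seen'].isoformat()} and {alert['last_seen'].isoformat()} "
              f"from {', '.join(alert['sources'])}")
```

In the constructed sample the human technician account visits three tenants over roughly sixteen hours and never trips the rule, while the shared service account reaches five tenants in under fifteen minutes from one source address, which is the pattern of a compromised upstream credential being used to hit clustered victims. The thresholds are starting points only; an MSP should baseline them per account and pair the rule with the per-tenant credentials, MFA and segmentation the article recommends, so that a single credential cannot reach every customer in the first place.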

