A sophisticated supply chain attack has targeted South Korea’s financial sector, resulting in the deployment of Qilin ransomware.
Bitdefender, in a report shared with The Hacker News, attributed the operation to the Qilin Ransomware-as-a-Service (RaaS) group, possibly working with the North Korean state-affiliated actor tracked as Moonstone Sleet. Initial access was obtained by compromising a Managed Service Provider (MSP).
Qilin has become one of the most prolific ransomware operations of 2025, listing more than 180 victims in October alone. NCC Group data attributes 29% of all recorded ransomware attacks to the group.
After a surge in ransomware incidents in South Korea in September 2025, Bitdefender examined the cases more closely and found that all 25 were linked to Qilin, with most of the victims in the financial sector. The attackers themselves dubbed the campaign "Korean Leaks."

Although Qilin is believed to be Russian in origin, the group portrays itself as "political activists" and "patriots." It runs an affiliate model, recruiting hackers who carry out the intrusions in exchange for a share of the ransom payments.
Moonstone Sleet, a North Korean threat actor, has a ransomware history of its own: in April 2024 it deployed a custom variant called FakePenny in an attack on a defense technology company.
In February 2025, Moonstone Sleet shifted to delivering Qilin ransomware to a limited number of organizations, in line with its strategic objective of targeting South Korean businesses.

The Korean Leaks operation unfolded in three waves, with more than 1 million files (about 2 TB of data) stolen from 28 victims. Bitdefender noted that posts for four of these entities were later removed from the data leak site (DLS), which may indicate ransom negotiations or the operators' internal policies.
The three waves included:
- Wave 1: 10 victims from the financial management sector, published on September 14, 2025
- Wave 2: Nine victims published between September 17 and 19, 2025
- Wave 3: Nine victims published between September 28 and October 4, 2025
Rather than the conventional approach of pressuring the compromised organizations directly, Korean Leaks leaned on propaganda and political messaging, framing the campaign as an effort to expose corruption within the Korean financial system.
Subsequent waves escalated, warning of risks to the financial market and urging the authorities to investigate, citing data protection laws.
By the third wave the messaging had shifted from a national-crisis narrative to the financially motivated extortion language typical of Qilin's posts.
The DLS text was likely produced by Qilin's "in-house team of journalists," with the core group retaining editorial control while incorporating the affiliate's input.

Bitdefender pointed to grammatical inconsistencies across the posts as evidence that a core member of the operation wrote the messaging, while the affiliate likely steered its overall direction.
The Qilin affiliate breached a single MSP, GJTec, and used that access to compromise many of its customers at once, resulting in ransomware infections at more than 20 asset management companies in South Korea.
To reduce exposure to this kind of attack, organizations should enforce Multi-Factor Authentication (MFA), apply the Principle of Least Privilege (PoLP) to vendor and administrative accounts, segment critical systems and data, and proactively reduce their attack surface.
Bitdefender stressed the importance of addressing vendor and MSP exposure, since a single compromised provider is a common route for RaaS groups to reach many victims at once.
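The two conditions that let one MSP breach fan out to 20-plus victims are a vendor credential that reaches several customer environments and remote logons that are not MFA-protected. The script below is an added example, not code from Bitdefender or from the article, that audits a constructed remote-logon log for both: it groups logons by vendor account and flags any account whose "blast radius" spans more than one tenant, and lists every vendor logon without MFA. The JSON log format, the `msp-` account-naming prefix, the tenant names and the sample records are all assumptions made for illustration.

```python
"""Audit remote-access logons from MSP/vendor accounts for the two conditions that
turn one provider compromise into many victims: a single credential reaching several
customer environments, and vendor logons that did not pass MFA.

Constructed example for this article. The log format, field names, account names and
tenants are assumptions, not artefacts from the Korean Leaks campaign."""

import json
from collections import defaultdict

# Constructed sample log: one JSON record per remote logon (not real data).
SAMPLE_LOG = """\
{"ts":"2025-09-12T01:03:11Z","account":"msp-svc-admin","tenant":"fund-a","host":"fs01","mfa":false,"source_ip":"203.0.113.10"}
{"ts":"2025-09-12T01:07:42Z","account":"msp-svc-admin","tenant":"fund-b","host":"dc01","mfa":false,"source_ip":"203.0.113.10"}
{"ts":"2025-09-12T01:09:05Z","account":"msp-svc-admin","tenant":"fund-c","host":"app02","mfa":false,"source_ip":"203.0.113.10"}
{"ts":"2025-09-12T02:15:00Z","account":"msp-tech-kim","tenant":"fund-a","host":"ws17","mfa":true,"source_ip":"198.51.100.7"}
{"ts":"2025-09-12T03:40:19Z","account":"fund-b-localadmin","tenant":"fund-b","host":"dc01","mfa":true,"source_ip":"10.20.0.5"}
{"ts":"2025-09-12T04:01:33Z","account":"msp-tech-kim","tenant":"fund-a","host":"ws18","mfa":false,"source_ip":"198.51.100.7"}
"""


def parse_log(text):
    """Parse newline-delimited JSON logon records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep auditing the rest rather than abort on one bad line
    return records


def blast_radius(records, prefix="msp-"):
    """Map each vendor account (identified by the assumed naming prefix) to the sorted
    list of distinct tenants it logged into. One account reaching many tenants is the
    pattern that lets a single MSP breach become a multi-victim incident."""
    reach = defaultdict(set)
    for r in records:
        if r["account"].startswith(prefix):
            reach[r["account"]].add(r["tenant"])
    return {acct: sorted(tenants) for acct, tenants in reach.items()}


def logons_without_mfa(records, prefix="msp-"):
    """Return every vendor logon whose record does not show MFA."""
    return [r for r in records if r["account"].startswith(prefix) and not r.get("mfa", False)]


def audit(text, max_tenants=1, prefix="msp-"):
    """Run both checks and return human-readable findings (empty list means clean)."""
    records = parse_log(text)
    findings = []
    for acct, tenants in blast_radius(records, prefix).items():
        if len(tenants) > max_tenants:
            findings.append(
                f"{acct}: reaches {len(tenants)} tenants {tenants}; "
                "scope the credential per customer (PoLP) and segment the tenants"
            )
    for r in logons_without_mfa(records, prefix):
        findings.append(f"{r['account']}: logon to {r['tenant']}/{r['host']} at {r['ts']} without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample data the audit reports one shared vendor credential (`msp-svc-admin`) reaching three tenants and four vendor logons without MFA; the per-tenant local admin account is ignored because it is not a vendor account. In a real environment the same checks would run over VPN, RMM or identity-provider logs, with the account-matching rule replaced by whatever identifies third-party access in that tenant.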