Qilin Ransomware Exploits South Korean MSP Breach in Korean Leaks Attack, Impacting 28 Financial Organizations
- Rescana

Executive Summary
Between August and October 2025, the Qilin ransomware group executed a large-scale, coordinated supply chain attack against South Korea’s financial sector, resulting in the compromise of at least 28 organizations, primarily asset management and financial services firms. The attackers leveraged a single domestic Managed Service Provider (MSP) as the initial access vector, enabling rapid, parallel deployment of ransomware across multiple victims. Over 1 million files and at least 2TB of sensitive data were exfiltrated and posted on Qilin’s dark web leak site as part of a double-extortion strategy. The campaign, dubbed “Korean Leaks,” was notable for its speed, sectoral focus, and the blending of criminal and geopolitical motives, with evidence suggesting the involvement of North Korean state-affiliated actors (Moonstone Sleet) as affiliates of the Qilin Ransomware-as-a-Service (RaaS) platform. The incident highlights critical vulnerabilities in third-party risk management and demonstrates the increasing convergence of financially motivated cybercrime and state-sponsored activity. All technical details, timelines, and attributions in this report are based on direct evidence from primary sources, with confidence levels and evidence quality assessed throughout. [Bitdefender: https://businessinsights.bitdefender.com/korean-leaks-campaign-targets-south-korean-financial-services-qilin-ransomware] [SecurityBrief Asia: https://securitybrief.asia/story/qilin-ransomware-targets-25-korean-finance-firms-in-cyber-surge] [The Hacker News: https://thehackernews.com/]
Technical Information
The “Korean Leaks” campaign represents a sophisticated supply chain attack, exploiting the trust and access privileges of a domestic MSP to compromise a cluster of South Korean financial organizations. The attack chain began with the compromise of the MSP, which provided IT management services to numerous asset management and financial services firms. This allowed the attackers to bypass individual perimeter defenses and deploy the Qilin ransomware payloads in a coordinated fashion.
Qilin operates as a Ransomware-as-a-Service (RaaS) platform, where core operators provide the malware, infrastructure, and branding, while affiliates—external contractors—conduct the intrusions and attacks. In this campaign, the affiliate group Moonstone Sleet, linked to North Korean state interests, reportedly participated, blending traditional cybercrime with state-sponsored espionage and disruption. This partnership enabled the attackers to pursue both financial gain and broader geopolitical objectives, such as destabilizing South Korea’s financial sector and leveraging reputational and regulatory pressure.
The technical attack sequence, mapped to the MITRE ATT&CK framework, is as follows:
Initial access was achieved via T1195: Supply Chain Compromise (https://attack.mitre.org/techniques/T1195/), exploiting the MSP’s privileged access to client environments. Post-compromise, the attackers likely used T1078: Valid Accounts to move laterally and maintain persistence within victim networks, leveraging legitimate credentials and management tools. The Qilin ransomware payload was then deployed, encrypting data for impact (T1486: Data Encrypted for Impact), and in some cases, inhibiting system recovery (T1490: Inhibit System Recovery) by deleting backups or shadow copies.
Prior to encryption, the attackers exfiltrated large volumes of sensitive data, including financial documents and client records, using techniques such as T1041: Exfiltration Over C2 Channel and T1657: Data Staged. The exfiltrated data was subsequently posted on Qilin’s private leak site on the dark web, serving as leverage in a double-extortion scheme. The attackers provided public proof of the breach by sharing nearly 300 photos of exfiltrated documents, although the full scope of each leak remains incompletely documented. In aggregate, over 1 million files and at least 2TB of data were confirmed stolen, with the true total likely higher due to incomplete reporting for many victims.
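The recovery-inhibition step above (T1490) is one of the few parts of this chain that leaves a loud, host-level signal before encryption starts, and the MSP angle adds a second signal: the same management account hitting several hosts in quick succession. The following is an added example, not code from the report or from any of the cited vendors. It runs a small set of T1490 command-line rules over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style, flattened to "host|user|parent|command") and then groups hits by account to surface one identity acting across multiple hosts. Host names, account names and the pipe-delimited format are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the report): process creations flattened
# to "host|user|parent_image|command_line". The svc-msp-rmm account stands in
# for a vendor's remote-management identity.
SAMPLE_EVENTS = [
    "FS01|CORP\\svc-msp-rmm|rmmagent.exe|vssadmin.exe delete shadows /all /quiet",
    "FS01|CORP\\svc-msp-rmm|rmmagent.exe|wmic.exe shadowcopy delete",
    "DC01|CORP\\svc-msp-rmm|cmd.exe|wbadmin.exe delete catalog -quiet",
    "DC01|CORP\\svc-msp-rmm|cmd.exe|bcdedit.exe /set {default} recoveryenabled no",
    "WS07|CORP\\alice|explorer.exe|vssadmin.exe list shadows",
    "WS07|CORP\\alice|explorer.exe|notepad.exe report.txt",
    "FS01|CORP\\backupsvc|backupagent.exe|wbadmin.exe start backup -backupTarget:E:",
]

# Command-line patterns commonly associated with T1490 (Inhibit System Recovery).
# Applied to a lower-cased, whitespace-normalised command line.
T1490_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
]


def parse_event(line):
    """Split one flattened event into its fields (assumed format, see above)."""
    host, user, parent, cmd = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "cmd": cmd}


def detect_t1490(events):
    """Return one finding per event whose command line matches a T1490 rule.

    Read-only commands such as 'vssadmin list shadows' or a legitimate
    'wbadmin start backup' do not match any rule and produce no finding.
    """
    findings = []
    for line in events:
        ev = parse_event(line)
        cmd = " ".join(ev["cmd"].lower().split())
        for name, pattern in T1490_RULES:
            if pattern.search(cmd):
                findings.append({**ev, "rule": name, "technique": "T1490"})
                break  # one finding per event is enough
    return findings


def coordinated_actors(findings, min_hosts=2):
    """Group T1490 findings by account and return accounts seen on >= min_hosts
    distinct hosts. A single identity inhibiting recovery on several machines
    is the pattern a shared management account would produce."""
    hosts_by_user = defaultdict(set)
    for f in findings:
        hosts_by_user[f["user"]].add(f["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    hits = detect_t1490(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:5} {h["user"]:18} {h["rule"]:30} {h["cmd"]}')
    print("accounts acting across hosts:", coordinated_actors(hits))
```

In a real deployment the same two functions would sit behind a SIEM query or an EDR custom rule rather than a list literal; the useful part is the second stage, which turns four individual host alerts into one account-centric case that can be handed to whoever owns the vendor relationship.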
The campaign unfolded in three distinct waves: the first wave on September 14, 2025, targeted 10 financial sector victims; the second wave between September 17 and 19 added 9 more; and the third wave from September 28 to October 4 compromised an additional 9 organizations. An unusual aspect of the campaign was the subsequent removal of several victim posts from the leak site, suggesting successful negotiations or internal policy changes among the attackers.
The attackers’ communications included both conventional ransom demands and political messaging, threatening the stability of South Korea’s financial sector and calling for investigations into alleged corruption. Early campaign posts referenced North Korean interests directly, but later messaging focused exclusively on South Korean firms, possibly reflecting shifting priorities among the criminal partners.
Attribution to Qilin is supported by technical artifacts, operational patterns, and public leak site activity. The involvement of Moonstone Sleet as an affiliate is based on industry reporting and public statements, with medium confidence due to the absence of direct technical artifacts in the public domain. The use of the MSP as the initial access vector is confirmed by multiple primary sources and industry press, with high confidence.
The campaign’s sectoral focus is highly unusual for ransomware operations, which have historically targeted Western financial institutions. The sudden spike in attacks on South Korean financial services highlights the global adaptability of RaaS operations and the critical importance of third-party risk management.
Affected Versions & Timeline
The attack did not exploit a specific software vulnerability or product version, but rather targeted organizations through their relationship with a single domestic MSP. All known victims were clients of this MSP, which managed IT infrastructure for asset management and financial services firms in South Korea.
The confirmed campaign timeline is as follows:
On August 20, 2025, pre-campaign messaging appeared on the Qilin leak site, referencing North Korean interests and targeting a construction industry victim. The first wave of financial sector victims was posted on September 14, 2025, with 10 organizations listed. The second wave occurred between September 17 and 19, 2025, adding 9 more victims. The third wave, from September 28 to October 4, 2025, compromised an additional 9 organizations. On October 22, 2025, a new financial services victim was posted with over 1TB of exfiltrated data, but this post was removed after one day, an unusual deviation from typical ransomware group behavior.
In total, 33 victims were claimed, with 28 currently public. The campaign’s rapid progression and clustering of victims within a narrow sectoral niche strongly indicate that the MSP compromise was the root cause, enabling simultaneous attacks across multiple organizations.
Threat Activity
The “Korean Leaks” campaign was characterized by its speed, scale, and sectoral focus. The attackers exploited the MSP’s privileged access to deploy the Qilin ransomware payloads across at least 28 organizations, primarily in the asset management and financial services sectors. The campaign’s double-extortion strategy involved both encrypting victim data and exfiltrating sensitive information for public release on the Qilin leak site.
The attackers’ communications combined financial extortion with political messaging, threatening the reputation and stability of South Korea’s financial sector and calling for regulatory and journalistic investigations. This approach amplified the pressure on victims and increased the potential impact of the campaign.
The involvement of Moonstone Sleet, a North Korean state-affiliated group, as a Qilin affiliate, introduced a geopolitical dimension to the attack, blurring the lines between financially motivated cybercrime and state-sponsored espionage or disruption. The campaign’s focus on South Korean financial institutions, rather than the more typical Western targets, represents a significant shift in ransomware targeting patterns.
The removal of several victim posts from the leak site suggests that some organizations may have negotiated with the attackers or that internal policy changes occurred within the Qilin operation. The lack of detailed data metrics for many victims complicates efforts to fully assess the scope of the data theft, but the confirmed exfiltration of over 1 million files and at least 2TB of data underscores the campaign’s severity.
Mitigation & Workarounds
Mitigation efforts should prioritize the following actions, ranked by severity:
Critical: Organizations using third-party MSP or IT service providers must immediately review and restrict the scope of privileged access granted to these vendors. Implement strict network segmentation, least-privilege access controls, and continuous monitoring of all third-party activity. Require MSPs to adhere to robust security standards, including multi-factor authentication, endpoint detection and response (EDR), and regular security audits.
High: Conduct a comprehensive review of all remote access mechanisms, including VPNs, RDP, and management consoles, to ensure they are secured with strong authentication and monitored for anomalous activity. Audit all privileged accounts and disable or rotate credentials that are no longer required or may have been exposed.
High: Ensure that all sensitive data is encrypted at rest and in transit, and that regular, tested backups are maintained offline or in immutable storage. Implement rapid incident response protocols to isolate affected systems and prevent lateral movement in the event of a compromise.
Medium: Provide targeted security awareness training for staff, emphasizing the risks associated with third-party vendors and the importance of reporting suspicious activity. Review and update incident response and business continuity plans to account for supply chain attacks and double-extortion ransomware scenarios.
Medium: Engage in regular tabletop exercises with MSPs and other critical vendors to test coordinated response capabilities and identify gaps in communication or escalation procedures.
Low: Monitor dark web and leak sites for evidence of data exposure related to your organization, and prepare public relations and regulatory response plans in advance.
These recommendations are based on the confirmed attack vector, campaign tactics, and sectoral focus observed in the “Korean Leaks” incident. Organizations should also consider engaging with national cybersecurity authorities and industry information sharing groups to stay informed of emerging threats and best practices.
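The Critical and first High items above (restrict the scope of vendor access, enforce MFA on vendor accounts, and disable or rotate privileged credentials that are no longer used) are the ones that can be turned into a repeatable review rather than a one-off audit. The following is an added example, not code from the report or from Rescana's platform. It runs that review over a constructed account inventory of the kind an identity provider export would give you; the account names, the segment labels, the contracted-scope set and the 30-day idle threshold are all assumptions made for the example.

```python
from datetime import date

# Constructed inventory (not from the report): each record is one account as an
# identity-provider export might present it. "segments" are the network zones
# the account can reach; "owner" says whether the MSP or the organization holds it.
ACCOUNTS = [
    {"name": "svc-msp-rmm", "owner": "msp", "privileged": True, "mfa": False,
     "last_login": date(2025, 10, 3), "segments": {"mgmt", "servers", "finance-data"}},
    {"name": "msp-helpdesk1", "owner": "msp", "privileged": False, "mfa": True,
     "last_login": date(2025, 10, 4), "segments": {"workstations"}},
    {"name": "msp-admin-old", "owner": "msp", "privileged": True, "mfa": True,
     "last_login": date(2025, 6, 1), "segments": {"mgmt"}},
    {"name": "corp-backup", "owner": "internal", "privileged": True, "mfa": True,
     "last_login": date(2025, 10, 4), "segments": {"servers", "backup-vault"}},
    {"name": "alice", "owner": "internal", "privileged": False, "mfa": True,
     "last_login": date(2025, 10, 4), "segments": {"workstations"}},
]

# Hypothetical policy values for the example: the MSP's contract covers only
# these segments, and any privileged account idle longer than MAX_IDLE_DAYS
# must be disabled or have its credentials rotated.
MSP_CONTRACTED_SEGMENTS = {"mgmt", "servers", "workstations"}
MAX_IDLE_DAYS = 30
REVIEW_DATE = date(2025, 10, 5)  # fixed "today" so the run is reproducible

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def review_accounts(accounts=ACCOUNTS, today=REVIEW_DATE,
                    msp_scope=MSP_CONTRACTED_SEGMENTS, max_idle_days=MAX_IDLE_DAYS):
    """Return (severity, account, reason) tuples, most severe first.

    Checks, in the order the report ranks them:
      critical - vendor account can reach segments outside its contracted scope
      critical - privileged vendor account without MFA
      high     - any privileged account idle longer than max_idle_days
    """
    findings = []
    for a in accounts:
        idle_days = (today - a["last_login"]).days
        if a["owner"] == "msp":
            excess = a["segments"] - msp_scope
            if excess:
                findings.append(("critical", a["name"],
                                 f"vendor account reaches segments outside contracted scope: {sorted(excess)}"))
            if a["privileged"] and not a["mfa"]:
                findings.append(("critical", a["name"],
                                 "privileged vendor account without MFA"))
        if a["privileged"] and idle_days > max_idle_days:
            findings.append(("high", a["name"],
                             f"privileged account idle for {idle_days} days; disable or rotate"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def accounts_to_disable(findings):
    """Names of accounts that the idle-credential rule says to disable or rotate."""
    return sorted({name for sev, name, reason in findings if "idle" in reason})


if __name__ == "__main__":
    for severity, name, reason in review_accounts():
        print(f"[{severity.upper():8}] {name:15} {reason}")
    print("disable/rotate:", accounts_to_disable(review_accounts()))
```

Running the review on a schedule, and diffing its output against the previous run, is what turns the Critical item from a one-time clean-up into continuous monitoring of third-party access: a vendor account that gains a new segment or loses MFA between two runs shows up as a new finding rather than waiting for the next annual audit.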
References
Bitdefender: https://businessinsights.bitdefender.com/korean-leaks-campaign-targets-south-korean-financial-services-qilin-ransomware
SecurityBrief Asia: https://securitybrief.asia/story/qilin-ransomware-targets-25-korean-finance-firms-in-cyber-surge
The Hacker News: https://thehackernews.com/
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors, including MSPs and IT service providers. Our platform enables continuous visibility into third-party security posture, supports automated risk assessments, and facilitates rapid response to supply chain threats. For questions or further information, contact us at ops@rescana.com.