Overview
- Bitdefender’s analysis attributes the clustered intrusions to the Qilin RaaS and cites possible involvement by North Korea–linked Moonstone Sleet without firm state attribution.
- Attackers pivoted through a single upstream managed service provider to reach multiple targets, with local reporting identifying the compromised vendor as GJTec.
- The operation, branded “Korean Leaks,” published data in three waves from September 14 to October 4, affecting 28 victims and exposing over 1 million files totaling roughly 2 TB.
- Early leak notices framed the releases as exposing corruption and financial-market risk before shifting back to standard extortion language, and several victim posts were later removed from the leak site.
- Qilin’s activity has surged in 2025, with more than 180 claimed victims in October and about 29% of recent ransomware incidents attributed to the group, prompting calls for MFA, least-privilege controls, network segmentation and attack-surface reduction.