FakePenny
FakePenny is a custom ransomware family attributed by Microsoft to the North Korea-aligned threat actor Moonstone Sleet, formerly tracked as Storm-1789. Microsoft observed it deployed in April 2024 against an unnamed defense technology company the actor had previously compromised, with a reported ransom demand of $6.6 million in Bitcoin. The malware consists of a loader and an encryptor. Reporting describes Moonstone Sleet as pursuing both financial gain and cyberespionage, and FakePenny is characterized in that context as part of its activity against defense and aerospace-related organizations. Sectors targeted across the broader Moonstone Sleet campaigns include software/IT, education, and the defense industrial base, with specific reporting naming defense technology, drone technology, aircraft parts, and aerospace/defense organizations.
The broader intrusion activity associated with FakePenny relied heavily on social engineering and staged malware delivery. Microsoft reported Moonstone Sleet using fake companies and job opportunities, trojanized legitimate tools such as a modified PuTTY distributed in ZIP archives via LinkedIn, Telegram, and developer freelancing platforms, malicious npm packages delivered as technical skills assessments, and a malicious tank game called DeTankWar. These delivery chains were used to deploy custom loaders including SplitLoader and YouieLoad, support in-memory payload execution, conduct network and user discovery, collect browser data, and steal credentials including from LSASS before follow-on hands-on-keyboard activity and ransomware deployment. Microsoft also reported code and tradecraft overlap with Lazarus-linked tooling, including reuse of Comebacker code.
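The npm-based lure above is one of the delivery paths a defender can check cheaply: npm runs lifecycle scripts such as preinstall and postinstall automatically during installation, so a package handed over as a "coding assessment" can execute code the moment the candidate runs npm install. The following Python script is an added example, not code from Microsoft's reporting or from the actor: it audits a package.json for install-time hooks and flags commands matching a few heuristic patterns (remote download, eval, base64 decoding, inline node, piping to a shell). Both embedded manifests and the pattern list are constructed for illustration and are not published FakePenny or Moonstone Sleet indicators.

```python
"""Audit an npm package manifest for install-time lifecycle hooks.

Constructed example for this page. The manifests below are made up, and the
heuristic patterns are assumptions for illustration, not published IOCs.
"""
import json
import re

# npm executes these scripts automatically during `npm install`
# (unless --ignore-scripts is used), with no prompt to the user.
LIFECYCLE_HOOKS = (
    "preinstall", "install", "postinstall",
    "preprepare", "prepare", "postprepare",
)

# Assumed heuristics: behaviours a reviewer would want surfaced in a hook.
SUSPICIOUS = [
    (re.compile(r"\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b", re.I), "downloads remote content"),
    (re.compile(r"\beval\s*\(|new Function\s*\(", re.I), "evaluates dynamic code"),
    (re.compile(r"base64|\batob\s*\(", re.I), "decodes base64"),
    (re.compile(r"\bnode\s+-e\b", re.I), "runs inline node script"),
    (re.compile(r"\|\s*(sh|bash|powershell)\b", re.I), "pipes to a shell"),
]


def audit_manifest(manifest_text: str) -> list[dict]:
    """Return one finding per lifecycle hook present, with matched heuristics."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        reasons = [label for rx, label in SUSPICIOUS if rx.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "reasons": reasons})
    return findings


def risk_level(findings: list[dict]) -> str:
    """Collapse findings to a triage label."""
    if not findings:
        return "none"     # no install-time hooks at all
    if any(f["reasons"] for f in findings):
        return "high"     # hook present and it matches a suspicious behaviour
    return "review"       # hook present; read it before installing


# Constructed sample manifests (not real packages).
BENIGN = json.dumps({
    "name": "assessment-starter", "version": "1.0.0",
    "scripts": {"test": "jest", "build": "tsc"},
})

SUSPICIOUS_MANIFEST = json.dumps({
    "name": "assessment-starter", "version": "1.0.1",
    "scripts": {
        "test": "jest",
        # Decodes and evaluates a payload at install time: the shape of a loader.
        "postinstall": "node -e \"eval(Buffer.from(process.env.X,'base64').toString())\"",
    },
})

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS_MANIFEST)):
        findings = audit_manifest(text)
        print(f"{name}: risk={risk_level(findings)} findings={findings}")
```

Run it against the manifest of any unfamiliar package before installing, or install with --ignore-scripts and read the hooks first. The "review" outcome for a hook that matches nothing is deliberate: a legitimate native-module build step and a staged loader look the same until someone reads the command.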
Details stated directly in the reporting include the April 2024 deployment timeframe, the $6.6 million Bitcoin ransom demand, and that FakePenny’s ransom note closely resembles the note used by NotPetya, which is attributed to Seashell Blizzard. The reporting summarized here gives no file hashes, domains, or other atomic indicators for FakePenny; the ransom-note overlap and the delivery tradecraft described above are the main hunting leads. Public reporting also states that Moonstone Sleet previously dropped FakePenny before later being linked to use of Qilin ransomware, and multiple summaries describe FakePenny as part of North Korean ransomware activity blending espionage and financially motivated operations.
Groups observed using it
“…Moonstone Sleet using FakePenny ransomware for cyberespionage…”
Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.
In April 2024, Microsoft observed Moonstone Sleet delivering a new custom ransomware variant we have named FakePenny ... FakePenny includes a loader and an encryptor.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
“Moonstone Sleet typically approaches its targets through messaging platforms or by email... with a link to download the game included in the body of the message.”
Impact
1 technique
Evidence attached to this technique: “Operation Cronos… disrupted… LockBit ransomware group…”; “Akira and Black Basta exploited… driving widespread ransomware deployments.”; “Cl0p exploited vulnerabilities… attacking more than 60 organizations…”; “...the most prevalent variety of malware in this industry is Ransomware...”; “...Ransomware accounting for 51% of breaches...”
These excerpts concern other ransomware operations and industry-wide statistics, not FakePenny itself. They support only the generic ransomware impact technique (encrypting data for extortion), not any FakePenny-specific procedure.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A custom ransomware family previously deployed by the North Korean threat actor Moonstone Sleet.
FakePenny is a custom ransomware variant deployed by the North Korean threat actor Moonstone Sleet, used in targeted attacks against defense technology companies.
FakePenny is a ransomware variant attributed to North Korean threat actors, specifically designed to target aerospace and defense organizations.
Newly emerging ransomware family attributed in the article to Moonstone Sleet.