The Pale Deceiver: Moonstone Sleet

Threat Intelligence Tarot

Vol. II · 95

North Korea (RGB)

★★★★★

risk 3/5

✦ The Pale Deceiver ✦

Moonstone Sleet

Storm-1789

DefenseAerospaceEducationIT sectorCryptocurrency

Active since ~2023 · Revenue generation, Espionage, Defense IP theft

The Pale Deceiver builds entire companies to approach its targets, staffing them with ghosts and directing them toward aerospace and defense. Its most innovative weapon is not malware but identity, worn like a suit.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1204.002

Malicious File

Execution

T1059.001

PowerShell

Execution

T1553.002

Code Signing

Defense Evasion

T1486

Data Encrypted for Impact

Impact

T1036

Masquerading

Defense Evasion

T1105

Ingress Tool Transfer

Command and Control

Notable Operations

◆FakePenny ransomware deployment against defense and aerospace targets
◆Fake IT companies (StarC, DeTankZone) used as cover for social engineering
◆Trojanized PuTTY and tank game used as malware delivery vehicles
◆IT worker infiltration scheme placing North Koreans at Western tech firms

Defenses

▸
Enhanced background verification for all remote IT contractors
NIST CSF: PR.AT ↗
▸
Code signing certificate validation and revocation monitoring
CIS Control 10 ↗
▸
Allowlisting of approved software preventing unsigned executable execution
CIS Control 10 ↗
▸
Insider threat program monitoring unusual data access patterns
NIST CSF: DE.CM ↗

Reversed: Their Weakness

Background screening processes and identity verification for remote contractors expose the hollow companies behind its infiltration scheme. Code signing certificate validation removes its masquerading cover.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Jade Thief Next →The Gate Merchant

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.