Recent analysis shows the campaign was not only a sophisticated supply chain attack, but also a hacktivist geopolitical show of force.
From late August through early October 2025, a double-extortion ransomware campaign against South Korea’s financial sector unfolded.
Attackers exploited a supply chain compromise of a domestic Managed Service Provider (MSP), identified as GJTec, which held privileged remote access to servers of over 20 asset management firms.
Threat analyses have identified Qilin, a prominent Ransomware-as-a-Service (RaaS) group with likely Russian origins, as the mastermind of the public-facing extortion. However, there is more than meets the eye, according to one cybersecurity firm.
Campaign phases
The operation launched with a precursor post on 20 August against a construction firm, featuring overt North Korean rhetoric referencing “Comrade Kim Jong-un”. The main campaign of data leaks was then rolled out in three waves:
- Wave 1 (Sept 14): 10 financial victims released simultaneously, framed as exposing “stock market manipulation” and “fraudster networks”, urging Korean enforcement and journalists to investigate
- Wave 2 (Sept 17–19): Nine victims with escalated threats of a national stock market crash, citing South Korea’s strict data laws to pressure regulators
- Wave 3 (Sept 28–Oct 4): Nine victims shifting to standard per-company extortion; four posts unusually removed, suggesting paid ransoms or policy shifts
Proof-of-breach photos numbered nearly 300 across leaks, though most lacked size metrics.
Operating like a gig economy platform, Qilin’s core team supplies malware, branding, and infrastructure — taking 15–20% cuts — while anonymous affiliates perform the hacking for the bulk of profits. A key affiliate here was Moonstone Sleet, a North Korean state-linked group previously noted for espionage. Their involvement, starting early 2025 experiments with Qilin, fused cybercrime profitability with geopolitical disruption, targeting South Korea amid heightened tensions.
This single point of failure enabled rapid, scalable intrusions, resulting in ransomware deployment across at least 28 organizations, primarily in financial services. Exfiltrators stole over 1 million files and 2TB of sensitive data, including client records and market documents, which were published on Qilin’s Dedicated Leak Site as double-extortion leverage.
Analysis and implications
Analysts from Bitdefender have since published research into the campaign, examining its links to both North Korea and Russia:
- Campaign attack messaging had deviated from typical RaaS norms, blending financial demands with national propaganda — attacking South Korea’s economy writ large rather than isolated firms.
- Language patterns, including grammatical signatures, indicated Qilin operators had edited affiliate content for brand consistency.
- The MSP vector underscores prevalent supply chain risks, outpacing rarer software exploits.
The conclusion from the analysis highlights the critical risk posed by supply chain attacks through compromised MSPs, and emphasizes the necessity of layered, proactive cybersecurity defenses — as well as vigilance of system misconfigurations and underutilization of defensive measures — to effectively detect, contain, and prevent such large-scale breaches.