Qilin Ransomware 'Korean Leaks' Campaign Compromises 28 South Korean Victims

These articles are AI-generated summaries. Please check the original sources for full details.

Qilin Ransomware ‘Korean Leaks’ Data Heist

The Qilin ransomware group orchestrated a supply chain attack targeting South Korean organizations, culminating in the “Korean Leaks” data heist, which impacted 28 victims and exfiltrated 2TB of data. This operation leveraged a compromised Managed Service Provider (MSP) as the initial access vector, demonstrating a shift toward targeting clustered victims through vendor exploitation.

Why This Matters

Traditional security models often focus on perimeter defense, but increasingly sophisticated attacks like this one exploit trusted relationships with third-party vendors. MSP compromises represent a high-impact failure point, as a single breach can cascade into widespread damage, costing organizations significant financial losses and reputational harm. The 2TB exfiltration in this case represents a substantial data breach.

Key Insights

  • Qilin ransomware growth: The Qilin RaaS crew saw “explosive growth” in October 2025, claiming over 180 victims.
  • MSP as attack vector: Exploiting MSPs allows attackers to access multiple downstream targets simultaneously.
  • Moonstone Sleet affiliate: North Korean state-sponsored actor Moonstone Sleet has been linked to Qilin ransomware deployment.

Practical Applications

  • Use Case: Financial institutions in South Korea were heavily targeted in this campaign, highlighting the sector’s vulnerability to supply chain attacks.
  • Pitfall: Relying solely on perimeter security without robust vendor risk management can leave organizations exposed to attacks originating through trusted third parties.
