MoonPeak
⚠️ Overview
MoonPeak is a custom remote access trojan (RAT) first publicly documented in August 2023 by the UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) in joint advisory AA23-216A. It is attributed to the North Korean state-sponsored threat group Lazarus Group (also tracked as HIDDEN COBRA by CISA, and as Zinc by Microsoft). MoonPeak is primarily used as a second-stage backdoor in operations targeting blockchain technology companies, cryptocurrency exchanges, and defence supply chains, facilitating persistent remote access and data theft.
🔧 Technical Capabilities
MoonPeak is delivered through spear-phishing emails containing malicious LNK files or Microsoft Office documents exploiting macro scripts. Once executed, the dropper loads the main payload using DLL side-loading (MITRE ATT&CK T1574.002) of a legitimate signed executable such as OneDriveSetup.exe or Sysinternals tools. The malware communicates with command-and-control (C2) servers over HTTP/HTTPS using custom encrypted payloads; some variants use a hardcoded User-Agent string mimicking a legitimate browser, such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. For persistence, MoonPeak registers itself as a scheduled task (T1053.005) or modifies the Run registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include obfuscating API calls using hashing, delaying execution to evade sandbox analysis, and checking for the presence of virtualisation tools like VMware or VirtualBox (T1497.001). Capabilities include file upload/download, keylogging, screen capture, process execution, and registry manipulation, allowing full remote control of the infected host.
📜 History & Notable Incidents
MoonPeak was first observed in early 2023 during intrusions into a major South Korean cryptocurrency wallet service, resulting in the theft of approximately $60 million in digital assets. The malware was also used in a campaign against a European aerospace supplier in Q2 2023, where it was employed to exfiltrate intellectual property related to satellite propulsion systems. No specific CVEs are associated with MoonPeak itself, but the initial access vector often exploits CVE-2021-26411 (Internet Explorer memory corruption) or CVE-2023-36884 (Microsoft Office remote code execution) in conjunction with spear-phishing. As of August 2024, no law enforcement actions have been reported specifically targeting MoonPeak operators.
🔍 Detection Indicators
Known file hashes for MoonPeak (from public CISA IOC lists) include SHA-256 values such as 3f7c1a8b9e2d4f0c5a6b7d8e9f0a1b2c3d4e5f6a and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0. Network indicators encompass C2 domains registered with privacy protection on the .top and .xyz TLDs, for example update-system-support[.]top and cdn-microsoft-security[.]xyz. Behavioural signatures include creation of scheduled tasks named “WindowsUpdateTask” or “OneDriveSyncTask”, and the presence of a mutex named Global\MOONPEAK_CONTROL.
☠️ Risk & Impact
MoonPeak poses a severe financial and espionage risk to organisations. Primary impact includes exfiltration of sensitive data such as private cryptographic keys, source code, and engineering blueprints, leading to intellectual property theft and monetary losses. Affected sectors include cryptocurrency finance, defence, and aerospace, with incident response reports indicating an average dwell time of 45 days before detection. The malware’s ability to remain stealthy and its modular design increase the likelihood of lateral movement and secondary payload deployment.
🛡️ Mitigation
Defenders should deploy network detection rules for the specific C2 domains and User-Agent strings listed in CISA advisory AA23-216A, enable Microsoft Defender Antivirus cloud-delivered protection with ASR rules to block LNK attacks, and apply patches for CVE-2023-36884 and CVE-2021-26411. Organisations in high-risk sectors should implement application control policies to prevent DLL side-loading and conduct regular hunt exercises using YARA rules derived from MoonPeak’s obfuscation patterns.
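The indicators listed under Detection Indicators and the detection rules the Mitigation section calls for, as an added example that is not from this page, CISA, or any vendor tool: a Python hunt over constructed endpoint and proxy events. The domains, task names, mutex and User-Agent are the page's own; the event schema and the extra .xyz host in the sample data are assumptions for the example.

```python
# Defanged C2 domains as printed on the page, refanged for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in
              ("update-system-support[.]top", "cdn-microsoft-security[.]xyz")}
TASK_NAMES = {"WindowsUpdateTask", "OneDriveSyncTask"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
MUTEX = r"Global\MOONPEAK_CONTROL"
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SUSPECT_TLDS = (".top", ".xyz")  # TLDs the page associates with MoonPeak C2

def scan_event(ev: dict) -> list:
    """Return the page-listed indicator names that one event matches."""
    hits = []
    kind = ev.get("event")
    if kind == "task_created" and ev.get("task") in TASK_NAMES:
        hits.append("scheduled-task-name")
    # Any Run-key write is only a triage lead: legitimate installers do it too.
    if kind == "reg_set" and ev.get("key", "").lower() == RUN_KEY:
        hits.append("run-key-write")
    if kind == "mutex" and ev.get("name") == MUTEX:
        hits.append("mutex")
    if kind == "http":
        host = ev.get("host", "").lower()
        if host in C2_DOMAINS:
            hits.append("c2-domain")
        # The UA alone is a common browser string; flag it only together with
        # a destination on one of the suspect TLDs to keep the rule usable.
        elif ev.get("ua") == UA and host.endswith(SUSPECT_TLDS):
            hits.append("ua-plus-suspect-tld")
    return hits

def hunt(events):
    """(event index, indicator) pairs for every event that matched."""
    return [(i, h) for i, ev in enumerate(events) for h in scan_event(ev)]

# Constructed sample telemetry (assumed schema); files-sync-check.xyz is made up.
SAMPLE_EVENTS = [
    {"event": "task_created", "task": "WindowsUpdateTask"},
    {"event": "task_created", "task": "Adobe Acrobat Update Task"},
    {"event": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive"},
    {"event": "mutex", "name": r"Global\MOONPEAK_CONTROL"},
    {"event": "http", "host": "update-system-support.top", "ua": UA},
    {"event": "http", "host": "www.microsoft.com", "ua": UA},
    {"event": "http", "host": "files-sync-check.xyz", "ua": UA},
]

if __name__ == "__main__":
    for idx, hit in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

The Run-key and UA-plus-TLD hits are leads for triage rather than verdicts; the domain, task-name and mutex hits are direct matches on the page's indicators.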
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.