Security researchers reported a coordinated supply-chain attack that led to the deployment of Qilin ransomware against multiple firms in South Korea’s financial sector, with the Romanian firm Bitdefender providing an analysis of the campaign and its impact.
Qilin has been identified as one of the most active ransomware operations in 2025. Its claimed victim count grew rapidly in October, and other trackers placed the total in the hundreds: one report noted the group was claiming more than 180 victims, another placed the October surge above that level, and data from the NCC Group attributed about 29% of observed ransomware incidents to the group.
Bitdefender said it investigated after detecting an unusual spike in ransomware victims from South Korea in September 2025 and found 25 cases that month attributed to Qilin, 24 of them in the financial sector; attackers labelled the operation “Korean Leaks.”
Researchers noted potential ties between Qilin affiliates and a North Korean actor known as Moonstone Sleet; Microsoft has previously attributed a custom ransomware variant called FakePenny to that actor in a separate incident. The group operates a Ransomware-as-a-Service model that enlists affiliates to carry out attacks in exchange for a share of payments.
The campaign unfolded in three publication waves that, according to the analysis, resulted in the theft of more than 1 million files and roughly 2 TB of data from 28 victims; posts for four other entities were later removed from the attackers’ data leak site. Messaging across the waves mixed political and propagandistic claims about alleged corruption with more conventional, financially motivated extortion language.
Investigators said the immediate access vector was the compromise of a single managed service provider, which allowed the actor to reach multiple asset-management clients; a local news outlet reported that more than 20 management companies were affected after the compromise of GJTec. Analysts urged organizations to enforce multi-factor authentication, apply least-privilege access controls, segment critical systems and reduce attack surfaces, and noted that exploiting vendors and MSPs is an efficient route for clustered ransomware operations.