MalwareUsed by 1 actor

Swdownloader

SwDownloader is a malware implant associated with DPRK-linked activity, specifically assessed as an early malware used by PRESSURE CHOLLIMA during its divergence from LABYRINTH CHOLLIMA. The provided content states that this divergence likely began in early 2019, including an experimental SwDownloader deployment in February 2019. SwDownloader is described as having been quickly succeeded by SparkDownloader, which is also tracked publicly as TraderTraitor. Based on the content, SwDownloader is tied to the PRESSURE CHOLLIMA cluster, a North Korea-linked threat actor focused on high-impact cryptocurrency thefts against organizations with significant digital asset holdings and operating without geographic constraints. No additional high-confidence technical details, infection vector specifics, platform details, or indicators of compromise are directly provided for SwDownloader itself in the supplied content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Pressure Chollima

Divergence from Labyrinth Chollima likely began in early 2019 with Swdownloader, succeeded by Sparkdownloader (akaTradertraitor).

via polyswarmblog.polyswarm.io

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

crowdstrike blogNews

Jan 29, 2026

LABYRINTH CHOLLIMA Evolves into Three Adversaries | CrowdStrike

Experimental downloader/loader used early in PRESSURE CHOLLIMA operations before being replaced by SparkDownloader.

polyswarmNews

Feb 6, 2026

Labyrinth Chollima Expands Activity, Spawns Offshoots

A downloader/loader used by Pressure Chollima, described as an early divergence point in 2019 and predecessor to Sparkdownloader.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.