CrowdStrike Reports DPRK Labyrinth Chollima Split into Golden and Pressure Chollima Crypto-Theft Units
CrowdStrike reported that the long-running DPRK-linked activity it tracks as Labyrinth Chollima has diverged into three distinct operations, with two offshoots—Golden Chollima and Pressure Chollima—focused on cryptocurrency theft while the remaining Labyrinth Chollima activity concentrates on espionage. The split reflects increasing specialization: Labyrinth Chollima is described as targeting sectors including manufacturing, logistics, defense, and aerospace, while the crypto-focused units are assessed as generating revenue that supports the North Korean regime and, in part, its cyber operations.
CrowdStrike tied Golden Chollima to sustained, lower-value theft operations against cryptocurrency/fintech targets and described a tooling lineage that includes Jeus (and macOS AppleJeus) and overlaps with components such as PipeDown, DevobRAT, HTTPHelper, and Anycon, alongside more recent cloud-focused tradecraft (e.g., recruitment-fraud delivery of malicious Python packages leading to cloud IAM/resource access and crypto diversion). Pressure Chollima was characterized as pursuing high-payout opportunities globally and was linked in public reporting to record-setting cryptocurrency thefts (including a cited $1.46B heist), with CrowdStrike assessing it as among the DPRK’s more technically advanced crypto-theft operators; despite specialization, the groups reportedly retain shared lineage (including ties to the broader Lazarus Group construct) and exhibit some shared tools/infrastructure suggesting centralized coordination.
Sources
Related Stories
North Korea’s Chollima Threat Actors Evolve and Expand Targeting
Reporting highlighted multiple, **unrelated** threat developments rather than a single cohesive incident. One thread focused on North Korea-linked **Chollima** activity: a targeted spear-phishing operation attributed to **Ricochet Chollima** used Dropbox-hosted lures to deliver archives containing weaponized Windows shortcut (`.LNK`) files, with tradecraft designed to evade detection (including multi-stage execution and fileless, memory-resident behavior). Separately, a CrowdStrike-based report described a strategic reorganization of **LABYRINTH CHOLLIMA** into three operational groupings—**GOLDEN CHOLLIMA** (smaller, steady revenue theft), **PRESSURE CHOLLIMA** (high-payout crypto heists), and a core **espionage** unit—while retaining shared malware “DNA” via frameworks such as **KorDLL** and **Hawup**, indicating continued coordination across DPRK cyber operations. Other items covered distinct, non-DPRK activity and should not be conflated with the Chollima reporting. One article described **infostealer campaigns expanding to macOS**, including Python-based cross-platform stealers and macOS families such as **Atomic macOS Stealer (AMOS)**, using malvertising, fake installers/DMGs, and trusted platforms to harvest credentials, cookies, keychain data, crypto wallets, and developer secrets. Another described a **fake Dropbox phishing** campaign using PDF-based staging (including obfuscation techniques like `FlateDecode` and `AcroForm` objects) hosted on legitimate infrastructure (e.g., Vercel Blob storage) to redirect victims to a counterfeit login page and exfiltrate credentials via **Telegram**—a separate credential-harvesting operation not tied to the Chollima APT reporting.
1 months agoNorth Korean State-Backed Crypto Theft and Infrastructure Operations
North Korean state-sponsored threat actors, including the Lazarus Group and Kimsuky, have been responsible for a dramatic surge in global cryptocurrency theft in 2025, stealing at least $2.02 billion—over half of the total $3.4 billion stolen worldwide. The February compromise of the Bybit cryptocurrency exchange accounted for $1.5 billion of these losses, with the attack attributed to the TraderTraitor cluster, and further links established through malware infrastructure analysis. Lazarus Group, affiliated with North Korea's Reconnaissance General Bureau, has also been implicated in the theft of $36 million from Upbit and is estimated to have stolen over $6.75 billion cumulatively through a series of high-profile heists and campaigns. Recent collaborative research by Hunt.io and the Acronis Threat Research Unit has uncovered new operational infrastructure used by both Lazarus and Kimsuky across global campaigns. The investigation revealed active tool-staging servers, credential theft environments, and tunneling nodes, highlighting the interconnected nature of DPRK cyber operations. Despite evolving malware and tactics, these groups consistently reuse infrastructure, making their activities traceable across campaigns. The findings provide defenders with actionable intelligence on the infrastructure patterns and operational habits of North Korean threat actors, supporting efforts to detect and disrupt ongoing and future attacks.
2 months ago
North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted **North Korea-linked cyber activity** spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a **fake LinkedIn job interview** attributed to **Lazarus** tradecraft (tagged *BeaverTail* / *Contagious Interview*), indicating continued use of recruiter-style lures and developer tooling themes (e.g., *VSCode*) to gain execution on target systems. Separately, eSentire published technical analysis on the **DEV#POPPER remote access trojan** and associated **OmniStealer** activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class. Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s *Cloud Threat Horizons Report H1 2026* discussed cloud-focused threat activity and tracked DPRK-linked clusters (including **UNC4899** and **UNC5267**), while Logpresso published an OSINT report on **DPRK remote IT worker** infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of **North Korea’s software export ecosystem**, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.
5 days ago