North Korea’s Chollima Threat Actors Evolve and Expand Targeting
Reporting highlighted multiple, unrelated threat developments rather than a single cohesive incident. One thread focused on North Korea-linked Chollima activity: a targeted spear-phishing operation attributed to Ricochet Chollima used Dropbox-hosted lures to deliver archives containing weaponized Windows shortcut (.LNK) files, with tradecraft designed to evade detection (including multi-stage execution and fileless, memory-resident behavior). Separately, a CrowdStrike-based report described a strategic reorganization of LABYRINTH CHOLLIMA into three operational groupings—GOLDEN CHOLLIMA (smaller, steady revenue theft), PRESSURE CHOLLIMA (high-payout crypto heists), and a core espionage unit—while retaining shared malware “DNA” via frameworks such as KorDLL and Hawup, indicating continued coordination across DPRK cyber operations.
Other items covered distinct, non-DPRK activity and should not be conflated with the Chollima reporting. One article described infostealer campaigns expanding to macOS, including Python-based cross-platform stealers and macOS families such as Atomic macOS Stealer (AMOS), using malvertising, fake installers/DMGs, and trusted platforms to harvest credentials, cookies, keychain data, crypto wallets, and developer secrets. Another described a fake Dropbox phishing campaign using PDF-based staging (including obfuscation techniques like FlateDecode and AcroForm objects) hosted on legitimate infrastructure (e.g., Vercel Blob storage) to redirect victims to a counterfeit login page and exfiltrate credentials via Telegram—a separate credential-harvesting operation not tied to the Chollima APT reporting.
Related Stories

CrowdStrike Reports DPRK Labyrinth Chollima Split into Golden and Pressure Chollima Crypto-Theft Units
CrowdStrike reported that the long-running DPRK-linked activity it tracks as **Labyrinth Chollima** has diverged into three distinct operations, with two offshoots—**Golden Chollima** and **Pressure Chollima**—focused on cryptocurrency theft while the remaining Labyrinth Chollima activity concentrates on espionage. The split reflects increasing specialization: Labyrinth Chollima is described as targeting sectors including manufacturing, logistics, defense, and aerospace, while the crypto-focused units are assessed as generating revenue that supports the North Korean regime and, in part, its cyber operations. CrowdStrike tied **Golden Chollima** to sustained, lower-value theft operations against cryptocurrency/fintech targets and described a tooling lineage that includes **Jeus** (and macOS **AppleJeus**) and overlaps with components such as *PipeDown*, *DevobRAT*, *HTTPHelper*, and *Anycon*, alongside more recent cloud-focused tradecraft (e.g., recruitment-fraud delivery of malicious Python packages leading to cloud IAM/resource access and crypto diversion). **Pressure Chollima** was characterized as pursuing high-payout opportunities globally and was linked in public reporting to record-setting cryptocurrency thefts (including a cited **$1.46B** heist), with CrowdStrike assessing it as among the DPRK’s more technically advanced crypto-theft operators; despite specialization, the groups reportedly retain shared lineage (including ties to the broader *Lazarus Group* construct) and exhibit some shared tools/infrastructure suggesting centralized coordination.
1 month ago
North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted **North Korea-linked cyber activity** spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a **fake LinkedIn job interview** attributed to **Lazarus** tradecraft (tagged *BeaverTail* / *Contagious Interview*), indicating continued use of recruiter-style lures and developer tooling themes (e.g., *VSCode*) to gain execution on target systems. Separately, eSentire published technical analysis on the **DEV#POPPER remote access trojan** and associated **OmniStealer** activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class. Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s *Cloud Threat Horizons Report H1 2026* discussed cloud-focused threat activity and tracked DPRK-linked clusters (including **UNC4899** and **UNC5267**), while Logpresso published an OSINT report on **DPRK remote IT worker** infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of **North Korea’s software export ecosystem**, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.
5 days ago
North Korean Threat Actors Use AI-Enabled IT Worker Scams and Target Crypto Firms
Microsoft-linked reporting says **North Korean threat actors** are using **AI** to scale and refine long-running “fake IT worker” schemes, where operatives pose as legitimate remote hires to obtain *authorized* access inside victim organizations. The activity is attributed to DPRK-linked clusters **Jasper Sleet** and **Coral Sleet**, with AI used to improve identity fabrication and maintenance (including face/voice manipulation) and to sustain day-to-day communications that help keep fraudulent personas credible, enabling “sustained, large-scale misuse of legitimate access.” Separately, reporting on suspected DPRK-linked intrusions describes a coordinated campaign against **cryptocurrency organizations** spanning staking platforms, exchange software providers, and exchanges, with theft of **source code, private keys, and cloud secrets**. Investigators described two primary access paths: exploitation of `CVE-2025-55182` in the *React2Shell* framework (including mass scanning and WAF-bypass techniques) and the use of **pre-obtained valid AWS access tokens** to move directly into cloud enumeration; researchers also recovered artifacts from attacker infrastructure (e.g., shell history, archived code, and tool configurations) that provided visibility into post-compromise activity and C2 setup.
1 week ago