
Infamous North Korean hacking group divides in order to conquer

Labyrinth Chollima has evolved into three “distinct adversaries”, according to new CrowdStrike research.

Fri, 30 Jan 2026

Security researchers have observed an alarming evolution among nation-state hackers backed by the Democratic People's Republic of Korea.

CrowdStrike this week shared its observations of the LABYRINTH CHOLLIMA hacking collective, which itself operates under the wider umbrella of the Lazarus Group, noting that it had effectively split into three distinct entities, each with different tooling, tactics, and targets.

LABYRINTH CHOLLIMA has been responsible for some of North Korea’s most notable cyber-crime efforts, including the WannaCry ransomware campaign, the Sony Pictures hack, and numerous campaigns targeting entities in the United States and South Korea.

 
 

“CrowdStrike Intelligence assesses that three distinct, highly specialised operational sub-groups have emerged since 2018, each with specialised malware, objectives, and tradecraft. This assessment reflects a comprehensive re-evaluation of historical data and a deliberate challenge to our previous LABYRINTH CHOLLIMA attribution framework,” CrowdStrike said in a January 29 blog post.

“We now track these subgroups as GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and the core LABYRINTH CHOLLIMA group. Effective intelligence demands we constantly reassess established assumptions, relentlessly pursuing an objective, actionable depiction of the threat landscape.”

Know your enemy

LABYRINTH CHOLLIMA is largely focused on intelligence collection, according to CrowdStrike, while GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus instead on cryptocurrency theft.

LABYRINTH CHOLLIMA’s targets are commonly in the defence and logistics sectors, as well as military and government entities, with a focus on the US, Europe, and South Korea.

GOLDEN CHOLLIMA, however, tends to target smaller fintech firms in the US, Canada, India, South Korea, and Western Europe, while PRESSURE CHOLLIMA goes after centralised crypto exchanges and technology companies in the US, Europe, East Asia, and India.

“GOLDEN CHOLLIMA’s recent operations demonstrate cloud-focused tradecraft. In late 2024, the adversary delivered malicious Python packages via recruitment fraud to a European fintech company,” CrowdStrike said.

“They pivoted to the victim’s cloud environment to access IAM configurations and associated cloud resources, and ultimately managed to divert the victim’s cryptocurrency to adversary-controlled wallets.”

PRESSURE CHOLLIMA, on the other hand, is focused on larger paydays via high-profile targets. The group “deploys sophisticated, low-prevalence implants and has evolved into one of the DPRK’s most technically advanced adversaries”.

CrowdStrike traces the divergence of the three groups back to the period between 2018 and 2020, when experts in intelligence gathering and blockchain malware likely split into separate units.

The parent group, LABYRINTH CHOLLIMA, now focuses on initial access vectors such as malicious WhatsApp messages and employment-themed social engineering attacks, often targeting specific industries and roles.

“These three adversaries remain fundamentally interconnected through shared tactical DNA and collaborative infrastructure,” CrowdStrike said.

“The cross-pollination of tools such as FudModule in GOLDEN CHOLLIMA and LABYRINTH CHOLLIMA operations, combined with malware families’ code similarities among these adversaries, demonstrates how these adversaries continue to operate as components of a unified strategic apparatus despite their distinct mission sets.”

You can read more of CrowdStrike’s research here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
