LABYRINTH CHOLLIMA Evolves into Three Adversaries

January 29, 2026

Threat Hunting & Intel
  • LABYRINTH CHOLLIMA has evolved into three distinct adversaries with specialized malware, objectives, and tradecraft: GOLDEN CHOLLIMA and PRESSURE CHOLLIMA now likely operate separately from the core LABYRINTH CHOLLIMA group.

  • GOLDEN CHOLLIMA and PRESSURE CHOLLIMA target cryptocurrency entities and are distinguished by the scale and scope of their operations; core LABYRINTH CHOLLIMA operations continue to focus on espionage, targeting industrial, logistics, and defense companies.

  • Despite operating independently, these three adversaries share tools and infrastructure, indicating centralized coordination and resource allocation within the DPRK cyber ecosystem.

LABYRINTH CHOLLIMA is among the most prolific DPRK-nexus adversaries that CrowdStrike Intelligence tracks and is responsible for some of North Korea’s most notable intrusions, including destructive attacks against South Korean and U.S. entities and the global WannaCry ransomware incident.

CrowdStrike Intelligence assesses that three distinct, highly specialized operational subgroups have emerged since 2018, each with specialized malware, objectives, and tradecraft. This assessment reflects a comprehensive re-evaluation of historical data and a deliberate challenge to our previous LABYRINTH CHOLLIMA attribution framework. We now track these subgroups as GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and the core LABYRINTH CHOLLIMA group. Effective intelligence demands that we constantly reassess established assumptions, relentlessly pursuing an objective, actionable depiction of the threat landscape.

LABYRINTH CHOLLIMA’s History and Evolution

LABYRINTH CHOLLIMA activity originates from the KorDLL malware framework (active 2009-2015), a source code repository containing implant templates, command-and-control (C2) protocols, libraries for common tasks, and code for various obfuscation techniques. This framework spawned several epoch-defining malware families, including Dozer, Brambul, Joanap, KorDLL Bot, and Koredos, and would evolve into the Hawup and TwoPence frameworks used by LABYRINTH CHOLLIMA and STARDUST CHOLLIMA, respectively.

Figure 1. KorDLL malware framework evolution

Three operational subgroups emerged from the Hawup framework between 2018 and 2020, each distinguished by sustained malware development paths, targeting patterns, and operational objectives (Figure 1). While infrastructure and tool sharing occurs, operational differences support tracking these groups as distinct adversaries rather than specialized groups under the LABYRINTH CHOLLIMA umbrella (Figure 2). The proliferation of these malware frameworks across the DPRK cyber ecosystem likely reflects coordination among the DPRK intelligence community or personnel as DPRK adversaries share successful TTPs and code elements.1

Figure 2. LABYRINTH CHOLLIMA successors

GOLDEN CHOLLIMA

GOLDEN CHOLLIMA targets economically developed regions with significant cryptocurrency and fintech presence, including the U.S., Canada, South Korea, India, and Western Europe. The adversary typically conducts smaller-value thefts at a more consistent operational tempo, suggesting responsibility for ensuring baseline revenue generation for the DPRK regime. 

The adversary’s malware originates with Jeus in 2018 (and its macOS variant, AppleJeus), which originally masqueraded as a cryptocurrency application purportedly developed by the fictitious company Celas Limited. CrowdStrike Intelligence has observed eight different Jeus and AppleJeus variants in campaigns targeting cryptocurrency entities as well as shellcode overlaps between PipeDown, DevobRAT, HTTPHelper, and Anycon — forming a specialized fintech targeting toolkit.

GOLDEN CHOLLIMA’s recent operations demonstrate cloud-focused tradecraft. In late 2024, the adversary delivered malicious Python packages via recruitment fraud to a European fintech company. They pivoted to the victim’s cloud environment to access IAM configurations and associated cloud resources, and ultimately managed to divert the victim’s cryptocurrency to adversary-controlled wallets. 

CrowdStrike Intelligence has also observed GOLDEN CHOLLIMA leveraging Chromium zero-days to deliver malware, and CrowdStrike OverWatch threat hunting detected several deployments of SnakeBaker and its JS variant NodalBaker at fintech firms throughout June 2025.

PRESSURE CHOLLIMA

PRESSURE CHOLLIMA conducted the DPRK’s highest-profile cryptocurrency heists, including the two largest cryptocurrency thefts on record. Public reporting links additional high-value thefts ranging from $52 million USD to $120 million USD to PRESSURE CHOLLIMA based on reused cryptocurrency wallets.2

Unlike GOLDEN CHOLLIMA’s consistent operations, PRESSURE CHOLLIMA pursues high-payout opportunities regardless of geography, focusing on organizations with significant digital asset holdings. PRESSURE CHOLLIMA deploys sophisticated, low-prevalence implants and has evolved into one of the DPRK’s most technically advanced adversaries.

PRESSURE CHOLLIMA operations likely diverged from LABYRINTH CHOLLIMA in February 2019 with experimental SwDownloader deployment, quickly replaced by SparkDownloader (tracked publicly as TraderTraitor). Recent campaigns leverage malicious Node.js and Python projects to deliver Scuzzyfuss and TwoPence Electric malware. 

LABYRINTH CHOLLIMA Moving Forward

CrowdStrike Intelligence now tracks LABYRINTH CHOLLIMA more narrowly as espionage operations using malware with a Hoplight lineage. Modern LABYRINTH CHOLLIMA operations emerged in 2020, coinciding with GOLDEN and PRESSURE CHOLLIMA’s divergence, likely indicating that blockchain malware experts and intelligence collection specialists moved into separate units.

The 2022 emergence of FudModule represents a significant development for LABYRINTH CHOLLIMA’s malware capabilities. FudModule employs direct kernel manipulation for stealth and has leveraged zero-day exploits in vulnerable drivers, Chrome, and Windows. GOLDEN CHOLLIMA has also reportedly used FudModule, indicating shared tool access despite operational separation.3

LABYRINTH CHOLLIMA operations prioritize targets in the manufacturing and defense sectors, particularly European defense entities and U.S., Japanese, and Italian manufacturing organizations. Throughout 2024 and into 2025, LABYRINTH CHOLLIMA persistently targeted European aerospace corporations using employment-themed lures and exploited zero-day vulnerabilities against defense manufacturers. In the first half of 2025, CrowdStrike Intelligence also observed a growing interest by LABYRINTH CHOLLIMA in logistics and shipping companies. The adversary has also targeted U.S.-based manufacturing companies, including critical infrastructure entities in specialized areas such as hydroelectric power. 

LABYRINTH CHOLLIMA’s 2025 operations have demonstrated diverse delivery mechanisms. WhatsApp messaging — which the adversary has used to deliver malicious ZIP files containing trojanized applications — has emerged as a primary initial compromise vector. Likely due to the method’s high success rate, the adversary has used employment-themed social engineering in multiple campaigns, tailoring lures to target specific industries and roles.

Outlook

CrowdStrike Intelligence assesses that these three groups very likely operate as distinct organizational units within the DPRK cyber apparatus. This assessment is made with high confidence and is supported by specialized malware development, distinct targeting patterns, and differences in operational tempo.

Shared infrastructure elements and tool cross-pollination indicate these units maintain close coordination. All three adversaries employ remarkably similar tradecraft — including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages — that reflects their common origins in the KorDLL and Hawup frameworks. 

LABYRINTH CHOLLIMA’s segmentation into specialized operational units represents a strategic evolution that enhances the DPRK regime’s ability to simultaneously pursue multiple objectives.

The financial motivation for GOLDEN CHOLLIMA and PRESSURE CHOLLIMA operations will likely intensify as international sanctions continue to cripple the DPRK's economy. Despite improving trade relations with Russia, the DPRK requires additional revenue to fund ambitious military plans that include constructing new destroyers, building nuclear-powered submarines, and launching additional reconnaissance satellites.4

These three adversaries remain fundamentally interconnected through shared tactical DNA and collaborative infrastructure. The cross-pollination of tools such as FudModule in GOLDEN CHOLLIMA and LABYRINTH CHOLLIMA operations, combined with malware families’ code similarities among these adversaries, demonstrates how these adversaries continue to operate as components of a unified strategic apparatus despite their distinct mission sets. 

Organizations in the cryptocurrency, fintech, defense, and logistics sectors should practice heightened vigilance for DPRK social engineering campaigns, particularly employment-themed lures and trojanized legitimate software delivered via messaging platforms.

Recommendations

These recommendations are designed to help protect against the activity described and are customized to address the specific tradecraft and objectives of GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and LABYRINTH CHOLLIMA.

Mitigate Social Engineering

  • Implement strict validation for all incoming communication, especially for job-related or external inquiries. Train employees to be highly suspicious of unsolicited messages via platforms like WhatsApp and unexpected recruitment emails containing attachments or links to trojanized software.

  • Enforce a security policy that prohibits the download and execution of software from untrusted sources, particularly third-party versions of legitimate software like SumatraPDF or TightVNC clients.

  • Address supply chain and open-source abuse:

    • Scan and vet all third-party and open-source dependencies (e.g., Node.js and Python packages, which all three adversaries have used to deliver malware) before deployment. Use tools that analyze package metadata, author reputation, and code for install-time hooks and malicious or obfuscated functionality.

    • Implement software supply chain security practices to monitor for unauthorized changes in build and deployment environments.
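
The vetting step above can be automated at the point where a dependency enters the build. The following is an added example written for this post, not CrowdStrike tooling and not a complete scanner: it walks a package's files and flags the two things that matter most for the recruitment-fraud projects the post describes, namely install-time hooks (npm lifecycle scripts, a custom `install` command in `setup.py`) that run code before anyone imports the package, and decode-then-execute loaders. The two sample packages and every pattern are constructed heuristics; a hit is a reason to review by hand, not a verdict.

```python
"""Static pre-install vetting of a third-party package for install-time hooks and
obfuscated loaders. Added example; not CrowdStrike tooling. Sample package contents
below are constructed for illustration."""
import json
import re
from dataclasses import dataclass

# npm lifecycle hooks that execute before the package is ever imported.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Heuristic patterns for obfuscated or self-fetching loaders (constructed, not exhaustive).
SUSPICIOUS_PATTERNS = {
    "exec_of_decoded_data": re.compile(
        r"\b(exec|eval)\s*\(\s*(base64\.b64decode|zlib\.decompress|bytes\.fromhex|codecs\.decode)"),
    "dynamic_import_of_os": re.compile(r"__import__\s*\(\s*['\"](os|subprocess)['\"]\s*\)"),
    "js_eval_of_buffer": re.compile(r"\b(eval|Function)\s*\(\s*Buffer\.from\("),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hidden_download": re.compile(r"\b(curl|wget|Invoke-WebRequest|urllib\.request\.urlopen)\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    detail: str


def _check_package_json(path, text):
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return [Finding(path, "unparseable_manifest", "package.json is not valid JSON")]
    return [Finding(path, "npm_lifecycle_hook", f"{hook}: {cmd}")
            for hook, cmd in (manifest.get("scripts") or {}).items()
            if hook in NPM_LIFECYCLE_HOOKS]


def _check_setup_py(path, text):
    # A custom install command lets setup.py run arbitrary code during `pip install`.
    if re.search(r"cmdclass\s*=\s*\{", text) and re.search(r"\binstall\b", text):
        return [Finding(path, "setup_py_install_override", "custom install cmdclass")]
    return []


def scan_package(files):
    """files: mapping of relative path -> file text. Returns a list of Finding."""
    findings = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "package.json":
            findings.extend(_check_package_json(path, text))
        elif name == "setup.py":
            findings.extend(_check_setup_py(path, text))
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            match = pattern.search(text)
            if match:
                findings.append(Finding(path, rule, match.group(0)[:60]))
    return findings


def verdict(findings):
    """Block on install-time execution or decode-then-exec loaders; otherwise review or allow."""
    blocking = {"npm_lifecycle_hook", "setup_py_install_override",
                "exec_of_decoded_data", "js_eval_of_buffer"}
    if any(f.rule in blocking for f in findings):
        return "block"
    return "review" if findings else "allow"


# Constructed sample: a "coding assignment" npm project whose postinstall evals a decoded buffer.
SAMPLE_NPM_PROJECT = {
    "package.json": json.dumps({"name": "trading-bot-assignment", "version": "1.0.0",
                                "scripts": {"postinstall": "node ./lib/setup.js", "test": "jest"}}),
    "lib/setup.js": "const b = Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64'); "
                    "eval(Buffer.from(b).toString());",
    "src/index.js": "module.exports = () => 42;",
}

# Constructed sample: a benign Python package with no install hooks.
SAMPLE_PY_PACKAGE = {
    "setup.py": "from setuptools import setup\nsetup(name='helper', version='0.1', packages=['helper'])",
    "helper/__init__.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    for label, pkg in (("npm", SAMPLE_NPM_PROJECT), ("py", SAMPLE_PY_PACKAGE)):
        found = scan_package(pkg)
        print(label, verdict(found), [(f.path, f.rule) for f in found])
```

Run in CI against the unpacked archive before `npm install` or `pip install` executes anything; the block verdict on the npm sample comes from the `postinstall` hook alone, which is the point: lifecycle scripts should be treated as code review items regardless of what the rest of the package looks like.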

Cloud and Identity Security

  • Monitor CloudTrail and GuardDuty logs for suspicious activity related to the adversary’s common post-compromise actions, such as:

    • Unusual usage of the cloud environment command line interface.

    • Abnormal enumeration or modification of cloud-based identity and access management (IAM) users, roles, or policies.

    • Unexpected access patterns to cloud file storage, Kubernetes clusters, and cloud compute instances.

  • Enforce the principle of least privilege across all cloud-based IAM users and service roles to limit the blast radius of a compromised credential.

  • Implement multifactor authentication (MFA) for all cloud accounts, especially for root and administrative users.
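
The three CloudTrail signals listed above can be expressed as simple rules over the raw records. The following is an added example, not a CrowdStrike detection and not tied to any real account: it flags IAM privilege changes made by a principal outside an assumed break-glass approver list, a burst of distinct IAM enumeration calls from one principal inside a ten-minute window, and CLI use by a human identity whose baseline is console-only. The events, account number, ARNs and thresholds are constructed; the field names follow the CloudTrail record format.

```python
"""Rules over CloudTrail-style records for the post-compromise IAM activity the
recommendation lists. Added example; not a CrowdStrike detection. Events, ARNs and
the 111122223333 account number are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

IAM_ENUMERATION = {"ListUsers", "ListRoles", "ListPolicies", "ListAccessKeys",
                   "ListAttachedUserPolicies", "GetAccountAuthorizationDetails"}
IAM_PRIVILEGE_CHANGES = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                         "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                         "UpdateAssumeRolePolicy"}
ENUM_THRESHOLD = 4                   # distinct enumeration calls ...
ENUM_WINDOW = timedelta(minutes=10)  # ... within this window trip the burst rule


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event):
    return event["userIdentity"].get("arn", "unknown")


def detect(events, change_approvers, console_only_principals):
    """Return (rule, principal, detail) alerts.
    change_approvers: ARNs permitted to change IAM (assumed: a break-glass admin role).
    console_only_principals: human identities whose baseline shows no CLI/SDK use."""
    alerts = []
    events = sorted(events, key=_ts)
    enum_calls = defaultdict(list)
    cli_flagged = set()
    for e in events:
        p = _principal(e)
        name = e["eventName"]
        if e.get("eventSource") == "iam.amazonaws.com":
            if name in IAM_ENUMERATION:
                enum_calls[p].append((_ts(e), name))
            if name in IAM_PRIVILEGE_CHANGES and p not in change_approvers:
                alerts.append(("iam_privilege_change_by_unapproved_principal", p, name))
        # Unusual CLI usage: a console-only identity suddenly driving the API from aws-cli.
        user_agent = e.get("userAgent", "")
        if p in console_only_principals and user_agent.startswith("aws-cli/") and p not in cli_flagged:
            cli_flagged.add(p)
            alerts.append(("cli_use_by_console_only_identity", p, user_agent))
    for p, calls in enum_calls.items():
        # Sliding window over time-sorted calls: enough distinct read APIs inside ENUM_WINDOW.
        for i, (t0, _) in enumerate(calls):
            names = {n for t, n in calls[i:] if t - t0 <= ENUM_WINDOW}
            if len(names) >= ENUM_THRESHOLD:
                alerts.append(("iam_enumeration_burst", p, ",".join(sorted(names))))
                break
    return alerts


DEV = "arn:aws:iam::111122223333:user/dev-jane"
ADMIN = "arn:aws:sts::111122223333:assumed-role/BreakGlassAdmin/ops"
CLI_UA = "aws-cli/2.15.30 Python/3.11.6 Linux/6.5.0 exe/x86_64"


def _ev(t, source, name, arn, ua):
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "userAgent": ua}


# Constructed timeline following the cloud-pivot pattern the post describes: a developer
# identity enumerates IAM from the CLI, then creates an access key; the admin change is legitimate.
SAMPLE_EVENTS = [
    _ev("2024-11-05T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin", DEV, "Mozilla/5.0"),
    _ev("2024-11-05T09:10:05Z", "iam.amazonaws.com", "ListUsers", DEV, CLI_UA),
    _ev("2024-11-05T09:10:20Z", "iam.amazonaws.com", "ListRoles", DEV, CLI_UA),
    _ev("2024-11-05T09:10:42Z", "iam.amazonaws.com", "ListPolicies", DEV, CLI_UA),
    _ev("2024-11-05T09:11:03Z", "iam.amazonaws.com", "GetAccountAuthorizationDetails", DEV, CLI_UA),
    _ev("2024-11-05T09:14:00Z", "iam.amazonaws.com", "CreateAccessKey", DEV, CLI_UA),
    _ev("2024-11-05T09:15:00Z", "s3.amazonaws.com", "ListBuckets", DEV, CLI_UA),
    _ev("2024-11-05T11:00:00Z", "iam.amazonaws.com", "AttachRolePolicy", ADMIN, CLI_UA),
]
CHANGE_APPROVERS = {ADMIN}
CONSOLE_ONLY = {DEV}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, CHANGE_APPROVERS, CONSOLE_ONLY):
        print(*alert)
```

The approver list and console-only baseline are the parts that need real data: derive them from a few weeks of CloudTrail history per principal rather than hand-maintaining them, and keep the enumeration threshold low enough that a single `GetAccountAuthorizationDetails` plus a handful of `List*` calls from a non-admin identity is reviewed.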

General Recommendations

  • Patch management:

    • Prioritize the patching of known remote code execution (RCE) and server-side request forgery (SSRF) vulnerabilities, particularly in public-facing applications and commonly targeted software like web browsers (e.g., Chromium).

    • Maintain all operating systems, hypervisors, drivers, and edge devices at a recent, supported software level to mitigate zero-day exploitation of kernel-level vulnerabilities by malware such as FudModule.

  • Cryptocurrency defense:

    • For organizations dealing with digital assets, implement multi-signature wallet requirements and time-locked transfers to increase the difficulty and detection time for large-scale crypto thefts.

    • Isolate cryptocurrency management systems from the corporate network and apply the most stringent security controls to these environments.
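
The multi-signature and time-lock controls above are worth seeing as one policy, because their value comes from how they combine: the quorum stops a single compromised operator from moving funds, and the delay turns a pending theft into a window in which anyone can veto it. The following is an added example modelling that policy; it is not a real wallet implementation and not CrowdStrike code. HMAC over a per-approver secret stands in for the hardware-backed signatures a real multisig uses, and the approver keys, destination addresses, amounts and delays are constructed.

```python
"""Policy model of multi-signature approval plus time-locked release for large
digital-asset transfers. Added example; not a wallet implementation and not
CrowdStrike code. HMAC stands in for real signatures; keys and addresses are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Proposal:
    pid: str
    destination: str
    amount_usd: int
    proposed_at: datetime
    approvals: dict = field(default_factory=dict)  # approver name -> authentication tag
    cancelled: bool = False
    released: bool = False


class TreasuryPolicy:
    def __init__(self, approver_keys, quorum, base_delay=timedelta(hours=24),
                 large_threshold_usd=1_000_000, large_delay=timedelta(hours=72)):
        self.keys = approver_keys
        self.quorum = quorum
        self.base_delay = base_delay
        self.large_threshold_usd = large_threshold_usd
        self.large_delay = large_delay
        self.proposals = {}

    @staticmethod
    def _message(p):
        # Bind the approval to every field that matters; changing any of them voids it.
        return f"{p.pid}|{p.destination}|{p.amount_usd}".encode()

    def sign(self, approver, p):
        """Approver side: the tag for this exact proposal."""
        return hmac.new(self.keys[approver], self._message(p), hashlib.sha256).hexdigest()

    def propose(self, pid, destination, amount_usd, now):
        p = Proposal(pid, destination, amount_usd, now)
        self.proposals[pid] = p
        return p

    def approve(self, pid, approver, tag):
        p = self.proposals[pid]
        if approver not in self.keys or not hmac.compare_digest(tag, self.sign(approver, p)):
            return False
        p.approvals[approver] = tag
        return True

    def valid_approvals(self, p):
        # Re-verify stored tags against the proposal as it is now, so a destination or
        # amount swapped after approval drops the effective quorum to zero.
        return {a for a, tag in p.approvals.items() if hmac.compare_digest(tag, self.sign(a, p))}

    def release_time(self, p):
        delay = self.large_delay if p.amount_usd >= self.large_threshold_usd else self.base_delay
        return p.proposed_at + delay

    def cancel(self, pid, approver):
        """Any single approver can veto during the delay; the delay is the detection window."""
        if approver not in self.keys:
            return False
        self.proposals[pid].cancelled = True
        return True

    def release(self, pid, now):
        p = self.proposals[pid]
        if p.cancelled:
            return (False, "cancelled")
        ok = self.valid_approvals(p)
        if len(ok) < self.quorum:
            return (False, f"approvals {len(ok)}/{self.quorum}")
        if now < self.release_time(p):
            return (False, f"timelock active until {self.release_time(p).isoformat()}")
        p.released = True
        return (True, "released")


# Constructed approver secrets for the demo only; real deployments keep these in hardware.
APPROVER_KEYS = {"alice": b"alice-demo-secret", "bob": b"bob-demo-secret", "carol": b"carol-demo-secret"}
T0 = datetime(2025, 6, 1, 9, 0)
DEST = "0xCONSTRUCTED000000000000000000000000000000"


def scenario_happy_path():
    """Outcomes at each step for a 2-of-3, $5M (72h delay) transfer."""
    policy = TreasuryPolicy(APPROVER_KEYS, quorum=2)
    p = policy.propose("tx-1", DEST, 5_000_000, T0)
    policy.approve("tx-1", "alice", policy.sign("alice", p))
    one_sig = policy.release("tx-1", T0 + timedelta(hours=1))
    policy.approve("tx-1", "bob", policy.sign("bob", p))
    early = policy.release("tx-1", T0 + timedelta(hours=1))
    done = policy.release("tx-1", T0 + timedelta(hours=73))
    return one_sig, early, done


def scenario_tampered_destination():
    """Approvals gathered, then the destination is swapped: the quorum must collapse."""
    policy = TreasuryPolicy(APPROVER_KEYS, quorum=2)
    p = policy.propose("tx-2", DEST, 50_000, T0)
    for a in ("alice", "bob"):
        policy.approve("tx-2", a, policy.sign(a, p))
    p.destination = "0xSWAPPED00000000000000000000000000000000000"
    return policy.release("tx-2", T0 + timedelta(hours=25))


def scenario_veto():
    """A fully approved transfer vetoed by the third approver inside the timelock."""
    policy = TreasuryPolicy(APPROVER_KEYS, quorum=2)
    p = policy.propose("tx-3", DEST, 50_000, T0)
    for a in ("alice", "bob"):
        policy.approve("tx-3", a, policy.sign(a, p))
    policy.cancel("tx-3", "carol")
    return policy.release("tx-3", T0 + timedelta(hours=25))


if __name__ == "__main__":
    print(scenario_happy_path())
    print(scenario_tampered_destination())
    print(scenario_veto())
```

Two design choices carry the security value: approvals are bound to the exact destination and amount, so a change after signing silently empties the quorum instead of being carried along, and the delay scales with the amount, so the large transfers that attract the most interest also get the longest veto window.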

IOCs

Exemplar samples of malware mentioned in this blog are provided below to enable community tracking of GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and LABYRINTH CHOLLIMA activity.

| Malware | Attribution | Exemplar SHA256 Hash |
| --- | --- | --- |
| Dozer | LABYRINTH CHOLLIMA | 7dee2bd4e317d12c9a2923d0531526822cfd37eabfd7aecc74258bb4f2d3a643 |
| Brambul | LABYRINTH CHOLLIMA | d2359630e84f59984ac7ddebdece9313f0c05f4a1e7db90abadfd86047c12dd6 |
| Joanap | LABYRINTH CHOLLIMA | 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b |
| KorDLL Bot | LABYRINTH CHOLLIMA | 73edc54abb3d6b8df6bd1e4a77c373314cbe99a660c8c6eea770673063f55503 |
| Koredos | LABYRINTH CHOLLIMA | a795964bc2be442f142f5aea9886ddfd297ec898815541be37f18ffeae02d32f |
| Hawup RAT | LABYRINTH CHOLLIMA | 453d8bd3e2069bc50703eb4c5d278aad02304d4dc5d804ad2ec00b2343feb7a4 |
| Hoplight | LABYRINTH CHOLLIMA | 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 |
| Manuscrypt | LABYRINTH CHOLLIMA | dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156 |
| HTTPHoplight | LABYRINTH CHOLLIMA | ceccb2339088fa2d6337082704bbf67f84eeb0d0b60ce5ab0ab7e1824002fa4c |
| OpenSSL Downloader | LABYRINTH CHOLLIMA | f749c7e84809ffc3939eaed06ad90e15b0e11375f98d7348c0aa1bf35d3f0b8e |
| UnderGroundRAT | LABYRINTH CHOLLIMA | f9586fdf4e0a65b17ee32bc3c3f493a055409abde373720d594d27fd24adffa0 |
| NedDnLoader | LABYRINTH CHOLLIMA | 512877c98fd83cd51bb287da4462b44f9d276d7ce51890f4ded1b915a6d2d5e1 |
| Stackeyflate | LABYRINTH CHOLLIMA | d2e743216d17e97c8d1913d376d46095b740015f26a3c62a05e286573721d26c |
| HiberRAT | LABYRINTH CHOLLIMA | 58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c |
| WinWebDown | LABYRINTH CHOLLIMA | fc885b323172106ab6f2f0cc77b609987384a38e3af41ad888d5389610d29daf |
| FudModule | LABYRINTH CHOLLIMA, GOLDEN CHOLLIMA | cbd1634cf7c638f2faf5e3ec79137db6704ec9de8df798fc46aeeed38de3da9b |
| Scuzzyfuss | PRESSURE CHOLLIMA | b9f6a9d4f837f5b8a5dc9987a91ba44bc7ae7f39aa692b5b21dba460f935a0ae |
| MataNet | PRESSURE CHOLLIMA | 357c9daf6c4343286a9a85a27bc25defdc056877ce1be2943d2e8ede3bce022c |
| SwDownloader | PRESSURE CHOLLIMA | a61ecbe8a5372c85dcf5d077487f09d01e144128243793d2b97012440dcf106e |
| SparkDownloader | PRESSURE CHOLLIMA | 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598 |
| TwoPence Electric | PRESSURE CHOLLIMA | 081804b491c70bfa63ecdbe9fd4618d3570706ad8b71dba13e234069648e5e48 |
| MagikCookie | PRESSURE CHOLLIMA | 1579347265f948f9646931335d57e7960fe65dd429394be84b4ae15bca73dfde |
| StatusSymbol | PRESSURE CHOLLIMA | 666c50b8b772101b0e2e35ff1de52a278c2727027b54858e457571d296fec50b |
| GhostShip | PRESSURE CHOLLIMA | 56e51244e258c39293463c8cf02f5dddb085be90728fab147a60741cf014aa4d |
| AlertConf | PRESSURE CHOLLIMA | e0aa5ef3af26681a8c8b46d95656580779d0ff3c2fe531b95a59ee918686e443 |
| Jeus | GOLDEN CHOLLIMA | fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e |
| HTTPHelper | GOLDEN CHOLLIMA | ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9 |
| SnakeBaker | GOLDEN CHOLLIMA | b6995c31a7ee88392fc25fd6d1a3a7975b3cb4ec3a9a318c3fcfaaf89eb65ce1 |
| NodalBaker | GOLDEN CHOLLIMA | 0518a163b90e7246a349440164d02d10f31d514a7e5cce842b6cf5b3a0cc1bfa |
| PipeDown | GOLDEN CHOLLIMA | 2ef212f433b722b734d80b41a2364a41ca0453dbfe3e6ec8b951eca795075a02 |
| DevobRAT | GOLDEN CHOLLIMA | fde50c3a373ebc2661e08c99c1cb50dc34efc022a3880c317ab5b84108ef83aa |
| Anycon | GOLDEN CHOLLIMA | 2110a6e89d98a626f846ec8deccbac057300d194933ae0cbf1ef4831a4cc829e |
| CitriLoader | GOLDEN CHOLLIMA | d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b |