LABYRINTH CHOLLIMA Evolves into Three Adversaries
The LABYRINTH CHOLLIMA North Korean threat group has fragmented into three distinct adversaries—GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA—each with specialized malware and objectives. GOLDEN and PRESSURE CHOLLIMA target cryptocurrency entities, while core LABYRINTH CHOLLIMA focuses on espionage against industrial, logistics, and defense sectors. All subgroups share tools and infrastructure derived from the KorDLL malware framework, indicating coordinated resource sharing. Their operations include advanced cloud-focused tradecraft and exploitation of zero-day vulnerabilities for malware delivery. This evolution increases the complexity and persistence of attacks, posing medium-severity risks. European organizations in the fintech, defense, logistics, and cryptocurrency sectors are particularly at risk. Mitigation requires targeted detection of KorDLL-related malware, enhanced monitoring of cloud environments, and proactive threat intelligence sharing. Countries with significant fintech and defense industries, such as Germany, France, and the UK, are most likely affected. The threat's medium severity reflects its espionage and financial-theft focus, its use of zero-days, and moderate ease of exploitation, with no widespread known exploits in the wild.
AI Analysis
Technical Summary
LABYRINTH CHOLLIMA is a North Korean cyber threat group that has recently evolved into three separate but related adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and the core LABYRINTH CHOLLIMA. This split reflects a strategic specialization where GOLDEN and PRESSURE CHOLLIMA primarily target cryptocurrency-related entities, aiming to steal digital assets, while the core group continues espionage campaigns against industrial, logistics, and defense sectors. All three subgroups share a common malware lineage based on the KorDLL malware framework, which has spawned multiple malware families such as Manuscrypt, Brambul, Hiberrat, and others. Their operations demonstrate sophisticated tradecraft, including the use of cloud infrastructure for command and control, and the exploitation of zero-day vulnerabilities to deliver malware payloads stealthily. The shared tools and infrastructure suggest coordinated resource allocation within North Korea’s cyber ecosystem, enhancing operational efficiency and persistence. The threat actors employ a wide range of tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK techniques such as T1190 (exploitation of remote services), T1071 (command and control), T1059 (command execution), and T1566 (phishing), among others. Despite the absence of publicly known exploits in the wild, the use of zero-days and advanced malware families indicates a medium level of threat severity. This evolution complicates detection and response efforts due to the diversity of targets and malware capabilities, requiring defenders to adopt multi-faceted detection strategies and threat intelligence integration.
Potential Impact
For European organizations, the LABYRINTH CHOLLIMA evolution poses significant risks primarily in the fintech, cryptocurrency, industrial, logistics, and defense sectors. Cryptocurrency exchanges and fintech firms face direct financial theft risks from GOLDEN and PRESSURE CHOLLIMA subgroups, potentially resulting in substantial monetary losses and reputational damage. Industrial, logistics, and defense companies targeted by the core group risk espionage, intellectual property theft, and disruption of critical supply chains, which could undermine national security and economic stability. The use of zero-day vulnerabilities and cloud-based tradecraft increases the likelihood of successful breaches, even in well-defended environments. Given Europe's reliance on cloud infrastructure and the strategic importance of its defense and industrial sectors, these attacks could lead to data breaches, operational disruptions, and loss of sensitive information. The shared infrastructure among subgroups also means that a compromise in one sector could facilitate lateral movement or collateral damage in others. Overall, the threat could degrade trust in digital financial services and compromise critical infrastructure resilience across Europe.
Mitigation Recommendations
European organizations should implement targeted detection and response strategies focusing on the KorDLL malware framework and its variants. This includes deploying advanced endpoint detection and response (EDR) solutions capable of identifying behaviors associated with Manuscrypt, Brambul, Hiberrat, and related malware families. Enhanced monitoring of cloud environments is critical, with emphasis on detecting anomalous command and control traffic and unauthorized access attempts. Organizations should prioritize patching and vulnerability management, especially for zero-day vulnerabilities disclosed or exploited by these groups, and maintain active threat intelligence sharing with industry peers and government agencies to stay updated on emerging TTPs. Network segmentation and strict access controls can limit lateral movement if a breach occurs. Multi-factor authentication (MFA) and phishing-resistant authentication methods should be enforced to mitigate social engineering risks. Incident response plans must be updated to address the complexity of multi-vector attacks involving both financial theft and espionage. Finally, organizations in high-risk sectors should consider threat hunting exercises focused on indicators of compromise related to LABYRINTH CHOLLIMA’s toolset and infrastructure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Belgium, Poland, Spain
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.crowdstrike.com/en-us/blog/labyrinth-chollima-evolves-into-three-adversaries/
- Adversary: LABYRINTH CHOLLIMA
- Pulse Id: 697c706415974488f8933c8c
- Threat Score: null
Threat ID: 697c728bac06320222401ed5
Added to database: 1/30/2026, 8:57:47 AM
Last enriched: 1/30/2026, 9:12:53 AM
Last updated: 1/31/2026, 6:02:47 AM
Views: 47