LABYRINTH CHOLLIMA Evolves into Three Adversaries
The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYRINTH CHOLLIMA continues espionage operations targeting industrial, logistics, and defense companies. Despite operating independently, these groups share tools and infrastructure, indicating coordinated resource allocation within North Korea's cyber ecosystem. The evolution stems from the KorDLL malware framework, which spawned several malware families. Recent operations demonstrate cloud-focused tradecraft and the use of zero-day vulnerabilities to deliver malware.
AI Analysis
Technical Summary
LABYRINTH CHOLLIMA is a North Korean cyber threat group that has recently evolved into three separate but related adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and the core LABYRINTH CHOLLIMA. This split reflects a strategic specialization where GOLDEN and PRESSURE CHOLLIMA primarily target cryptocurrency-related entities, aiming to steal digital assets, while the core group continues espionage campaigns against industrial, logistics, and defense sectors. All three subgroups share a common malware lineage based on the KorDLL malware framework, which has spawned multiple malware families such as Manuscrypt, Brambul, Hiberrat, and others. Their operations demonstrate sophisticated tradecraft, including the use of cloud infrastructure for command and control, and the exploitation of zero-day vulnerabilities to deliver malware payloads stealthily. The shared tools and infrastructure suggest coordinated resource allocation within North Korea’s cyber ecosystem, enhancing operational efficiency and persistence. The threat actors employ a wide range of tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK techniques such as T1190 (exploitation of remote services), T1071 (command and control), T1059 (command execution), and T1566 (phishing), among others. Despite the absence of publicly known exploits in the wild, the use of zero-days and advanced malware families indicates a medium level of threat severity. This evolution complicates detection and response efforts due to the diversity of targets and malware capabilities, requiring defenders to adopt multi-faceted detection strategies and threat intelligence integration.
Potential Impact
For European organizations, the LABYRINTH CHOLLIMA evolution poses significant risks primarily in the fintech, cryptocurrency, industrial, logistics, and defense sectors. Cryptocurrency exchanges and fintech firms face direct financial theft risks from GOLDEN and PRESSURE CHOLLIMA subgroups, potentially resulting in substantial monetary losses and reputational damage. Industrial, logistics, and defense companies targeted by the core group risk espionage, intellectual property theft, and disruption of critical supply chains, which could undermine national security and economic stability. The use of zero-day vulnerabilities and cloud-based tradecraft increases the likelihood of successful breaches, even in well-defended environments. Given Europe's reliance on cloud infrastructure and the strategic importance of its defense and industrial sectors, these attacks could lead to data breaches, operational disruptions, and loss of sensitive information. The shared infrastructure among subgroups also means that a compromise in one sector could facilitate lateral movement or collateral damage in others. Overall, the threat could degrade trust in digital financial services and compromise critical infrastructure resilience across Europe.
Mitigation Recommendations
European organizations should implement targeted detection and response strategies focusing on the KorDLL malware framework and its variants. This includes deploying advanced endpoint detection and response (EDR) solutions capable of identifying behaviors associated with Manuscrypt, Brambul, Hiberrat, and related malware families. Enhanced monitoring of cloud environments is critical, with emphasis on detecting anomalous command and control traffic and unauthorized access attempts. Organizations should prioritize patching and vulnerability management, especially for zero-day vulnerabilities disclosed or exploited by these groups, and maintain active threat intelligence sharing with industry peers and government agencies to stay updated on emerging TTPs. Network segmentation and strict access controls can limit lateral movement if a breach occurs. Multi-factor authentication (MFA) and phishing-resistant authentication methods should be enforced to mitigate social engineering risks. Incident response plans must be updated to address the complexity of multi-vector attacks involving both financial theft and espionage. Finally, organizations in high-risk sectors should consider threat hunting exercises focused on indicators of compromise related to LABYRINTH CHOLLIMA’s toolset and infrastructure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Belgium, Poland, Spain
Indicators of Compromise
- hash: 0c75ecf9f4943de4269ccf98d7391303
- hash: 0f394734c65d44915060b36a0b1a972d
- hash: 18644822140eda7493bd75ba1e1f235d
- hash: 23e27e5482e3f55bf828dab885569033
- hash: 2462bab0fdd54fd2a2b8483297004e30
- hash: 2cf6a67e6043747d90e1bc0ce69a974a
- hash: 53d9af8829a9c7f6f177178885901c01
- hash: 5eac943e23429a77d9766078e760fc0b
- hash: 7fe80cee04003fed91c02e3a372f4b01
- hash: 9578c2be6437dcc8517e78a5de1fa975
- hash: 9c8b6a53cc3181c19865dc4d7433cbdf
- hash: a05b7f66351da5694fbed549a81cced8
- hash: a6a3aec659ab1a285fba3e93f4453160
- hash: aa96c24e08438db8e05eececf119a02e
- hash: 139b25e1ae32a8768238935a8c878bfbe2f89ef4
- hash: 2a900fbfdd65dafe6fadc4d5706e151c8b72230a
- hash: 426bc6bb3704441e5804d75ad020706f06b3db5d
- hash: 653dbc2416d439eca6e4a41c7d9b7e11aa1664b6
- hash: 69e5ca8f0adbf17195e38055c6fa83190f3b9616
- hash: 7fe373376e0357624a1d21cd803ce62aa86738b6
- hash: 8de3c94e8a86eb48787a25bffca889a4176f54f2
- hash: 97866866d1ffaf4ff6be26e14f5b54cd044d4811
- hash: 9876f8650d75938f8a2e4fb4df4321cc819d0f58
- hash: abeb2abdf0eb7bcab61605bae95618f394ba8835
- hash: ae9f4e39c576555faadee136c6c3b2d358ad90b9
- hash: b801643e2d817931e6aa36e6bf24d1c42e9b8fdc
- hash: bb9643b443541320142e4049bf2e14810f442626
- hash: d2a77c31c3e169bec655068e96cf4e7fc52e77b8
- hash: 0518a163b90e7246a349440164d02d10f31d514a7e5cce842b6cf5b3a0cc1bfa
- hash: 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461
- hash: 081804b491c70bfa63ecdbe9fd4618d3570706ad8b71dba13e234069648e5e48
- hash: 1579347265f948f9646931335d57e7960fe65dd429394be84b4ae15bca73dfde
- hash: 2110a6e89d98a626f846ec8deccbac057300d194933ae0cbf1ef4831a4cc829e
- hash: 2ef212f433b722b734d80b41a2364a41ca0453dbfe3e6ec8b951eca795075a02
- hash: 357c9daf6c4343286a9a85a27bc25defdc056877ce1be2943d2e8ede3bce022c
- hash: 453d8bd3e2069bc50703eb4c5d278aad02304d4dc5d804ad2ec00b2343feb7a4
- hash: 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b
- hash: 512877c98fd83cd51bb287da4462b44f9d276d7ce51890f4ded1b915a6d2d5e1
- hash: 56e51244e258c39293463c8cf02f5dddb085be90728fab147a60741cf014aa4d
- hash: 58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c
- hash: 666c50b8b772101b0e2e35ff1de52a278c2727027b54858e457571d296fec50b
- hash: 73edc54abb3d6b8df6bd1e4a77c373314cbe99a660c8c6eea770673063f55503
- hash: 7dee2bd4e317d12c9a2923d0531526822cfd37eabfd7aecc74258bb4f2d3a643
- hash: 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598
- hash: a61ecbe8a5372c85dcf5d077487f09d01e144128243793d2b97012440dcf106e
- hash: a795964bc2be442f142f5aea9886ddfd297ec898815541be37f18ffeae02d32f
- hash: b6995c31a7ee88392fc25fd6d1a3a7975b3cb4ec3a9a318c3fcfaaf89eb65ce1
- hash: b9f6a9d4f837f5b8a5dc9987a91ba44bc7ae7f39aa692b5b21dba460f935a0ae
- hash: cbd1634cf7c638f2faf5e3ec79137db6704ec9de8df798fc46aeeed38de3da9b
- hash: ceccb2339088fa2d6337082704bbf67f84eeb0d0b60ce5ab0ab7e1824002fa4c
- hash: d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b
- hash: d2359630e84f59984ac7ddebdece9313f0c05f4a1e7db90abadfd86047c12dd6
- hash: d2e743216d17e97c8d1913d376d46095b740015f26a3c62a05e286573721d26c
- hash: dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156
- hash: e0aa5ef3af26681a8c8b46d95656580779d0ff3c2fe531b95a59ee918686e443
- hash: f749c7e84809ffc3939eaed06ad90e15b0e11375f98d7348c0aa1bf35d3f0b8e
- hash: f9586fdf4e0a65b17ee32bc3c3f493a055409abde373720d594d27fd24adffa0
- hash: fc885b323172106ab6f2f0cc77b609987384a38e3af41ad888d5389610d29daf
- hash: fde50c3a373ebc2661e08c99c1cb50dc34efc022a3880c317ab5b84108ef83aa
- hash: fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e
- hash: ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9
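The indicator list above mixes MD5, SHA-1 and SHA-256 digests in one flat "- hash:" list, and the mitigation section recommends threat hunting against these indicators. The following Python script is an added illustration (not code from CrowdStrike, AlienVault or OffSeq) of how a defender would turn such a list into a hunting artifact: it classifies each digest by length, rejects malformed lines instead of silently dropping them, and sweeps a directory tree computing all three digests per file in a single read pass. It embeds a subset of the page's hashes plus one constructed malformed line; the sample files it scans and the one "flagged" digest it adds are constructed for the demonstration, so the page's real indicators match nothing here.

```python
"""Hash-based IoC sweep: normalize a mixed MD5/SHA-1/SHA-256 indicator list and
check files against it in one read pass per file (added example, not vendor tooling)."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# A subset of the indicator lines from this page, in the page's own "- hash: <hex>"
# format, plus one constructed malformed line to show how bad input is handled.
RAW_IOCS = """
- hash: 0c75ecf9f4943de4269ccf98d7391303
- hash: 0f394734c65d44915060b36a0b1a972d
- hash: 139b25e1ae32a8768238935a8c878bfbe2f89ef4
- hash: 2a900fbfdd65dafe6fadc4d5706e151c8b72230a
- hash: 0518a163b90e7246a349440164d02d10f31d514a7e5cce842b6cf5b3a0cc1bfa
- hash: 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461
- hash: not-a-real-hash-constructed-for-this-example
"""

# Digest length in hex characters -> algorithm name as hashlib knows it.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_LINE = re.compile(r"^\s*-?\s*hash:\s*(\S+)\s*$")


def classify_hash(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of matching length, else None."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return HEX_LEN_TO_ALGO.get(len(value))


def parse_ioc_list(text: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Split an indicator list into per-algorithm sets of lowercase digests.

    Returns (iocs, rejected); rejected holds every non-empty line that is not a
    hex digest of a known length, so nothing is dropped without being reported.
    """
    iocs: Dict[str, Set[str]] = {algo: set() for algo in HEX_LEN_TO_ALGO.values()}
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HASH_LINE.match(line)
        algo = classify_hash(m.group(1)) if m else None
        if algo is None:
            rejected.append(line.strip())
            continue
        iocs[algo].add(m.group(1).lower())
    return iocs, rejected


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of a file while reading it only once."""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LEN_TO_ALGO.values()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def sweep(root: Path, iocs: Dict[str, Set[str]]) -> List[Tuple[Path, str, str]]:
    """Walk a directory tree and report every file whose digest is in the IoC set."""
    hits: List[Tuple[Path, str, str]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for algo, digest in hash_file(path).items():
            if digest in iocs[algo]:
                hits.append((path, algo, digest))
    return hits


def demo() -> Tuple[int, int, int, int]:
    """Sweep a scratch directory of constructed files.

    One constructed file's SHA-256 is added to the IoC set to stand in for a
    known-bad sample. Returns (md5_count, sha1_count, sha256_count, hit_count).
    """
    iocs, rejected = parse_ioc_list(RAW_IOCS)
    assert len(rejected) == 1, "only the constructed malformed line should be rejected"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"quarterly logistics report (constructed)\n")
        (root / "nested").mkdir()
        suspect = root / "nested" / "loader.bin"
        suspect.write_bytes(b"constructed stand-in for a flagged sample\n")
        iocs["sha256"].add(hashlib.sha256(suspect.read_bytes()).hexdigest())
        hits = sweep(root, iocs)
    return (len(iocs["md5"]), len(iocs["sha1"]), len(iocs["sha256"]), len(hits))


if __name__ == "__main__":
    md5s, sha1s, sha256s, hits = demo()
    print(f"IoCs loaded: {md5s} MD5, {sha1s} SHA-1, {sha256s} SHA-256; matches: {hits}")
```

Dropping the full list from this page into `RAW_IOCS` works unchanged; `parse_ioc_list` is the place to wire in a feed export instead of a literal, and the `rejected` list is worth logging so a truncated or mis-pasted indicator is noticed rather than quietly ignored.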
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.crowdstrike.com/en-us/blog/labyrinth-chollima-evolves-into-three-adversaries/
- Adversary: LABYRINTH CHOLLIMA
- Pulse Id: 697c706415974488f8933c8c
- Threat Score: null
Threat ID: 697c728bac06320222401ed5
Added to database: 1/30/2026, 8:57:47 AM
Last enriched: 1/30/2026, 9:12:53 AM
Last updated: 3/17/2026, 11:35:21 AM
Views: 159