CrowdStrike Reports DPRK Labyrinth Chollima Split into Golden and Pressure Chollima Crypto-Theft Units
CrowdStrike reported that the long-running DPRK-linked activity it tracks as Labyrinth Chollima has diverged into three distinct operations, with two offshoots—Golden Chollima and Pressure Chollima—focused on cryptocurrency theft while the remaining Labyrinth Chollima activity concentrates on espionage. The split reflects increasing specialization: Labyrinth Chollima is described as targeting sectors including manufacturing, logistics, defense, and aerospace, while the crypto-focused units are assessed as generating revenue that supports the North Korean regime and, in part, its cyber operations.
CrowdStrike tied Golden Chollima to sustained, lower-value theft operations against cryptocurrency/fintech targets and described a tooling lineage that includes Jeus (and macOS AppleJeus) and overlaps with components such as PipeDown, DevobRAT, HTTPHelper, and Anycon, alongside more recent cloud-focused tradecraft (e.g., recruitment-fraud delivery of malicious Python packages leading to cloud IAM/resource access and crypto diversion). Pressure Chollima was characterized as pursuing high-payout opportunities globally and was linked in public reporting to record-setting cryptocurrency thefts (including a cited $1.46B heist), with CrowdStrike assessing it as among the DPRK’s more technically advanced crypto-theft operators; despite specialization, the groups reportedly retain shared lineage (including ties to the broader Lazarus Group construct) and exhibit some shared tools/infrastructure suggesting centralized coordination.
Timeline
Jan 29, 2026
CrowdStrike publishes report on three-way split and IOCs
On January 29, 2026, CrowdStrike published research assessing that Labyrinth Chollima now operates as three distinct DPRK-linked adversaries with specialized malware and objectives. The report also provided indicators of compromise and malware samples to help defenders identify related activity.
Jan 1, 2025
Pressure Chollima linked to $1.46 billion crypto theft
CrowdStrike links Pressure Chollima to a record-breaking $1.46 billion cryptocurrency theft that occurred the year before the report. The incident is cited as evidence of the group's advanced capability and focus on high-value crypto heists.
Jan 1, 2020
Golden and Pressure Chollima shift to cryptocurrency theft
After the split, Golden Chollima and Pressure Chollima focused primarily on cryptocurrency and fintech theft to generate revenue for North Korea. CrowdStrike says this specialization became a core part of the regime's cyber-enabled fundraising.
Jan 1, 2020
Labyrinth Chollima splits into three DPRK-linked operations
CrowdStrike assesses that, since around 2020, the original Labyrinth Chollima cluster has splintered into three distinct but coordinated groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. The groups retained some shared tools and infrastructure while specializing in different missions.
Jan 1, 2009
Labyrinth Chollima begins operations
CrowdStrike says the North Korea-linked activity cluster it tracks as Labyrinth Chollima has been active since 2009. This marks the start of the long-running DPRK cyber operation later assessed to have split into multiple units.
Related Stories

North Korea’s Chollima Threat Actors Evolve and Expand Targeting
Reporting highlighted multiple, **unrelated** threat developments rather than a single cohesive incident. One thread focused on North Korea-linked **Chollima** activity: a targeted spear-phishing operation attributed to **Ricochet Chollima** used Dropbox-hosted lures to deliver archives containing weaponized Windows shortcut (`.LNK`) files, with tradecraft designed to evade detection (including multi-stage execution and fileless, memory-resident behavior). Separately, a CrowdStrike-based report described a strategic reorganization of **LABYRINTH CHOLLIMA** into three operational groupings—**GOLDEN CHOLLIMA** (smaller, steady revenue theft), **PRESSURE CHOLLIMA** (high-payout crypto heists), and a core **espionage** unit—while retaining shared malware “DNA” via frameworks such as **KorDLL** and **Hawup**, indicating continued coordination across DPRK cyber operations. Other items covered distinct, non-DPRK activity and should not be conflated with the Chollima reporting. One article described **infostealer campaigns expanding to macOS**, including Python-based cross-platform stealers and macOS families such as **Atomic macOS Stealer (AMOS)**, using malvertising, fake installers/DMGs, and trusted platforms to harvest credentials, cookies, keychain data, crypto wallets, and developer secrets. Another described a **fake Dropbox phishing** campaign using PDF-based staging (including obfuscation techniques like `FlateDecode` and `AcroForm` objects) hosted on legitimate infrastructure (e.g., Vercel Blob storage) to redirect victims to a counterfeit login page and exfiltrate credentials via **Telegram**—a separate credential-harvesting operation not tied to the Chollima APT reporting.
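The fake-Dropbox item above describes PDF staging that hides the redirect inside compressed objects and form structures. The following is an added, defender-side example written for this page, not code from Mallory or from any of the vendors cited; it shows why static scanning has to inflate `FlateDecode` streams before looking for `AcroForm` and action markers. The sample PDF and the `login-example.invalid` domain are constructed for the demonstration and are not indicators from the reporting.

```python
import re
import zlib

# Constructed sample: a minimal PDF whose catalog (AcroForm + an /OpenAction
# URI) is hidden inside a single FlateDecode-compressed object. A scanner that
# only greps the raw bytes sees neither the form nor the URL.
_INNER = (
    b"<< /Type /Catalog /AcroForm << /Fields [] >> "
    b"/OpenAction << /S /URI /URI (https://login-example.invalid/verify) >> >>"
)
_COMPRESSED = zlib.compress(_INNER)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Length " + str(len(_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _COMPRESSED
    + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Markers that, combined, point at a form/redirect lure rather than a plain document.
MARKERS = (b"/AcroForm", b"/OpenAction", b"/JavaScript", b"/JS", b"/Launch", b"/SubmitForm")


def extract_streams(pdf: bytes) -> list[tuple[bool, bytes]]:
    """Return (was_compressed, data) for every stream object in the file.

    FlateDecode streams are inflated; a stream that fails to inflate is kept as
    empty bytes so a deliberately corrupted object does not abort the scan.
    """
    out = []
    for m in STREAM_RE.finditer(pdf):
        # The stream dictionary sits between the enclosing "N G obj" and "stream".
        obj_start = max(pdf.rfind(b" obj", 0, m.start()), 0)
        compressed = b"/FlateDecode" in pdf[obj_start:m.start()]
        data = m.group(1)
        if compressed:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                data = b""
        out.append((compressed, data))
    return out


def scan_pdf(pdf: bytes) -> dict:
    """Collect markers and URLs from the raw file plus every inflated stream."""
    streams = extract_streams(pdf)
    views = [pdf] + [data for _, data in streams]
    markers = sorted({mk.decode() for v in views for mk in MARKERS if mk in v})
    urls = sorted({u.decode(errors="replace") for v in views for u in URI_RE.findall(v)})
    # Heuristic used here: a form object together with an auto-triggered action
    # or an outbound URI is worth an analyst's look; neither alone is conclusive.
    has_form = "/AcroForm" in markers
    has_trigger = bool(urls) or any(mk in markers for mk in ("/OpenAction", "/JavaScript", "/JS"))
    return {
        "flate_streams": sum(1 for compressed, _ in streams if compressed),
        "markers": markers,
        "urls": urls,
        "suspicious": has_form and has_trigger,
    }


if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

Run against the embedded sample, `scan_pdf` reports one inflated stream, the `/AcroForm` and `/OpenAction` markers, and the placeholder URL, and flags the file; a plain catalog with no streams is not flagged. In a real pipeline the URL list is what you would feed to the next stage (hosting-provider and domain-age checks), since the reporting notes that the staging pages sit on legitimate infrastructure.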
1 month ago
North Korean State-Backed Crypto Theft and Infrastructure Operations
North Korean state-sponsored threat actors, including the Lazarus Group and Kimsuky, have been responsible for a dramatic surge in global cryptocurrency theft in 2025, stealing at least $2.02 billion—over half of the total $3.4 billion stolen worldwide. The February compromise of the Bybit cryptocurrency exchange accounted for $1.5 billion of these losses, with the attack attributed to the TraderTraitor cluster, and further links established through malware infrastructure analysis. Lazarus Group, affiliated with North Korea's Reconnaissance General Bureau, has also been implicated in the theft of $36 million from Upbit and is estimated to have stolen over $6.75 billion cumulatively through a series of high-profile heists and campaigns. Recent collaborative research by Hunt.io and the Acronis Threat Research Unit has uncovered new operational infrastructure used by both Lazarus and Kimsuky across global campaigns. The investigation revealed active tool-staging servers, credential theft environments, and tunneling nodes, highlighting the interconnected nature of DPRK cyber operations. Despite evolving malware and tactics, these groups consistently reuse infrastructure, making their activities traceable across campaigns. The findings provide defenders with actionable intelligence on the infrastructure patterns and operational habits of North Korean threat actors, supporting efforts to detect and disrupt ongoing and future attacks.
1 month ago
North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted **North Korea-linked cyber activity** spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a **fake LinkedIn job interview** attributed to **Lazarus** tradecraft (tagged *BeaverTail* / *Contagious Interview*), indicating continued use of recruiter-style lures and developer tooling themes (e.g., *VSCode*) to gain execution on target systems. Separately, eSentire published technical analysis on the **DEV#POPPER remote access trojan** and associated **OmniStealer** activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class. Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s *Cloud Threat Horizons Report H1 2026* discussed cloud-focused threat activity and tracked DPRK-linked clusters (including **UNC4899** and **UNC5267**), while Logpresso published an OSINT report on **DPRK remote IT worker** infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of **North Korea’s software export ecosystem**, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.
5 days ago