North Korea’s Chollima Threat Actors Evolve and Expand Targeting
Reporting highlighted multiple, unrelated threat developments rather than a single cohesive incident. One thread focused on North Korea-linked Chollima activity: a targeted spear-phishing operation attributed to Ricochet Chollima used Dropbox-hosted lures to deliver archives containing weaponized Windows shortcut (.LNK) files, with tradecraft designed to evade detection (including multi-stage execution and fileless, memory-resident behavior). Separately, a CrowdStrike-based report described a strategic reorganization of LABYRINTH CHOLLIMA into three operational groupings—GOLDEN CHOLLIMA (smaller, steady revenue theft), PRESSURE CHOLLIMA (high-payout crypto heists), and a core espionage unit—while retaining shared malware “DNA” via frameworks such as KorDLL and Hawup, indicating continued coordination across DPRK cyber operations.
Other items covered distinct, non-DPRK activity and should not be conflated with the Chollima reporting. One article described infostealer campaigns expanding to macOS, including Python-based cross-platform stealers and macOS families such as Atomic macOS Stealer (AMOS), using malvertising, fake installers/DMGs, and trusted platforms to harvest credentials, cookies, keychain data, crypto wallets, and developer secrets. Another described a fake Dropbox phishing campaign using PDF-based staging (including obfuscation techniques like FlateDecode and AcroForm objects) hosted on legitimate infrastructure (e.g., Vercel Blob storage) to redirect victims to a counterfeit login page and exfiltrate credentials via Telegram—a separate credential-harvesting operation not tied to the Chollima APT reporting.
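As an added illustration of the defensive side of the PDF-staged phishing described above (this is example code, not from any of the cited reports), the following Python triage routine inflates every FlateDecode stream in a PDF and reports form/action keywords and URLs that only become visible after inflation. The sample PDF bytes and the URL inside them are constructed for the example.

```python
import re
import zlib

# Constructed sample: a tiny PDF whose /AcroForm dictionary and URI action are
# hidden inside a FlateDecode-compressed stream, so a plain string search misses them.
_HIDDEN = (b"<< /AcroForm << /Fields [] >> "
           b"/OpenAction << /S /URI /URI (https://login-page.example.invalid/dropbox) >> >>")
_COMPRESSED = zlib.compress(_HIDDEN)
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"4 0 obj\n<< /Length " + str(len(_COMPRESSED)).encode() +
              b" /Filter /FlateDecode >>\nstream\n" + _COMPRESSED +
              b"\nendstream\nendobj\n%%EOF\n")

# A stream is "<< dict >> stream ... endstream"; the dict has no nested brackets here.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
SUSPICIOUS = [b"/AcroForm", b"/OpenAction", b"/URI", b"/JavaScript", b"/Launch", b"/SubmitForm"]
URL_RE = re.compile(rb"https?://[^\s()<>]+")


def inflate_streams(pdf: bytes) -> bytes:
    """Return the raw PDF plus the inflated content of every FlateDecode stream."""
    pieces = [pdf]
    for dict_part, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                pieces.append(zlib.decompress(body))
            except zlib.error:
                pieces.append(b"")  # corrupt or non-zlib stream: nothing to inflate
    return b"\n".join(pieces)


def triage_pdf(pdf: bytes) -> dict:
    """Flag action/form keywords and external URLs, noting which were hidden by compression."""
    expanded = inflate_streams(pdf)
    return {
        "keywords": [k.decode() for k in SUSPICIOUS if k in expanded],
        "hidden_keywords": [k.decode() for k in SUSPICIOUS if k in expanded and k not in pdf],
        "urls": sorted({u.decode(errors="replace") for u in URL_RE.findall(expanded)}),
    }
```

A non-empty `hidden_keywords` list on a "Dropbox share" PDF is a strong triage signal, since benign documents rarely need their form and action dictionaries compressed out of sight.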
Timeline
Feb 3, 2026
Analysis published on Ricochet Chollima's LNK-based malware campaign
Genians Security Center and an analyst identified as S3N4T0R documented the stages, evasion methods, persistence, and Dropbox API-based command-and-control used in Operation: ToyBox Story. The public reporting revealed technical details of the campaign's infection chain and tradecraft.
Feb 3, 2026
CrowdStrike reports LABYRINTH CHOLLIMA split into three operational groups
CrowdStrike reported that the North Korean threat actor formerly known as LABYRINTH CHOLLIMA had restructured into GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a core espionage unit retaining the LABYRINTH CHOLLIMA name. The report said the split enabled parallel espionage and cryptocurrency theft operations while the groups continued sharing tools and infrastructure.
Mar 1, 2025
Ricochet Chollima begins 'Operation: ToyBox Story' spear-phishing campaign
Starting in March 2025, Ricochet Chollima targeted activists and organizations focused on North Korea with spear-phishing emails impersonating trusted North Korea security experts. The campaign delivered Dropbox links to ZIP archives containing malicious LNK files that launched a multi-stage, largely fileless malware chain.
Related Stories

CrowdStrike Reports DPRK Labyrinth Chollima Split into Golden and Pressure Chollima Crypto-Theft Units
CrowdStrike reported that the long-running DPRK-linked activity it tracks as **Labyrinth Chollima** has diverged into three distinct operations, with two offshoots—**Golden Chollima** and **Pressure Chollima**—focused on cryptocurrency theft while the remaining Labyrinth Chollima activity concentrates on espionage. The split reflects increasing specialization: Labyrinth Chollima is described as targeting sectors including manufacturing, logistics, defense, and aerospace, while the crypto-focused units are assessed as generating revenue that supports the North Korean regime and, in part, its cyber operations. CrowdStrike tied **Golden Chollima** to sustained, lower-value theft operations against cryptocurrency/fintech targets and described a tooling lineage that includes **Jeus** (and macOS **AppleJeus**) and overlaps with components such as *PipeDown*, *DevobRAT*, *HTTPHelper*, and *Anycon*, alongside more recent cloud-focused tradecraft (e.g., recruitment-fraud delivery of malicious Python packages leading to cloud IAM/resource access and crypto diversion). **Pressure Chollima** was characterized as pursuing high-payout opportunities globally and was linked in public reporting to record-setting cryptocurrency thefts (including a cited **$1.46B** heist), with CrowdStrike assessing it as among the DPRK’s more technically advanced crypto-theft operators; despite specialization, the groups reportedly retain shared lineage (including ties to the broader *Lazarus Group* construct) and exhibit some shared tools/infrastructure suggesting centralized coordination.
1 month ago
North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted **North Korea-linked cyber activity** spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a **fake LinkedIn job interview** attributed to **Lazarus** tradecraft (tagged *BeaverTail* / *Contagious Interview*), indicating continued use of recruiter-style lures and developer tooling themes (e.g., *VSCode*) to gain execution on target systems. Separately, eSentire published technical analysis on the **DEV#POPPER remote access trojan** and associated **OmniStealer** activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class. Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s *Cloud Threat Horizons Report H1 2026* discussed cloud-focused threat activity and tracked DPRK-linked clusters (including **UNC4899** and **UNC5267**), while Logpresso published an OSINT report on **DPRK remote IT worker** infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of **North Korea’s software export ecosystem**, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.
5 days ago
North Korean Threat Actors Use AI-Enabled IT Worker Scams and Target Crypto Firms
Microsoft-linked reporting says **North Korean threat actors** are using **AI** to scale and refine long-running “fake IT worker” schemes, where operatives pose as legitimate remote hires to obtain *authorized* access inside victim organizations. The activity is attributed to DPRK-linked clusters **Jasper Sleet** and **Coral Sleet**, with AI used to improve identity fabrication and maintenance (including face/voice manipulation) and to sustain day-to-day communications that help keep fraudulent personas credible, enabling “sustained, large-scale misuse of legitimate access.” Separately, reporting on suspected DPRK-linked intrusions describes a coordinated campaign against **cryptocurrency organizations** spanning staking platforms, exchange software providers, and exchanges, with theft of **source code, private keys, and cloud secrets**. Investigators described two primary access paths: exploitation of `CVE-2025-55182` in the *React2Shell* framework (including mass scanning and WAF-bypass techniques) and the use of **pre-obtained valid AWS access tokens** to move directly into cloud enumeration; researchers also recovered artifacts from attacker infrastructure (e.g., shell history, archived code, and tool configurations) that provided visibility into post-compromise activity and C2 setup.
1 month ago