NOWHERE TO HIDE CROWDSTRIKE 2023 THREAT HUNTING REPORT

2023-08-08 CrowdStrike

https://go.crowdstrike.com/rs/281-OBQ-266/images/report-crowdstrike-2023-threat-hunting-report.pdf

Attachments

report-crowdstrike-2023-threat-hunting-report.pdf (1 MB)

CrowdStrike's 2023 threat hunting report highlights LABYRINTH CHOLLIMA as a DPRK adversary active across Windows, Linux, and macOS, including activity tied to the 3CX supply-chain compromise. CrowdStrike assesses the group is likely affiliated with Bureau 121 of the Reconnaissance General Bureau and describes its currency-generation operations as global in scope. The report says LABYRINTH CHOLLIMA targets financial technology and cryptocurrency organizations, updates tooling and tradecraft for Linux and macOS, and increasingly emphasizes operational security and defense evasion. CrowdStrike also notes that North Korean adversaries were the most aggressive state-sponsored actors targeting the financial sector during the reporting period.

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN attacker.com 2023-08-08 2023-08-08
DOMAIN fleetdeck.io 2023-08-08 2023-08-08
