Labyrinth Chollima Expands Activity, Spawns Offshoots
Verticals Targeted: Cryptocurrency, Financial, Industrial, Manufacturing, Defense, Aerospace, Logistics, Shipping
Regions Targeted: United States, Canada, South Korea, India, Europe, Japan, Italy
Related Families: Multiple families per threat actor
Executive Summary
Labyrinth Chollima operations have segmented into three distinct entities since 2018: Golden Chollima and Pressure Chollima, focused on cryptocurrency theft, and the core Labyrinth Chollima group, oriented toward espionage. Despite operational separation, the groups share tools, infrastructure, and tradecraft rooted in common malware frameworks, reflecting coordinated resource management within North Korea's cyber apparatus.
Key Takeaways
- Labyrinth Chollima evolved from the Kordll framework (2009-2015) through Hawup into three specialized subgroups with divergent malware paths and objectives.
- Golden Chollima conducts consistent, lower-value cryptocurrency thefts using tools like Jeus and Applejeus variants, malicious Python packages, and Chromium zero-days.
- Pressure Chollima executes high-profile, large-scale cryptocurrency heists with advanced implants such as Sparkdownloader, Scuzzyfuss, and Twopence Electric.
- Core Labyrinth Chollima prioritizes espionage against defense and industrial sectors, leveraging Fudmodule …