lazarusholic

Everyday is lazarus.dayβ

FamousChollima

Formerly tracked by CrowdStrike Intelligence as the BadClone activity cluster, FAMOUS CHOLLIMA has been active since at least 2018. The adversary primarily conducts operations to illicitly obtain freelance or full-time equivalent (FTE) work to earn a salary that can be funneled to North Korea. The adversary has also deployed the custom malware families BeaverTail and InvisibleFerret

2024-08-07, CrowdStrike
https://www.crowdstrike.com/adversaries/famous-chollima/
"Formerly tracked by CrowdStrike Intelligence as the BadClone activity cluster, FAMOUS CHOLLIMA has been active since at least 2018. The adversary primarily conducts operations to illicitly obtain freelance or full-time equivalent (FTE) work to earn a salary that can be funneled to North Korea. The adversary has also deployed the custom malware families BeaverTail and InvisibleFerret as well as rem..."

- CrowdStrike, https://www.crowdstrike.com/adversaries/famous-chollima/

Also known as

 
Name Named by AKA First seen Last seen
ContagiousInterview PaloaltoNetworks FamousChollima 2024-10-09 2026-05-31
ElusiveComet SecurityAlliance FamousChollima 2025-03-24 2025-04-17
FamousChollima CrowdStrike - 2024-08-07 2026-05-31
G1052 MITRE ContagiousInterview 2025-10-19 2025-10-19
GwisinGang DtexSystems FamousChollima 2025-05-14 2025-05-14
HexagonalRodent Expel FamousChollima 2026-04-23 2026-04-30
JasperSleet Microsoft FamousChollima 2025-06-30 2026-04-21
NickelAlley SecureWorks PurpleBravo 2026-03-23 2026-03-23
NickelTapestry SecureWorks FamousChollima 2024-10-16 2025-05-08
PolinRider OSM ContagiousInterview 2026-03-08 2026-04-12
PurpleBravo RecordedFuture FamousChollima 2025-02-13 2026-01-21
Storm-0287 Microsoft JasperSleet 2025-06-30 2025-06-30
TAG-120 RecordedFuture PurpleBravo 2025-02-13 2025-02-13
TenaciousPungsan Datadog FamousChollima 2024-10-24 2024-10-24
UNC5267 Mandiant FamousChollima 2024-09-23 2026-03-09
UNC5342 Mandiant FamousChollima 2025-04-24 2025-10-16
VoidDokkaebi TrendMicro FamousChollima 2025-04-23 2026-05-22
WaterPlum NTTSecurity FamousChollima 2025-05-08 2026-03-17

Reports

2026-05-31
Socket
Famous Chollima Targets PHP Developers Through Compromised Packagist Package
#ContagiousInterview #FamousChollima
2026-05-28
SafeDep
Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace
#FamousChollima #HuggingFace #NPM
2026-05-14
CrowdStrike
CrowdStrike 2026 Financial Services Threat Landscape Report
#FamousChollima #GoldenChollima #PressureChollima #StardustChollima
2026-05-01
Kmsec
North Korea's abuse of Cloudflare Workers and Pages
#FamousChollima #NPM #PylangGhost
2026-04-29
ReversingLabs
Claude adds PromptMink malicious dependency to crypto agent
#FamousChollima #PromptMink
2026-04-13
Bitso
North Korea's Safari: Hunting for RATs
#ClickFix #FamousChollima
2026-04-10
Panther
Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor
#FamousChollima #NPM
2026-04-03
Panther
jsonspack: Multi-Tenant Node.js RAT â DPRK Supply Chain Campaign
#FamousChollima #NPM
2026-03-19
Bitso
Smile, you’re on camera! Livestreaming from North Korea’s IT workers laptop farm
#FamousChollima #ITWorker #Youtube
2026-03-17
Kmsec
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators
#ContagiousTrader #FamousChollima #NPM
2026-03-13
Kmsec
First instance of PylangGhost RAT observed on npm
#FamousChollima #PylangGhost #NPM
2026-03-09
SerapHim
Contagious Interview Campaign: Independent Analysis of the StegaBin Wave
#ContagiousInterview #FamousChollima #StegaBin
2026-03-05
Bitso
North Korea's Safari: Poaching for Gophers
#FamousChollima #ClickFix
2026-02-27
Socket
StegaBin: 26 Malicious npm Packages Use Pastebin Steganograp...
#ContagiousInterview #FamousChollima #NPM #Steganography #StegaBin
2026-02-26
Kmsec
Novel DPRK stager using Pastebin and text steganography
#FamousChollima #NPM #Steganography
2026-02-24
CrowdStrike
CrowdStrike 2026 Global Threat Report: Evasive Adversary Wields AI
#FamousChollima #PressureChollima #StardustChollima #Trend
2026-02-22
Kmsec
Tracking DPRK operator IPs over time
#FamousChollima #NPM
2026-02-21
Kmsec
DPRK tests Google Drive as a malware stager
#FamousChollima #NPM
2026-02-21
Bitso
North Korea's Safari: Poaching for Armadillos
#Armadillos #FamousChollima
2026-02-16
Kmsec
Exposed DPRK reference malware and logs
#FamousChollima #NPM
2026-02-13
Kmsec
VMWare artifacts left by a FAMOUS CHOLLIMA operator
#FamousChollima #NPM
2026-02-12
BoringSecurity
Famous Chollima and Dragon Sickness
#ContagiousInterview #FamousChollima #VSCode
2026-01-19
Ahnlab
December 2025 APT Group Trends
#FamousChollima #Lazarus #Trend
2026-01-19
Ahnlab
2025년 12월 APT 그룹 동향 보고서
#FamousChollima #Lazarus #Trend
2025-12-12
Ahnlab
2025년 11월 APT 그룹 동향 보고서
#FamousChollima #Kimsuky #Konni #Trend
2025-12-04
AnyRun
How We Caught Lazarus's IT Workers Scheme Live on Camera
#ITWorker #FamousChollima
2025-11-17
SOCRadar
The Deepfake Threat: Chollima APT Group Uses AI Filters to Infiltrate Crypto and Web3 Companies
#Deepfake #FamousChollima
2025-11-13
RansomISAC
Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 3)
#EtherHiding #FamousChollima
2025-11-12
Ahnlab
2025년 10월 APT 그룹 동향 보고서
#FamousChollima #Larva-25004 #Trend
2025-11-11
Bitso
Interview with the Chollima VI
#FamousChollima
2025-11-08
Bitso
Interview with the Chollima V
#FamousChollima
2025-11-03
Bitso
Interview with the Chollima IV
#FamousChollima
2025-10-30
Bitso
Interview with the Chollima III
#FamousChollima
2025-10-24
PolySwarm
Famous Chollima Evolves Its Arsenal, Merging BeaverTail and OtterCookie
#BeaverTail #FamousChollima #OtterCookie
2025-10-16
CiscoTalos
BeaverTail and OtterCookie evolve with a new Javascript module
#BeaverTail #OtterCookie #FamousChollima
2025-10-01
ENISA
ENISA Threat Landscape 2025
#Trend #FamousChollima #Lazarus
2025-08-27
Anthropic
Detecting and countering misuse of AI: August 2025
#ITWorker #ContagiousInterview #FamousChollima
2025-08-06
AnyRun
PyLangGhost RAT: Rising Data Stealer from Lazarus Group Targeting Finance and Technology
#ClickFix #FamousChollima #PylangGhost
2025-08-04
CrowdStrike
CrowdStrike 2025 Threat Hunting Report: AI Becomes a Weapon and a Target
#FamousChollima #Trend
2025-08-02
S3N4T0R
Famous Chollima APT Adversary Simulation
#FamousChollima
2025-06-26
Bitso
Interview with the Chollima II
#FamousChollima
2025-06-23
PolySwarm
Famous Chollima’s PylangGhost
#FamousChollima #PylangGhost
2025-06-18
CiscoTalos
Famous Chollima deploying Python version of GolangGhost RAT
#ClickFix #FamousChollima #PylangGhost
2025-04-24
Silentpush
Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware
#BeaverTail #ContagiousInterview #InvisibleFerret #OtterCookie #FamousChollima #ClickFix
2025-04-11
Bitso
Interview with the Chollima
#ContagiousInterview #OtterCookie #FamousChollima
2025-04-07
Fortune
Thousands of North Korean IT workers have infiltrated the Fortune 500—and they keep getting hired for more jobs
#FamousChollima #ITWorker #News
2025-02-28
Silentpush
Astrill VPN: Silent Push Publicly Releases New IPs on VPN Service Heavily Used by North Korean Threat Actors
#ContagiousInterview #FamousChollima
2025-02-27
CrowdStrike
2025 Global Threat Report
#FamousChollima #LabyrinthChollima #Trend
2024-12-13
CrowdStrike
Technical Case Study: Defend Against Insider Threats
#FamousChollima
2024-12-13
PolySwarm
2024 Recap - North Korean Threat Actor Activity
#MoonstoneSleet #FamousChollima #LabyrinthChollima #RicochetChollima #SilentChollima #StardustChollima #VelvetChollima
2024-10-29
SecurityScorecard
The Job Offer That Wasn’t: How We Stopped an Espionage Plot
#BeaverTail #FamousChollima #InvisibleFerret
2024-10-29
Macnica
北からのジョブオファー: ソフトウェア開発者を狙うContagious Interview
#FamousChollima #InvisibleFerret #ContagiousInterview #BeaverTail
2024-08-20
CrowdStrike
Hunting the Rogue Insiders Operating for FAMOUS CHOLLIMA
#FamousChollima #Podcast
2024-08-07
CrowdStrike
CrowdStrike 2024 Threat Hunting Report
#FamousChollima #Trend #BeaverTail #InvisibleFerret #ITWorker