LABYRINTH CHOLLIMA Evolves into Three Adversaries
Essential information
- Published
- 30/01/2026 08:48
- Modified
- 30/01/2026 08:57
- Tags
- 2026-01-30 alertconf anycon applejeus backdoor.apt.fakewinhttphelper brambul bubblewrap citriloader cloud cryptocurrency devobrat dozer dprk espionage fintech fudmodule ghostship hawup hawup rat hiberrat hoplight httphoplight joanap kordll kordll bot koredos magikcookie manuscrypt matanet neddnloader nodalbaker north korea openssl downloader pipedown scuzzyfuss snakebaker sparkdownloader stackeyflate statussymbol swdownloader twopence electric undergroundrat winwebdown zero-day
- Related entities
- 33 observables, 1 intrusion set (apt), 18 techniques (mitre), 34 malware, 8 others
Description
The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYRINTH CHOLLIMA continues espionage operations targeting industrial, logistics, and defense companies. Despite operating independently, these groups share tools and infrastructure, indicating coordinated resource allocation within North Korea's cyber ecosystem. The evolution stems from the KorDLL malware framework, which spawned several malware families. Recent operations demonstrate cloud-focused tradecraft and the use of zero-day vulnerabilities to deliver malware.