{
  "name": "LABYRINTH CHOLLIMA Evolves into Three Adversaries",
  "slug": "labyrinth-chollima-evolves-into-three-adversaries",
  "description": "The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYRINTH CHOLLIMA continues espionage operations targeting industrial, logistics, and defense companies. Despite operating independently, these groups share tools and infrastructure, indicating coordinated resource allocation within North Korea's cyber ecosystem. The group's evolution into three adversaries stems from the KorDLL malware framework, which spawned several malware families. Recent operations demonstrate cloud-focused tradecraft and the use of zero-day vulnerabilities to deliver malware.",
  "published": "2026-01-30T07:48:36+00:00",
  "created_at": "2026-01-30T07:48:36+00:00",
  "modified_at": "2026-01-30T07:57:01+00:00",
  "created_at_opencti": "2026-01-30T07:48:36+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-30",
    "alertconf",
    "anycon",
    "applejeus",
    "backdoor.apt.fakewinhttphelper",
    "brambul",
    "bubblewrap",
    "citriloader",
    "cloud",
    "cryptocurrency",
    "devobrat",
    "dozer",
    "dprk",
    "espionage",
    "fintech",
    "fudmodule",
    "ghostship",
    "hawup",
    "hawup rat",
    "hiberrat",
    "hoplight",
    "httphoplight",
    "joanap",
    "kordll",
    "kordll bot",
    "koredos",
    "magikcookie",
    "manuscrypt",
    "matanet",
    "neddnloader",
    "nodalbaker",
    "north korea",
    "openssl downloader",
    "pipedown",
    "scuzzyfuss",
    "snakebaker",
    "sparkdownloader",
    "stackeyflate",
    "statussymbol",
    "swdownloader",
    "twopence electric",
    "undergroundrat",
    "winwebdown",
    "zero-day"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "f749c7e84809ffc3939eaed06ad90e15b0e11375f98d7348c0aa1bf35d3f0b8e"
      },
      {
        "id": "",
        "name": "512877c98fd83cd51bb287da4462b44f9d276d7ce51890f4ded1b915a6d2d5e1"
      },
      {
        "id": "",
        "name": "d2359630e84f59984ac7ddebdece9313f0c05f4a1e7db90abadfd86047c12dd6"
      },
      {
        "id": "",
        "name": "666c50b8b772101b0e2e35ff1de52a278c2727027b54858e457571d296fec50b"
      },
      {
        "id": "",
        "name": "4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b"
      },
      {
        "id": "",
        "name": "1579347265f948f9646931335d57e7960fe65dd429394be84b4ae15bca73dfde"
      },
      {
        "id": "",
        "name": "b9f6a9d4f837f5b8a5dc9987a91ba44bc7ae7f39aa692b5b21dba460f935a0ae"
      },
      {
        "id": "",
        "name": "a795964bc2be442f142f5aea9886ddfd297ec898815541be37f18ffeae02d32f"
      },
      {
        "id": "",
        "name": "fc885b323172106ab6f2f0cc77b609987384a38e3af41ad888d5389610d29daf"
      },
      {
        "id": "",
        "name": "d2e743216d17e97c8d1913d376d46095b740015f26a3c62a05e286573721d26c"
      },
      {
        "id": "",
        "name": "2ef212f433b722b734d80b41a2364a41ca0453dbfe3e6ec8b951eca795075a02"
      },
      {
        "id": "",
        "name": "ceccb2339088fa2d6337082704bbf67f84eeb0d0b60ce5ab0ab7e1824002fa4c"
      },
      {
        "id": "",
        "name": "0518a163b90e7246a349440164d02d10f31d514a7e5cce842b6cf5b3a0cc1bfa"
      },
      {
        "id": "",
        "name": "d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b"
      },
      {
        "id": "",
        "name": "fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e"
      },
      {
        "id": "",
        "name": "58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c"
      },
      {
        "id": "",
        "name": "081804b491c70bfa63ecdbe9fd4618d3570706ad8b71dba13e234069648e5e48"
      },
      {
        "id": "",
        "name": "cbd1634cf7c638f2faf5e3ec79137db6704ec9de8df798fc46aeeed38de3da9b"
      },
      {
        "id": "",
        "name": "7dee2bd4e317d12c9a2923d0531526822cfd37eabfd7aecc74258bb4f2d3a643"
      },
      {
        "id": "",
        "name": "56e51244e258c39293463c8cf02f5dddb085be90728fab147a60741cf014aa4d"
      },
      {
        "id": "",
        "name": "2110a6e89d98a626f846ec8deccbac057300d194933ae0cbf1ef4831a4cc829e"
      },
      {
        "id": "",
        "name": "05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461"
      },
      {
        "id": "",
        "name": "73edc54abb3d6b8df6bd1e4a77c373314cbe99a660c8c6eea770673063f55503"
      },
      {
        "id": "",
        "name": "357c9daf6c4343286a9a85a27bc25defdc056877ce1be2943d2e8ede3bce022c"
      },
      {
        "id": "",
        "name": "a61ecbe8a5372c85dcf5d077487f09d01e144128243793d2b97012440dcf106e"
      },
      {
        "id": "",
        "name": "f9586fdf4e0a65b17ee32bc3c3f493a055409abde373720d594d27fd24adffa0"
      },
      {
        "id": "",
        "name": "dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156"
      },
      {
        "id": "",
        "name": "e0aa5ef3af26681a8c8b46d95656580779d0ff3c2fe531b95a59ee918686e443"
      },
      {
        "id": "",
        "name": "fde50c3a373ebc2661e08c99c1cb50dc34efc022a3880c317ab5b84108ef83aa"
      },
      {
        "id": "",
        "name": "9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598"
      },
      {
        "id": "",
        "name": "b6995c31a7ee88392fc25fd6d1a3a7975b3cb4ec3a9a318c3fcfaaf89eb65ce1"
      },
      {
        "id": "",
        "name": "ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9"
      },
      {
        "id": "",
        "name": "453d8bd3e2069bc50703eb4c5d278aad02304d4dc5d804ad2ec00b2343feb7a4"
      }
    ],
    "malware": [
      {
        "id": "2519e583-a583-42cc-9b8a-b4603c6d0f46",
        "name": "SwDownloader",
        "slug": "swdownloader"
      },
      {
        "id": "36ced30b-6cfa-4b77-ae2d-80cc6a787ec3",
        "name": "Brambul",
        "slug": "brambul"
      },
      {
        "id": "legacy:malware:baadc0e10a7170ce",
        "name": "AppleJeus - S0584",
        "slug": "applejeus-s0584"
      },
      {
        "id": "legacy:malware:1a87afa426a6ff48",
        "name": "KorDLL Bot",
        "slug": "kordll-bot"
      },
      {
        "id": "legacy:malware:11ecbb5badcabd12",
        "name": "Scuzzyfuss",
        "slug": "scuzzyfuss"
      },
      {
        "id": "legacy:malware:4eda66d6218a14e6",
        "name": "AlertConf",
        "slug": "alertconf"
      },
      {
        "id": "legacy:malware:509f63bea3bc1955",
        "name": "CitriLoader",
        "slug": "citriloader"
      },
      {
        "id": "legacy:malware:1445c4e34b43cefa",
        "name": "BUBBLEWRAP",
        "slug": "bubblewrap"
      },
      {
        "id": "legacy:malware:13ae8fe99ffbae52",
        "name": "StatusSymbol",
        "slug": "statussymbol"
      },
      {
        "id": "legacy:malware:8c0344d13daceb44",
        "name": "DevobRAT",
        "slug": "devobrat"
      },
      {
        "id": "legacy:malware:a1f04933039df733",
        "name": "HTTPHoplight",
        "slug": "httphoplight"
      },
      {
        "id": "legacy:malware:5cbc31344a4c8d92",
        "name": "Manuscrypt",
        "slug": "manuscrypt"
      },
      {
        "id": "legacy:malware:a97f1e6d386fda2d",
        "name": "OpenSSL Downloader",
        "slug": "openssl-downloader"
      },
      {
        "id": "legacy:malware:0c9ff2c4ea98e6a7",
        "name": "BUBBLEWRAP - S0043",
        "slug": "bubblewrap-s0043"
      },
      {
        "id": "legacy:malware:4e287134768e4f34",
        "name": "PipeDown",
        "slug": "pipedown"
      },
      {
        "id": "legacy:malware:dba3fcdd73b69b5a",
        "name": "Dozer",
        "slug": "dozer"
      },
      {
        "id": "legacy:malware:d7d25791290ca9b4",
        "name": "Hawup RAT",
        "slug": "hawup-rat"
      },
      {
        "id": "legacy:malware:ff596b5b3c32bd11",
        "name": "SparkDownloader",
        "slug": "sparkdownloader"
      },
      {
        "id": "legacy:malware:f00a3a95e63744c3",
        "name": "FudModule",
        "slug": "fudmodule"
      },
      {
        "id": "legacy:malware:53067e1275fce5c5",
        "name": "UnderGroundRAT",
        "slug": "undergroundrat"
      },
      {
        "id": "legacy:malware:0c1d87be2b13e6b7",
        "name": "WinWebDown",
        "slug": "winwebdown"
      },
      {
        "id": "legacy:malware:3e9208749951b5ab",
        "name": "NodalBaker",
        "slug": "nodalbaker"
      },
      {
        "id": "legacy:malware:51650242c0ca049b",
        "name": "Koredos",
        "slug": "koredos"
      },
      {
        "id": "legacy:malware:e56a481cc251da66",
        "name": "GhostShip",
        "slug": "ghostship"
      },
      {
        "id": "legacy:malware:0d9dcb0fabf0e9e4",
        "name": "MataNet",
        "slug": "matanet"
      },
      {
        "id": "legacy:malware:1c03505204065c49",
        "name": "Anycon",
        "slug": "anycon"
      },
      {
        "id": "legacy:malware:7c28765f5d90256f",
        "name": "TwoPence Electric",
        "slug": "twopence-electric"
      },
      {
        "id": "legacy:malware:9745dd2a77fa067a",
        "name": "SnakeBaker",
        "slug": "snakebaker"
      },
      {
        "id": "legacy:malware:f1da221c3128fe62",
        "name": "MagikCookie",
        "slug": "magikcookie"
      },
      {
        "id": "legacy:malware:2b5f13fb721fdd68",
        "name": "HOPLIGHT - S0376",
        "slug": "hoplight-s0376"
      },
      {
        "id": "legacy:malware:cf2db11a66b3f2bb",
        "name": "HiberRAT",
        "slug": "hiberrat"
      },
      {
        "id": "legacy:malware:39621bcff6ee0666",
        "name": "Stackeyflate",
        "slug": "stackeyflate"
      },
      {
        "id": "legacy:malware:526868749e461835",
        "name": "NedDnLoader",
        "slug": "neddnloader"
      },
      {
        "id": "legacy:malware:80aafb4b71aa07cd",
        "name": "Joanap",
        "slug": "joanap"
      }
    ],
    "intrusion_sets": [
      {
        "id": "f84d0d4c-ec28-4155-b729-8e2c337a0d90",
        "name": "Lazarus Group",
        "slug": "lazarus-group"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "Canada"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/697c706415974488f8933c8c",
    "https://www.crowdstrike.com/en-us/blog/labyrinth-chollima-evolves-into-three-adversaries/"
  ]
}