The PolySwarm Blog


Labyrinth Chollima Expands Activity, Spawns Offshoots

Feb 6, 2026 12:15:57 PM / by The Hivemind

Verticals Targeted: Cryptocurrency, Financial, Industrial, Manufacturing, Defense, Aerospace, Logistics, Shipping
Regions Targeted: United States, Canada, South Korea, India, Europe, Japan, Italy
Related Families: Multiple families per threat actor

Executive Summary

Labyrinth Chollima operations have segmented into three distinct entities since 2018: Golden Chollima and Pressure Chollima, focused on cryptocurrency theft, and the core Labyrinth Chollima group, oriented toward espionage. Despite operational separation, the groups share tools, infrastructure, and tradecraft rooted in common malware frameworks, reflecting coordinated resource management within North Korea's cyber apparatus.

Key Takeaways

  • Labyrinth Chollima evolved from the Kordll framework (2009-2015) through Hawup into three specialized subgroups with divergent malware paths and objectives.
  • Golden Chollima conducts consistent, lower-value cryptocurrency thefts using tools like Jeus and Applejeus variants, malicious Python packages, and Chromium zero-days.
  • Pressure Chollima executes high-profile, large-scale cryptocurrency heists with advanced implants such as Sparkdownloader, Scuzzyfuss, and Twopence Electric.
  • Core Labyrinth Chollima prioritizes espionage against defense and industrial sectors, leveraging Fudmodule for kernel-level stealth and zero-day exploits in drivers, Chrome, and Windows.

Background

CrowdStrike reported on this activity and assigned the Golden Chollima and Pressure Chollima designations to the new activity clusters.

Labyrinth Chollima

CrowdStrike Intelligence now tracks Labyrinth Chollima more narrowly as the espionage-focused entity employing malware with Hoplight lineage. This shift recognizes the emergence of specialized subgroups Golden Chollima and Pressure Chollima around 2018-2020, each following independent malware development trajectories while originating from the Hawup framework. Shared code elements and infrastructure across the groups point to underlying coordination within the DPRK intelligence community, where successful tools and tactics proliferate.

Golden Chollima

Golden Chollima concentrates on economically advanced regions with robust cryptocurrency and fintech sectors, including the United States, Canada, South Korea, India, and Western Europe. Operations emphasize steady revenue through smaller-scale thefts, achieved via a dedicated toolkit. Initial campaigns from 2018 utilized Jeus and Applejeus, masquerading as cryptocurrency software from the fictitious Celas Limited entity. Subsequent variants exhibit shellcode overlaps with Pipedown, Devobrat, Httphelper, and Anycon. Recent activity incorporates cloud-focused techniques, such as delivering malicious Python packages through recruitment fraud to pivot into victim cloud environments for IAM manipulation and cryptocurrency diversion. Additional tradecraft includes exploitation of Chromium zero-days and deployment of Snakebaker and Nodalbaker at fintech targets.

Pressure Chollima

Pressure Chollima pursues high-impact cryptocurrency thefts without geographic constraints and is linked to the largest recorded incidents as well as additional multi-million-dollar compromises identified through wallet reuse. The group deploys low-prevalence, technically sophisticated implants. Divergence from Labyrinth Chollima likely began in early 2019 with Swdownloader, succeeded by Sparkdownloader (aka Tradertraitor). Contemporary campaigns employ malicious Node.js and Python projects to deliver Scuzzyfuss and Twopence Electric malware, marking the group as one of the DPRK's most advanced financially motivated adversaries.

Implications

Core Labyrinth Chollima maintains an espionage mandate, targeting manufacturing, defense, aerospace, logistics, and shipping entities, with emphasis on European defense firms, US, Japanese, and Italian manufacturers, and US critical infrastructure including hydroelectric facilities. The 2020 emergence aligns with subgroup separation, focusing on Hoplight-derived tools. The 2022 introduction of Fudmodule advanced capabilities through direct kernel manipulation and zero-day exploitation in vulnerable drivers, Chrome, and Windows. Cross-use by Golden Chollima underscores tool sharing. Delivery vectors in 2024-2025 included WhatsApp-based malicious ZIP files with trojanized applications and employment-themed social engineering tailored to industry roles.

This segmentation enhances the DPRK's capacity to pursue concurrent financial and intelligence objectives amid economic pressures from sanctions. Organizations in cryptocurrency, fintech, defense, manufacturing, and logistics sectors should maintain elevated awareness of DPRK-linked social engineering, particularly employment lures and trojanized software distributed via messaging platforms.

IOCs

PolySwarm has multiple samples of malware associated with each of these threat actor groups.

