One of North Korea’s most aggressive cyber units has undergone a major strategic evolution, splitting into three distinct operational groups to better target global finance and intelligence. According to a new report from CrowdStrike, the threat actor formerly known as LABYRINTH CHOLLIMA has segmented into specialized teams: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a core espionage unit that retains the original name.
This restructuring marks a significant shift in the DPRK’s cyber strategy, moving from a monolithic threat to a diversified portfolio of adversaries capable of simultaneously pursuing espionage and high-value theft.
The report details how the group, originally famous for the WannaCry ransomware attack, has evolved since 2018. The new structure allows each subgroup to specialize in different types of targets and tradecraft.

- GOLDEN CHOLLIMA: This group focuses on “baseline revenue generation” through consistent, smaller-value thefts. Targeting fintech firms in the U.S., South Korea, and Europe, they use tools like Jeus and AppleJeus to drain cryptocurrency wallets.
- PRESSURE CHOLLIMA: Described as one of the “most technically advanced adversaries,” this unit hunts for “high-payout opportunities regardless of geography”. They are responsible for the largest cryptocurrency heists on record, often hitting centralized exchanges with sophisticated implants.
- LABYRINTH CHOLLIMA (Core): The original group has refocused purely on espionage. Their mandate is intelligence collection, targeting “defense, maritime, military, and nuclear” sectors.
Despite operating separately, the groups remain deeply interconnected. They share a “common origin in the KorDLL and Hawup frameworks,” which serves as the tactical DNA for their malware.
As the report explains: “Despite operating independently, these three adversaries share tools and infrastructure, indicating centralized coordination and resource allocation within the DPRK cyber ecosystem”.
This cross-pollination is evident in tools like FudModule, a sophisticated rootkit that employs direct kernel manipulation. Originally developed by the core espionage group, it has also been spotted in the hands of the financial thieves at GOLDEN CHOLLIMA.
The driving force behind this evolution appears to be financial necessity. With international sanctions tightening, the regime in Pyongyang is under pressure to fund its military ambitions.
“The financial motivation for GOLDEN CHOLLIMA and PRESSURE CHOLLIMA operations will likely intensify as international sanctions continue to cripple the DPRK’s economy,” the report states.
Revenue from these cyber heists is believed to directly fund strategic military projects, including “constructing new destroyers, building nuclear-powered submarines, and launching additional reconnaissance satellites”.
CrowdStrike warns that organizations in the crosshairs—specifically in cryptocurrency, defense, and logistics—must be on high alert. The groups heavily favor “employment-themed lures and trojanized legitimate software delivered via messaging platforms” like WhatsApp to gain their initial foothold.
As the lines between state-sponsored espionage and state-sponsored crime blur, the fracturing of LABYRINTH CHOLLIMA suggests that North Korea’s cyber capabilities are becoming more specialized, more efficient, and more dangerous.