LABYRINTH CHOLLIMA Evolves into Three Adversaries

Jan. 30, 2026, 8:57 a.m.

Description

The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYRINTH CHOLLIMA continues espionage operations targeting industrial, logistics, and defense companies. Despite operating independently, these groups share tools and infrastructure, indicating coordinated resource allocation within North Korea's cyber ecosystem. The evolution stems from the KorDLL malware framework, which spawned several malware families. Recent operations demonstrate cloud-focused tradecraft and the use of zero-day vulnerabilities to deliver malware.

Indicators


Attack Patterns

  • SwDownloader
  • Brambul
  • AppleJeus - S0584
  • KorDLL Bot
  • Scuzzyfuss
  • AlertConf
  • CitriLoader
  • BUBBLEWRAP
  • StatusSymbol
  • DevobRAT
  • HTTPHoplight
  • Manuscrypt
  • OpenSSL Downloader
  • BUBBLEWRAP - S0043
  • PipeDown
  • Dozer
  • Hawup RAT
  • SparkDownloader
  • FudModule
  • UnderGroundRAT
  • WinWebDown
  • NodalBaker
  • Koredos
  • GhostShip
  • MataNet
  • Anycon
  • TwoPence Electric
  • SnakeBaker
  • MagikCookie
  • HOPLIGHT - S0376
  • HiberRAT
  • Stackeyflate
  • NedDnLoader
  • Joanap
  • Lazarus Group

Additional Information

  • Finance
  • Technology
  • Defense
  • Government
  • India
  • British Indian Ocean Territory
  • Canada
  • United States of America