Labyrinth Chollima Evolves Into Three Adversaries
Summary:
CrowdStrike has re-evaluated the activity of LABYRINTH CHOLLIMA (historically associated with the "Lazarus Group") and determined that the entity has fractured into three distinct operational subgroups: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a refined core LABYRINTH CHOLLIMA. While all three share a common lineage and occasionally use overlapping infrastructure, they have diverged significantly in their mission sets and malware. The core LABYRINTH CHOLLIMA remains focused on high-stakes espionage, specifically targeting the defense, aerospace, and manufacturing sectors. In contrast, GOLDEN CHOLLIMA and PRESSURE CHOLLIMA have specialized in financial gain via cryptocurrency theft. GOLDEN CHOLLIMA maintains a consistent operational tempo, targeting fintech firms in developed regions with "recruitment fraud" lures and cloud-focused tradecraft. PRESSURE CHOLLIMA, however, is the "high-roller" unit, pursuing massive, opportunistic heists globally with highly sophisticated, low-prevalence implants like Scuzzyfuss and TwoPence Electric.
Security Officer Comments:
This evolution highlights a move toward extreme specialization in North Korean operations. This is not just a change in naming conventions; it reflects a "business-unit" approach where different teams develop bespoke toolkits for specific victim environments. For our members in the defense and industrial sectors, the refined focus of the core LABYRINTH CHOLLIMA group is particularly concerning. Their shift toward leveraging Chromium zero-days and WhatsApp-based delivery of trojanized applications demonstrates a level of persistence that bypasses traditional email-centric defenses.
Furthermore, the rise of "recruitment fraud" and the infiltration of "North Korean IT workers" (often associated with GOLDEN CHOLLIMA) represents a significant supply chain and insider threat risk. These actors are no longer just trying to break into your network; they are trying to get hired into it. For organizations, the impact of a successful breach by any of these units is severe, ranging from the loss of proprietary industrial designs and aerospace schematics to the direct theft of digital assets and the potential for destructive "wiper" activity if the regime’s priorities shift toward retaliation.
Suggested Corrections:
To defend against these evolving threats, organizations should adopt a multi-layered defense strategy that addresses both the technical and human elements of the attack surface.
Personnel & Identity Verification:
- Enhanced Vetting: Given the prevalence of recruitment fraud, HR and security teams should implement rigorous identity verification for remote workers, including live video interviews and cross-referencing background checks with physical documentation.
- Insider Threat Monitoring: Monitor for the use of unauthorized remote desktop software (e.g., AnyDesk, RustDesk) or suspicious lateral movement shortly after a new hire joins, especially in IT or development roles.
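One way to operationalize the insider-threat monitoring recommendation above, as an added example that is not code from the CrowdStrike report or this advisory: correlate EDR process-start events with the HR start-date roster so that a launch of a remote-desktop tool such as AnyDesk or RustDesk within a new hire's first weeks is raised at higher severity than the same launch by a long-tenured user. The roster, the log lines, and the 30-day window are constructed assumptions.

```python
import json
from datetime import date, datetime, timedelta

# Constructed sample data (hypothetical, not from the CrowdStrike report):
# an HR roster with start dates and EDR process-start events as JSON lines.
NEW_HIRES = {
    "jdoe": {"start": "2024-05-01", "role": "software engineer"},
    "asmith": {"start": "2024-01-15", "role": "accountant"},
}
EVENTS = [
    r'{"ts":"2024-05-03T09:12:00","user":"jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}',
    r'{"ts":"2024-05-04T18:45:00","user":"jdoe","image":"C:\\Program Files\\RustDesk\\rustdesk.exe"}',
    r'{"ts":"2024-05-03T10:00:00","user":"asmith","image":"C:\\Windows\\System32\\notepad.exe"}',
    r'{"ts":"2024-05-03T11:30:00","user":"asmith","image":"C:\\Users\\asmith\\Downloads\\AnyDesk.exe"}',
]

# Executables of the remote-desktop tools the advisory names; extend with
# whatever your environment treats as unauthorized. Matching is on the
# basename so the install location (user profile, Program Files) is irrelevant.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "rustdesk.exe"}
NEW_HIRE_WINDOW = timedelta(days=30)  # assumed "shortly after joining" window

def basename(image: str) -> str:
    """Lower-cased final path component, accepting / or \\ separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def days_since_hire(user: str, ts: datetime, roster: dict):
    """Days from the user's start date to the event; None if not on the roster."""
    rec = roster.get(user)
    return None if rec is None else (ts.date() - date.fromisoformat(rec["start"])).days

def score_event(line: str, roster: dict):
    """Alert dict for a remote-access tool launch, or None for anything else.

    'high' when the user joined within NEW_HIRE_WINDOW (the advisory's
    'shortly after a new hire joins'), 'medium' for any other launch.
    """
    ev = json.loads(line)
    exe = basename(ev["image"])
    if exe not in REMOTE_ACCESS_TOOLS:
        return None
    tenure = days_since_hire(ev["user"], datetime.fromisoformat(ev["ts"]), roster)
    recent = tenure is not None and 0 <= tenure <= NEW_HIRE_WINDOW.days
    return {"user": ev["user"], "tool": exe, "ts": ev["ts"],
            "days_since_hire": tenure, "severity": "high" if recent else "medium"}

def run_detection(lines, roster=NEW_HIRES):
    """Run score_event over every log line and return the alerts raised."""
    return [a for a in (score_event(ln, roster) for ln in lines) if a]
```

In production the roster lookup would come from the HR system of record and the events from the EDR's process telemetry; the scoring logic stays the same.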
Technical & Network Security:
- Cloud Infrastructure Hardening: Since GOLDEN CHOLLIMA is pivoting to cloud environments, organizations must prioritize the security of Identity and Access Management (IAM) configurations. Enforce the Principle of Least Privilege (PoLP) and implement multi-factor authentication (MFA) that is resistant to phishing (e.g., FIDO2 keys).
- Zero-Day & Browser Protection: With the group’s documented use of Chromium zero-days, ensure that browser updates are forced across the enterprise immediately upon release. Consider using browser isolation technologies for high-risk users.
- Messaging Security: Educate employees on the risks of receiving files via non-traditional channels like WhatsApp or LinkedIn, which are being used to bypass email gateways. Implement endpoint detection and response (EDR) solutions that can identify and block the execution of malicious ZIP files and trojanized applications.
Link(s):
https://www.crowdstrike.com/en-us/blog/labyrinth-chollima-evolves-into-three-adversaries/