SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

CrowdStrike splits LABYRINTH CHOLLIMA into three units

Fri, 30th Jan 2026

CrowdStrike has recast a long-running North Korea-linked intrusion set known as LABYRINTH CHOLLIMA as three separate adversaries, with two units focused on cryptocurrency theft and one focused on espionage against industrial and defence-linked organisations.

The security firm said the new assessment identifies GOLDEN CHOLLIMA and PRESSURE CHOLLIMA as groups that likely now operate separately from the core LABYRINTH CHOLLIMA unit. CrowdStrike said the three units show different objectives, malware development paths and operational tempo. It said they also share infrastructure and tools, which points to centralised coordination.

Three units

GOLDEN CHOLLIMA and PRESSURE CHOLLIMA target cryptocurrency and financial entities, CrowdStrike said. It described their operations as revenue-focused activity conducted at scale. The core LABYRINTH CHOLLIMA unit continues to run espionage operations, the company added. It said the group targets industrial, logistics and defence organisations.

"CrowdStrike Intelligence assesses that three distinct, highly specialized operational subgroups have emerged since 2018, each with specialized malware, objectives, and tradecraft," said CrowdStrike.

CrowdStrike said it reached the revised view after a "comprehensive re-evaluation of historical data". It said the new grouping represents a shift from its earlier attribution framework for LABYRINTH CHOLLIMA.

Origins claimed

CrowdStrike traced the activity back to the KorDLL malware framework, which it said was active between 2009 and 2015. It described KorDLL as a repository with implant templates, command-and-control protocols and libraries for common tasks.

The company said KorDLL produced malware families that included Dozer, Brambul, Joanap, KorDLL Bot and Koredos. It said this work later evolved into the Hawup framework used by LABYRINTH CHOLLIMA. It also referenced the TwoPence framework used by another DPRK-linked unit it tracks as STARDUST CHOLLIMA.

CrowdStrike said three operational subgroups emerged from the Hawup framework between 2018 and 2020. It said the operational differences justify tracking them as distinct adversaries rather than specialised teams under a single umbrella.

Crypto operations

For GOLDEN CHOLLIMA, CrowdStrike said the group targets economically developed regions with significant cryptocurrency and fintech presence. It listed the US, Canada, South Korea, India and Western Europe. It said the group typically conducts smaller-value thefts at a more consistent tempo.

It said GOLDEN CHOLLIMA activity originated with Jeus in 2018. It said Jeus masqueraded as a cryptocurrency application. It said the application purported to come from a fictitious company called Celas Limited. CrowdStrike said it has observed eight variants of Jeus and AppleJeus, a macOS variant.

CrowdStrike said GOLDEN CHOLLIMA has used cloud-focused tradecraft. It said that in late 2024 the group delivered malicious Python packages via recruitment fraud to a European fintech company. It said the intruders pivoted into the victim's cloud environment and accessed IAM configurations. It said they ultimately diverted cryptocurrency to adversary-controlled wallets.

CrowdStrike also said it has observed GOLDEN CHOLLIMA using Chromium zero-days to deliver malware. It said its OverWatch threat hunting team detected deployments of SnakeBaker and its JS variant NodalBaker at fintech firms throughout June 2025.

For PRESSURE CHOLLIMA, CrowdStrike said the unit conducted the DPRK's highest-profile cryptocurrency heists, including the two largest cryptocurrency thefts on record. It cited public reporting that links additional thefts ranging from USD 52 million to USD 120 million to the same actor, based on reused cryptocurrency wallets.

CrowdStrike said PRESSURE CHOLLIMA differs from GOLDEN CHOLLIMA in operational pattern. It said PRESSURE CHOLLIMA pursues high-payout opportunities regardless of geography. It said the unit focuses on organisations with significant digital asset holdings. The company said PRESSURE CHOLLIMA deploys low-prevalence implants and sits among the DPRK's most technically advanced adversaries.

CrowdStrike said PRESSURE CHOLLIMA operations likely diverged from LABYRINTH CHOLLIMA in February 2019. It said this coincided with the experimental SwDownloader deployment. It said SparkDownloader later replaced it. It added that public tracking refers to SparkDownloader as TraderTraitor. It said recent campaigns used malicious Node.js and Python projects to deliver Scuzzyfuss and TwoPence Electric malware.

Espionage focus

CrowdStrike said it now tracks LABYRINTH CHOLLIMA more narrowly as an espionage operation. It said the unit is tied to malware with a Hoplight lineage. It said modern LABYRINTH CHOLLIMA operations emerged in 2020, around the same period as the divergence of GOLDEN and PRESSURE CHOLLIMA.

The company highlighted FudModule as a major development, with an emergence it placed in 2022. It said FudModule uses direct kernel manipulation for stealth. It said the group has leveraged zero-day exploits in vulnerable drivers, Chrome and Windows. It also said GOLDEN CHOLLIMA has reportedly used FudModule, which indicates shared access to tools.

CrowdStrike said LABYRINTH CHOLLIMA prioritises manufacturing and defence targets. It said the group has targeted European defence entities, as well as US, Japanese and Italian manufacturing organisations. It said that across 2024 and into 2025 it observed persistent targeting of European aerospace corporations with employment-themed lures, and zero-day exploitation against defence manufacturers.

It added that in the first half of 2025 it observed the adversary showing growing interest in logistics and shipping companies. It also said the adversary targeted US manufacturing companies, including critical infrastructure in areas such as hydroelectric power.

CrowdStrike said WhatsApp messaging has emerged as a primary initial compromise vector for LABYRINTH CHOLLIMA, with malicious ZIP files that contain trojanised applications. It said the actor has continued to use employment-themed social engineering in multiple campaigns.

"Shared infrastructure elements and tool cross-pollination indicate these units maintain close coordination," said CrowdStrike.

CrowdStrike said it expects financial motivation behind GOLDEN CHOLLIMA and PRESSURE CHOLLIMA operations to intensify as international sanctions continue to pressure the DPRK economy.