LABYRINTH CHOLLIMA’s segmentation into specialized operational units represents a strategic evolution that enhances the DPRK regime’s ability to simultaneously pursue multiple objectives.
CrowdStrike Intelligence now tracks LABYRINTH CHOLLIMA more narrowly as espionage operations using malware with a Hoplight lineage. Modern LABYRINTH CHOLLIMA operations emerged in 2020, coinciding with GOLDEN and PRESSURE CHOLLIMA’s divergence, likely indicating that blockchain malware experts and intelligence collection specialists moved into separate units.
CrowdStrike Intelligence assesses these three groups very likely operate as distinct organizational units within the DPRK cyber apparatus. This assessment is made with high confidence and supported by specialized malware development, distinct targeting patterns, and differences in operational tempo.
Shared infrastructure elements and tool cross-pollination indicate these units maintain close coordination. All three adversaries employ remarkably similar tradecraft — including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages — that reflects their common origins in the KorDLL and Hawup frameworks.
LABYRINTH CHOLLIMA operations prioritize targets in the manufacturing and defense sectors, particularly European defense entities and U.S., Japanese, and Italian manufacturing organizations. Throughout 2024 and into 2025, LABYRINTH CHOLLIMA persistently targeted European aerospace corporations using employment-themed lures and exploited zero-day vulnerabilities against defense manufacturers. In the first half of 2025, CrowdStrike Intelligence also observed a growing interest by LABYRINTH CHOLLIMA in logistics and shipping companies. The adversary has also targeted U.S.-based manufacturing companies, including critical infrastructure entities in specialized areas such as hydroelectric power.
The 2022 emergence of FudModule represents a significant development for LABYRINTH CHOLLIMA’s malware capabilities. FudModule employs direct kernel manipulation for stealth and has leveraged zero-day exploits in vulnerable drivers, Chrome, and Windows. GOLDEN CHOLLIMA has also reportedly used FudModule, indicating shared tool access despite operational separation.3
LABYRINTH CHOLLIMA’s 2025 operations have demonstrated diverse delivery mechanisms. WhatsApp messaging — which the adversary has used to deliver malicious ZIP files containing trojanized applications — has emerged as a primary initial compromise vector. Likely due to the method’s high success rate, the adversary has used employment-themed social engineering in multiple campaigns, tailoring lures to target specific industries and roles.
GOLDEN CHOLLIMA
The adversary’s malware originates with Jeus in 2018 (and its macOS variant, AppleJeus), which originally masqueraded as a cryptocurrency application purportedly developed by the fictitious company Celas Limited. CrowdStrike Intelligence has observed eight different Jeus and AppleJeus variants in campaigns targeting cryptocurrency entities as well as shellcode overlaps between PipeDown, DevobRAT, HTTPHelper, and Anycon — forming a specialized fintech targeting toolkit.
GOLDEN CHOLLIMA targets economically developed regions with significant cryptocurrency and fintech presence, including the U.S., Canada, South Korea, India, and Western Europe. The adversary typically conducts smaller-value thefts at a more consistent operational tempo, suggesting responsibility for ensuring baseline revenue generation for the DPRK regime.
GOLDEN CHOLLIMA’s recent operations demonstrate cloud-focused tradecraft. In late 2024, the adversary delivered malicious Python packages via recruitment fraud to a European fintech company. They pivoted to the victim’s cloud environment to access IAM configurations and associated cloud resources, and ultimately managed to divert the victim’s cryptocurrency to adversary-controlled wallets.
CrowdStrike Intelligence has also observed GOLDEN CHOLLIMA leveraging Chromium zero-days to deliver malware, and CrowdStrike OverWatch threat hunting detected several deployments of SnakeBaker and its JS variant NodalBaker at fintech firms throughout June 2025.
PRESSURE CHOLLIMA
PRESSURE CHOLLIMA operations likely diverged from LABYRINTH CHOLLIMA in February 2019 with experimental SwDownloader deployment, quickly replaced by SparkDownloader (tracked publicly as TraderTraitor). Recent campaigns leverage malicious Node.js and Python projects to deliver Scuzzyfuss and TwoPence Electric malware.
Unlike GOLDEN CHOLLIMA’s consistent operations, PRESSURE CHOLLIMA pursues high-payout opportunities regardless of geography, focusing on organizations with significant digital asset holdings. PRESSURE CHOLLIMA deploys sophisticated, low-prevalence implants and has evolved into one of the DPRK’s most technically advanced adversaries.
PRESSURE CHOLLIMA conducted the DPRK’s highest-profile cryptocurrency heists, including the two largest cryptocurrency thefts on record. Public reporting links additional high-value thefts ranging from million USD to 0 million USD to PRESSURE CHOLLIMA based on reused cryptocurrency wallets.2
LABYRINTH CHOLLIMA Moving Forward
These three adversaries remain fundamentally interconnected through shared tactical DNA and collaborative infrastructure. The cross-pollination of tools such as FudModule in GOLDEN CHOLLIMA and LABYRINTH CHOLLIMA operations, combined with malware families’ code similarities among these adversaries, demonstrates how these adversaries continue to operate as components of a unified strategic apparatus despite their distinct mission sets.
Outlook
The financial motivation for GOLDEN CHOLLIMA and PRESSURE CHOLLIMA operations will likely intensify as international sanctions continue to cripple the DPRK’s economy. Despite improving trade relations with Russia, the DPRK requires additional revenue to fund ambitious military plans that include constructing new destroyers, building nuclear-powered submarines, and launching additional reconnaissance satellites.4
Organizations in the cryptocurrency, fintech, defense, and logistics sectors should practice heightened vigilance for DPRK social engineering campaigns, particularly employment-themed lures and trojanized legitimate software delivered via messaging platforms.