Researchers Track Three Groups Emerging From LABYRINTH CHOLLIMA
- Three groups: Activity linked to LABYRINTH CHOLLIMA now maps to three distinct adversaries.
- Focus: Two groups prioritize cryptocurrency revenue, while core operations remain focused on espionage.
- Shared infrastructure: The groups continue sharing tools, malware frameworks, and operational tradecraft.
New threat research has found that the activity tracked as LABYRINTH CHOLLIMA involves three coordinating groups with differing emphases on revenue generation and cyber espionage.
Researchers track GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and LABYRINTH CHOLLIMA as having distinct malware, objectives, and tradecraft while sharing infrastructure and tools.
GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and LABYRINTH CHOLLIMA Objectives
Researchers assess that LABYRINTH CHOLLIMA activity traces back to the KorDLL malware, which was active between 2009 and 2015. That lineage later led to malware families such as Dozer, Brambul, Joanap, KorDLL Bot, and Koredos, before evolving into the Hawup and TwoPence frameworks.
The Hawup framework is an espionage-focused malware toolset linked to LABYRINTH CHOLLIMA.
Operation and Structure
The three subgroups emerged from the Hawup framework between 2018 and 2020. The following outline summarizes each group's operations, origins, and mission.
LABYRINTH CHOLLIMA
- Cyber espionage operations
- Targets industrial, logistics, and defense organizations in Europe, the U.S., Japan, and Italy
- Uses malware with a Hoplight lineage
- Employment-themed social engineering, zero-day exploitation, and WhatsApp-delivered malicious ZIP files
GOLDEN CHOLLIMA
- Focuses on cryptocurrency and fintech entities across the U.S., Canada, South Korea, India, and Western Europe.
- Conducts theft operations
- Uses malware frameworks such as Jeus and AppleJeus, delivered via cloned cryptocurrency applications
- Observed leveraging Chromium zero-day exploits, including SnakeBaker and NodalBaker
- Cloud-focused tradecraft, including IAM abuse following recruitment fraud
PRESSURE CHOLLIMA
- Cryptocurrency theft
- Reflects higher technical complexity
- Uses malware including TwoPence Electric delivered via malicious Node.js and Python projects
All three groups reuse infrastructure, including malware such as FudModule, which employs kernel-level manipulation.
“North Korea is probably one of the top-notch actors out there. What we’re seeing down range is now aligned with what we’ve seen from a bureaucratic perspective up range. Over time, as their mission was successful, the bureaucracy grew and the scope of the mission grew, and obviously the organization grew. They’ve been operating a resistance economy for many, many years and cyber gives them the ability to do this deniably and at a distance,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, commenting on the organizational maturation and specialization reflected in the three-group model.
Mitigation Guidelines
Researchers outlined the following steps based on each group's tradecraft:
LABYRINTH CHOLLIMA
- Cross-check all employment-themed communications delivered via messaging platforms
- Patch vulnerabilities promptly, particularly zero-day and kernel-level flaws
- Enable stricter restrictions around defense and manufacturing environments
- Monitor and prevent WhatsApp and messaging-platform file transfers carrying ZIP archives that contain trojanized applications.
GOLDEN CHOLLIMA
- Vet third-party and open-source Node.js and Python packages
- Monitor cloud IAM, privilege changes, and cryptocurrency wallet activity
- Promptly block execution of unverified cryptocurrency-related applications
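The IAM-monitoring step above is easiest to act on as a detection rule over identity audit events. The script below is an added example written for this article, not CrowdStrike's or any vendor's code: it scans constructed CloudTrail-shaped JSON records (invented, not real logs) for IAM calls that grant privileges or mint new credentials, keeps denied attempts as well as successful ones, and surfaces actors who make a burst of such changes. The watchlist of API names and the burst threshold are assumptions to tune per environment.

```python
"""Added example: flag IAM privilege changes in CloudTrail-style JSON events.

Constructed for this article; the sample records are invented and the
watchlist of API names is an assumption to tune per environment.
"""
import json
from collections import defaultdict

# IAM actions that grant privileges or create new credentials (assumed watchlist).
PRIVILEGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy",
    "AddUserToGroup", "CreateUser",
}

# Constructed sample events in the shape of CloudTrail records (not real logs).
SAMPLE_EVENTS = [
    '{"eventTime":"2024-05-01T09:12:00Z","eventSource":"iam.amazonaws.com",'
    '"eventName":"CreateAccessKey","userIdentity":{"userName":"contractor-1"},'
    '"requestParameters":{"userName":"contractor-1"},"sourceIPAddress":"203.0.113.7"}',
    '{"eventTime":"2024-05-01T09:13:30Z","eventSource":"iam.amazonaws.com",'
    '"eventName":"AttachUserPolicy","userIdentity":{"userName":"contractor-1"},'
    '"requestParameters":{"userName":"contractor-1",'
    '"policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"},"sourceIPAddress":"203.0.113.7"}',
    '{"eventTime":"2024-05-01T09:14:05Z","eventSource":"iam.amazonaws.com",'
    '"eventName":"PutRolePolicy","userIdentity":{"userName":"contractor-1"},'
    '"requestParameters":{"roleName":"deploy"},"errorCode":"AccessDenied",'
    '"sourceIPAddress":"203.0.113.7"}',
    '{"eventTime":"2024-05-01T09:20:00Z","eventSource":"s3.amazonaws.com",'
    '"eventName":"ListBuckets","userIdentity":{"userName":"contractor-1"},'
    '"sourceIPAddress":"203.0.113.7"}',
    '{"eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com",'
    '"eventName":"GetUser","userIdentity":{"userName":"ops-admin"},'
    '"requestParameters":{"userName":"ops-admin"},"sourceIPAddress":"198.51.100.2"}',
    'not valid json at all',  # malformed line: must be skipped, not crash the scan
]


def parse_event(line):
    """Parse one JSON record; return None for malformed lines instead of raising."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def classify(event):
    """Return an alert dict for an IAM privilege-change event, else None.

    Denied attempts are kept on purpose: a failed escalation is still a signal.
    """
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in PRIVILEGE_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    target = (params.get("userName") or params.get("roleName")
              or params.get("groupName") or "?")
    return {
        "time": event.get("eventTime"),
        "actor": (event.get("userIdentity") or {}).get("userName", "unknown"),
        "action": name,
        "target": target,
        "policy": params.get("policyArn"),
        "source_ip": event.get("sourceIPAddress"),
        "outcome": "denied" if event.get("errorCode") else "succeeded",
    }


def find_privilege_changes(lines):
    """Scan raw log lines and return alerts in log order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


def actors_with_burst(alerts, min_events=2):
    """Actors with at least `min_events` privilege changes in the scanned window.

    A short run of self-granting calls from one identity is the pattern to
    escalate first; the threshold is an assumption.
    """
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["actor"]] += 1
    return sorted(actor for actor, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    found = find_privilege_changes(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["time"]} {a["actor"]} {a["action"]} -> {a["target"]} '
              f'[{a["outcome"]}] from {a["source_ip"]}')
    print("burst actors:", actors_with_burst(found))
```

In practice the same rule runs over the exported trail or a SIEM feed; the useful refinements are correlating the actor with a recent hire or recruitment-themed contact, as the article describes, and treating a self-targeted change (actor equals target) as higher severity.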
PRESSURE CHOLLIMA
- Enforce multi-signature and time-locked cryptocurrency transfers
- Monitor for low-prevalence implants and suspicious outbound connections
- Isolate digital asset infrastructure from corporate networks
- Implement transaction monitoring and alerting thresholds for large or anomalous cryptocurrency transfers.
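The last two PRESSURE CHOLLIMA steps, multi-signature approval and threshold-based transaction alerting, can be combined in one monitoring pass. The script below is an added example for this article, not code from the researchers: it evaluates a constructed sequence of outbound transfers (invented amounts and addresses) against a hard limit, a required approval count, a destination allowlist, and a statistical baseline built only from transfers that were not themselves flagged, so one large outlier cannot inflate the baseline and hide the next. All thresholds and the allowlist are assumptions.

```python
"""Added example: threshold and anomaly alerting for outbound crypto transfers.

Constructed for this article; amounts, addresses, thresholds and the
allowlist are invented assumptions.
"""
from statistics import mean, pstdev

# Assumed allowlist of destinations that went through an approval process.
APPROVED_DESTINATIONS = {"addr-A", "addr-B", "addr-C"}

# Constructed history of outbound transfers (amount in the asset's base unit).
SAMPLE_TRANSFERS = [
    {"id": "t1", "amount": 1.2, "dest": "addr-A", "approvals": 2},
    {"id": "t2", "amount": 0.9, "dest": "addr-B", "approvals": 2},
    {"id": "t3", "amount": 1.5, "dest": "addr-A", "approvals": 2},
    {"id": "t4", "amount": 1.1, "dest": "addr-C", "approvals": 2},
    {"id": "t5", "amount": 1.3, "dest": "addr-B", "approvals": 2},
    {"id": "t6", "amount": 1.0, "dest": "addr-A", "approvals": 2},
    # Large, single-approval transfer to a destination never approved.
    {"id": "t7", "amount": 48.0, "dest": "addr-Z", "approvals": 1},
    {"id": "t8", "amount": 1.4, "dest": "addr-A", "approvals": 2},
    # Under the hard limit and fully approved, but far outside the baseline.
    {"id": "t9", "amount": 6.0, "dest": "addr-B", "approvals": 2},
]


def evaluate_transfer(tx, baseline, hard_limit, min_approvals,
                      z_threshold=3.0, min_history=5):
    """Return the list of reasons a transfer should be alerted on (empty if clean).

    `baseline` is the list of earlier transfers that were not flagged; the
    statistical check only runs once there are at least `min_history` of them.
    """
    reasons = []
    if tx["amount"] >= hard_limit:
        reasons.append("over_hard_limit")
    if tx["approvals"] < min_approvals:
        reasons.append("insufficient_approvals")
    if tx["dest"] not in APPROVED_DESTINATIONS:
        reasons.append("destination_not_allowlisted")
    if len(baseline) >= min_history:
        amounts = [b["amount"] for b in baseline]
        mu, sigma = mean(amounts), pstdev(amounts)
        # Guard against a flat history where sigma is zero.
        if sigma > 0 and (tx["amount"] - mu) / sigma > z_threshold:
            reasons.append("statistical_outlier")
    return reasons


def scan_transfers(transfers, hard_limit=25.0, min_approvals=2):
    """Walk transfers in order and return [(id, reasons)] for every alert.

    Flagged transfers are excluded from the baseline so an outlier does not
    widen the distribution and mask a smaller anomaly that follows it.
    """
    alerts = []
    baseline = []
    for tx in transfers:
        reasons = evaluate_transfer(tx, baseline, hard_limit, min_approvals)
        if reasons:
            alerts.append((tx["id"], reasons))
        else:
            baseline.append(tx)
    return alerts


if __name__ == "__main__":
    for tx_id, reasons in scan_transfers(SAMPLE_TRANSFERS):
        print(f"ALERT {tx_id}: {', '.join(reasons)}")
```

Running it on the constructed data flags t7 on all four rules and t9 only as a statistical outlier; a production version would hold the transfer until the additional signers required by the multi-signature policy have approved it, rather than merely alerting after the fact.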
For organizations, it is important to pay closer attention to how software is introduced into the environment, particularly through third-party packages. Greater visibility into cloud and identity activity after an intrusion is also critical.