Overview
- CrowdStrike now tracks Labyrinth Chollima, Golden Chollima, and Pressure Chollima as distinct adversaries with specialized malware, missions, and tradecraft.
- Golden Chollima and Pressure Chollima focus on cryptocurrency theft, with Pressure linked to a record $1.46 billion heist, while the core Labyrinth unit prioritizes espionage.
- The three groups share tooling, code overlaps, and infrastructure connected to the broader Lazarus ecosystem, indicating centralized coordination despite separate missions.
- Targeting differs by group: Labyrinth Chollima pursues defense, aerospace, logistics, and U.S. critical infrastructure; Golden Chollima targets smaller fintech and cloud environments; and Pressure Chollima targets centralized cryptocurrency exchanges and major technology firms. Victims span the U.S., Europe, East Asia, India, Canada, and South Korea.
- CrowdStrike traces the split to 2018–2020, raises its count of DPRK-linked groups to eight, and publishes indicators and malware samples for defenders. The TTPs it details include employment-themed lures, malicious WhatsApp messages, recruitment-fraud Python packages, pivots from on-premises systems into cloud environments, and low-prevalence implants.