HIDDEN COBRA, BeagleBoyz, Lazarus Group, APT-C-26, Zinc, Black Artemis
Labyrinth Chollima is one of the most prolific Democratic People’s Republic of Korea (DPRK) adversaries tracked by CrowdStrike and has been active since 2009.
CrowdStrike assesses that this adversary is likely affiliated with Bureau 121 of the DPRK’s Reconnaissance General Bureau (RGB) and has a remit to collect political, military, and economic intelligence on North Korea’s foreign adversaries and to conduct currency generation campaigns.
Labyrinth Chollima maintains an extensive toolset consisting of implants targeting the Windows, Linux, macOS, and Android operating systems. In 2020, CrowdStrike Intelligence observed the deployment of a steady stream of nearly a dozen new implants, suggesting this adversary is in a constant state of malware development.
LABYRINTH CHOLLIMA’s Hawup, first observed operationally in 2015, defines the contours of this adversary’s modern activity. Nearly all of LABYRINTH CHOLLIMA’s tools bear some relation to Hawup—either directly or indirectly.
Notably, there are numerous technical overlaps between LABYRINTH CHOLLIMA and STARDUST CHOLLIMA malware, indicating that the two adversaries likely work in close collaboration and had access to the same code framework prior to the subsequent tooling divergence increasingly observed between them.
Starting in 2020 and continuing through 2021, LABYRINTH CHOLLIMA has used Twitter personas to contact entities in the technology vertical and entice them to execute malware on their machines. The delivered malware bears significant similarities to LABYRINTH CHOLLIMA’s Milt remote access tool (RAT) and to Hoplight. Moreover, the use of social media for spear phishing is a tactic CrowdStrike Intelligence frequently observes from LABYRINTH CHOLLIMA.
- Industrials and Engineering
- National Government