One of North Korea’s longest‑running and most sophisticated cyber operations has undergone a major structural shift, according to new threat intelligence published by CrowdStrike. The group known as LABYRINTH CHOLLIMA, active since at least 2009, has now evolved into three separate but interconnected adversaries—each with its own mission focus, malware toolsets, and operational tempo.
CrowdStrike’s latest analysis confirms that the original LABYRINTH CHOLLIMA operation now functions alongside two newly defined groups: GOLDEN CHOLLIMA and PRESSURE CHOLLIMA. While the three entities operate independently, they continue to share infrastructure, tools, and tradecraft, indicating a centralized command structure within the DPRK cyber ecosystem.
Espionage and Cryptocurrency Theft: Diverging Missions
The core LABYRINTH CHOLLIMA group remains focused on cyber espionage, targeting sectors such as industrial manufacturing, logistics, and defense. These operations align with North Korea’s long‑standing intelligence priorities and its need to gather sensitive geopolitical and military information.
In contrast, GOLDEN CHOLLIMA and PRESSURE CHOLLIMA have shifted toward financially motivated cybercrime, particularly targeting global cryptocurrency firms. GOLDEN CHOLLIMA is believed to focus on fintech and cryptocurrency platforms worldwide, while PRESSURE CHOLLIMA has been linked to attacks on centralized exchanges and several record‑breaking crypto heists.
This diversification allows North Korea to pursue multiple strategic objectives simultaneously—from intelligence collection to revenue generation—while maintaining operational resilience.
Shared Roots, Evolving Toolsets
Although the three groups now operate as distinct adversaries, their malware frameworks share a common lineage. CrowdStrike notes that each group uses evolved variants of the same malware families that LABYRINTH CHOLLIMA deployed throughout the 2000s and 2010s. This continuity underscores the DPRK’s long‑term investment in scalable, adaptable cyber capabilities.
A Deliberate Strategic Reorganization
Security analysts view this split as a deliberate reorganization rather than a natural fragmentation. By distributing responsibilities across multiple units, North Korea can increase operational efficiency, reduce detection risk, and expand its global reach. The model mirrors patterns previously observed in other DPRK‑linked groups, including the broader Lazarus ecosystem.
Implications for Global Cybersecurity
The emergence of three coordinated adversaries significantly raises the threat level for governments, critical infrastructure operators, and cryptocurrency businesses worldwide. With specialized missions and shared resources, the CHOLLIMA groups represent a more agile and potent threat than ever before.
As these adversaries continue to evolve, organizations must strengthen threat intelligence, enhance monitoring, and adopt proactive defense strategies to counter the expanding capabilities of North Korea’s cyber apparatus.