
The fragmentation creates specialized threats for both industrial espionage and crypto finance, raising the attack surface for global enterprises. Understanding the distinct TTPs is essential for effective defense and attribution.
The emergence of three separate entities—Labyrinth Chollima, Golden Chollima, and Pressure Chollima—marks a strategic re‑organization within North Korea’s state‑sponsored cyber arsenal. CrowdStrike’s analysis shows the groups still draw from a common malware lineage that began with the KorDLL framework in the late 2000s, now manifested as Hoplight, Jeus, and MataNet. While Labyrinth Chollima retains its traditional espionage focus, the split allows the regime to allocate specialized resources, streamline operations, and obscure attribution, complicating the work of defenders worldwide.
Golden Chollima and Pressure Chollima have pivoted toward the lucrative cryptocurrency ecosystem, a trend that reflects North Korea’s need for hard‑currency revenue under sanctions. Golden Chollima conducts low‑profile, repeat thefts using cloud‑centric tradecraft and recruitment‑fraud lures, while Pressure Chollima pursues high‑value, opportunistic heists with bespoke implants. Their distinct toolsets—Jeus and MataNet—enable rapid deployment across exchanges, DeFi platforms, and wallet services, increasing the attack surface for financial institutions. The diversification of tactics forces crypto firms to adopt advanced threat‑intel feeds and zero‑trust architectures to mitigate persistent nation‑state pressure.
The continued sharing of infrastructure among the three Chollima factions signals a centralized command that can reallocate capabilities on demand, blurring the line between espionage and financial crime. For defenders, this means threat‑intelligence platforms must correlate indicators across both industrial and crypto domains to spot cross‑group activity. Governments are likely to tighten sanctions and pursue diplomatic channels to pressure Pyongyang, but technical countermeasures—such as sandboxing new Hoplight binaries and monitoring Jeus C2 traffic—remain the most immediate defense. Monitoring the evolution of these groups will be critical for anticipating the next wave of state‑backed cyber operations.
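The cross-domain correlation the paragraph calls for can be done with a small indexer over indicator records. The following is an added example, not code from CrowdStrike or from the page: it assumes a simple feed schema (indicator, type, group, sector, first_seen) and uses constructed, non-routable sample indicators; only the three group names come from the text. It refangs feed entries, indexes URLs by their host as well as by full value so that an IP seen in an industrial-sector URL matches the same IP reported bare in a crypto-sector record, and then reports which infrastructure is shared between groups, which crosses sectors, and which group used a given atom first.

```python
"""Correlate indicator feeds across threat groups and sectors.

Added example (not CrowdStrike's or the page's own code). The feed schema
and every indicator value below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed feed records: TEST-NET addresses, a reserved example domain
# and a dummy hash. Group names follow the article; dates are invented.
FEED = [
    {"indicator": "hxxp://203.0.113[.]10/update", "type": "url",
     "group": "Labyrinth Chollima", "sector": "industrial", "first_seen": "2023-02-11"},
    {"indicator": "203.0.113.10", "type": "ipv4",
     "group": "Golden Chollima", "sector": "crypto", "first_seen": "2023-05-03"},
    {"indicator": "update-cdn[.]example", "type": "domain",
     "group": "Golden Chollima", "sector": "crypto", "first_seen": "2023-05-03"},
    {"indicator": "UPDATE-CDN.example", "type": "domain",
     "group": "Pressure Chollima", "sector": "crypto", "first_seen": "2023-09-18"},
    {"indicator": "198.51.100.7", "type": "ipv4",
     "group": "Pressure Chollima", "sector": "crypto", "first_seen": "2023-09-20"},
    {"indicator": "deadbeef" * 4, "type": "md5",
     "group": "Labyrinth Chollima", "sector": "industrial", "first_seen": "2023-01-05"},
]

# Common defanging conventions seen in shared feeds and reports.
DEFANG = [("hxxp", "http"), ("[.]", "."), ("[:]", ":"), ("(.)", ".")]


def refang(value):
    """Normalise a defanged, mixed-case indicator to a canonical lowercase form."""
    v = value.strip().lower()
    for bad, good in DEFANG:
        v = v.replace(bad, good)
    return v


def atoms(record):
    """Return the set of keys a record should be indexed under.

    A URL is indexed under both its full value and its host, so that a
    bare IP/domain record from another feed lands in the same bucket.
    """
    v = refang(record["indicator"])
    if record["type"] == "url":
        host = urlparse(v).hostname
        return {v, host} if host else {v}
    return {v}


def build_index(feed):
    """Map each atom to every feed record that mentions it."""
    idx = defaultdict(list)
    for r in feed:
        for a in atoms(r):
            idx[a].append(r)
    return idx


def shared_between_groups(feed):
    """atom -> sorted group names, only for atoms used by more than one group."""
    out = {}
    for a, recs in build_index(feed).items():
        groups = sorted({r["group"] for r in recs})
        if len(groups) > 1:
            out[a] = groups
    return out


def cross_sector(feed):
    """atom -> sorted sectors, only for atoms seen in more than one sector."""
    out = {}
    for a, recs in build_index(feed).items():
        sectors = sorted({r["sector"] for r in recs})
        if len(sectors) > 1:
            out[a] = sectors
    return out


def timeline(feed, atom):
    """(first_seen, group) pairs for one atom, earliest first: who used it first."""
    recs = build_index(feed).get(refang(atom), [])
    return sorted((r["first_seen"], r["group"]) for r in recs)


if __name__ == "__main__":
    for a, groups in shared_between_groups(FEED).items():
        print(f"shared by {', '.join(groups)}: {a}")
    for a, sectors in cross_sector(FEED).items():
        print(f"crosses sectors {', '.join(sectors)}: {a} (timeline: {timeline(FEED, a)})")
```

Indexing URLs by host is the step that makes the industrial and crypto feeds overlap at all; without it the two records for the same address never meet. The timeline view is what an analyst would use to argue which faction seeded the infrastructure before it was reused.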