Skip to main content
Mallory
Back to threat actors
North Korea🇰🇵 KP9 malware families

Golden Chollima

Also known asGolden Chollima

GOLDEN CHOLLIMA is a North Korea-linked threat actor assessed to operate as a distinct organizational unit within the DPRK cyber apparatus and to have emerged from the broader LABYRINTH CHOLLIMA cluster around 2018–2020. CrowdStrike describes it as one of the LABYRINTH CHOLLIMA spin-off groups focused on cryptocurrency theft, while the core LABYRINTH CHOLLIMA group shifted toward espionage. The group is described as conducting steady, smaller-value cryptocurrency thefts for baseline revenue generation, targeting economically developed regions with strong cryptocurrency and fintech sectors, including the United States, Canada, South Korea, India, and Western Europe. Reported targets include fintech firms in the U.S., South Korea, and Europe. Its malware lineage includes Jeus and the macOS variant AppleJeus, originally masquerading as cryptocurrency software from the fictitious company Celas Limited. CrowdStrike observed multiple Jeus and AppleJeus variants used against cryptocurrency entities. GOLDEN CHOLLIMA is also described as using malicious Python packages delivered through recruitment fraud to gain access to victim environments, including cloud environments where it manipulated IAM-related resources and diverted cryptocurrency to adversary-controlled wallets. Additional tooling and malware associated with the group in the provided content include SnakeBaker and the JavaScript variant NodalBaker. The content also states that GOLDEN CHOLLIMA has exploited Chromium zero-days and that some variants show shellcode overlaps with PipeDown, DevobRAT, HTTPHelper, and Anycon. The group shares tools, infrastructure, and tradecraft with LABYRINTH CHOLLIMA and PRESSURE CHOLLIMA, indicating centralized coordination within the DPRK ecosystem. Shared tradecraft mentioned in the content includes supply chain compromise, HR- or employment-themed social engineering, trojanized legitimate software, and malicious Node.js and Python packages. The content also notes that GOLDEN CHOLLIMA has reportedly used FudModule, further indicating tool sharing across related DPRK clusters. Known related groups and aliases directly mentioned in the content are LABYRINTH CHOLLIMA and PRESSURE CHOLLIMA as associated clusters spawned from the broader LABYRINTH CHOLLIMA activity.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Financial Services

Where they're from

Attributed origin per open-source reporting.

  • KP
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics11 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1588
Obtain Capabilities
T1588.002
Tool
TA0001
Initial Access
3 techniques
T1195×2
Supply Chain Compromise
T1199
Trusted Relationship
T1566
Phishing
T1566.002
Spearphishing Link
TA0002
Execution
1 technique
T1204
User Execution
T1204.002
Malicious File
TA0005
Stealth
1 technique
T1036
Masquerading
TA0112
Defense Impairment
1 technique
T1553
Subvert Trust Controls
T1553.001
Gatekeeper Bypass
ARSENAL

Associated malware families

9 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
AnyconSubsequent variants exhibit shellcode overlaps with Pipedown, Devobrat, Httphelper, and Anycon.1Mar 8, 2026
DevobratSubsequent variants exhibit shellcode overlaps with Pipedown, Devobrat, Httphelper, and Anycon.1Mar 8, 2026
FudModuleThe 2022 introduction of Fudmodule advanced capabilities through direct kernel manipulation and zero-day exploitation in vulnerable drivers, Chrome, and Windows.1Mar 8, 2026
Hawup...each following independent malware development trajectories while originating from the Hawup framework.1Mar 8, 2026
HttphelperSubsequent variants exhibit shellcode overlaps with Pipedown, Devobrat, Httphelper, and Anycon.1Mar 8, 2026

4 additional families tracked in Mallory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
the hacker newsNews
Feb 10, 2026
DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies

North Korean cluster focused on repeated smaller-scale cryptocurrency theft operations in economically developed regions.

Read more
security online infoNews
Feb 3, 2026
Hydra Tactics: North Korea's LABYRINTH CHOLLIMA Splits to Hunt Crypto & Secrets

Financially motivated DPRK-linked subgroup focused on steady, smaller-value cryptocurrency theft, including wallet-draining operations against fintech/crypto targets; shares tooling with the broader Labyrinth Chollima ecosystem and has been observed using advanced components like FudModule.

Read more
cyberscoopNews
Jan 29, 2026
Long-running North Korea threat group splits into 3 distinct operations | CyberScoop

North Korea-linked activity cluster focused on cryptocurrency theft to generate revenue for the regime and fund cyber operations.

Read more
polyswarmNews
Feb 6, 2026
Labyrinth Chollima Expands Activity, Spawns Offshoots

Cryptocurrency/fintech theft-focused DPRK cluster emphasizing steady, smaller-scale thefts in economically advanced regions; uses trojanized crypto software lures, malicious Python packages (including via recruitment fraud), Chromium zero-days, and fintech-targeted malware families.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal9

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.