Pressure Chollima
Pressure Chollima is a DPRK-linked threat actor tracked by CrowdStrike as a distinct organizational unit within the North Korean cyber apparatus and as a subgroup that split from the broader Labyrinth Chollima cluster. It is also referred to as JadeSleet and TraderTraitor in the provided content. CrowdStrike describes Pressure Chollima as one of North Korea’s most technically advanced threat groups. The group is financially motivated and focused on high-payout cryptocurrency theft, particularly against organizations with significant digital asset holdings. It is described as conducting sophisticated, highly targeted intrusions into large and centralized cryptocurrency exchanges, pursuing high-value heists regardless of geography, and being responsible for the DPRK’s highest-profile cryptocurrency heists, including the two largest cryptocurrency thefts on record. The content also attributes a record-breaking $1.46 billion cryptocurrency theft to Pressure Chollima. Pressure Chollima is associated with technically sophisticated, low-prevalence implants and malware including SwDownloader, SparkDownloader, Scuzzyfuss, and Twopence Electric. The content states that its divergence from Labyrinth Chollima likely began in early 2019 with SwDownloader, which was quickly replaced by SparkDownloader, also referred to as TraderTraitor. Recent campaigns are described as using malicious Node.js and Python projects to deliver Scuzzyfuss and Twopence Electric. Within CrowdStrike’s reporting, Pressure Chollima is one of three clusters that emerged from Labyrinth Chollima, alongside Golden Chollima and the core espionage-focused Labyrinth Chollima unit. Although operationally distinct, these groups reportedly continue to share tools, infrastructure, and tradecraft rooted in the KorDLL and Hawup frameworks, indicating centralized coordination within the DPRK cyber ecosystem. Common tradecraft mentioned across these DPRK clusters includes supply chain compromise, HR-themed social engineering, trojanized legitimate software, and malicious Node.js and Python packages.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Where they're from
Attributed origin per open-source reporting.
- KP
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
DPRK-aligned threat actor conducting sophisticated, targeted intrusions into large cryptocurrency exchanges.
North Korean cluster conducting high-value cryptocurrency heists using advanced implants against organizations with substantial digital asset holdings.
Technically advanced DPRK-linked subgroup focused on high-value cryptocurrency theft, including large-scale heists against centralized exchanges using sophisticated implants; part of the restructured Labyrinth Chollima ecosystem with shared resources.
North Korea-linked activity cluster focused on high-value cryptocurrency theft; described as highly technically advanced and responsible for a major ($1.46B) crypto heist.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.