Httphelper

HTTPHelper is malware associated with DPRK-linked GOLDEN CHOLLIMA activity. The provided content does not describe its standalone functionality in detail, but it explicitly notes shellcode overlaps between HTTPHelper and other malware including PipeDown, DevobRAT, and Anycon, indicating it is part of a shared or related malware toolkit used in cryptocurrency and fintech intrusions. GOLDEN CHOLLIMA is described as a North Korea-linked cluster focused on steady, smaller-scale cryptocurrency thefts, historically using Jeus/AppleJeus-style lures, recruitment fraud, malicious Python packages, and Chromium zero-days. The group targets economically advanced regions with significant cryptocurrency and fintech sectors, including the United States, Canada, South Korea, India, and Western Europe. In late 2024, GOLDEN CHOLLIMA reportedly used recruitment-themed malicious Python packages against a European fintech company, pivoted into the victim cloud environment to access IAM configurations and cloud resources, and diverted cryptocurrency to adversary-controlled wallets. The content also associates GOLDEN CHOLLIMA with deployments of SnakeBaker and NodalBaker at fintech firms. For HTTPHelper specifically, the only high-confidence detail provided is its overlap with this broader GOLDEN CHOLLIMA fintech-targeting malware ecosystem; no specific infection vector, platform, persistence mechanism, or indicators of compromise are directly provided for HTTPHelper itself in the content.