Hawup
Hawup is a malware framework referenced as a common ancestral codebase within the DPRK-linked Labyrinth Chollima ecosystem. The cited reporting states that Golden Chollima, Pressure Chollima, and the core espionage-focused Labyrinth Chollima group followed independent malware development trajectories while originating from the Hawup framework, alongside shared roots in the KorDLL framework. Hawup is therefore best understood as part of the shared tactical DNA underpinning later DPRK malware families and operations, not as a standalone, campaign-specific implant described in detail here.

The associated threat actors are North Korea-linked clusters tracked by CrowdStrike: Golden Chollima and Pressure Chollima, which focus on cryptocurrency theft, and core Labyrinth Chollima, which focuses on espionage. The broader ecosystem derived from Hawup has been used against cryptocurrency and fintech organizations, as well as defense, aerospace, manufacturing, logistics, shipping, maritime, military, nuclear, and critical infrastructure targets. Initial access and delivery tradecraft observed across these related clusters includes employment-themed social engineering, trojanized legitimate software, malicious ZIP archives delivered via WhatsApp, and malicious Node.js and Python projects or packages.

The cited reporting does not provide Hawup-specific indicators of compromise, payload behavior, persistence mechanisms, or platform details beyond its role as a shared framework lineage; any detection or hunting effort therefore has to start from the descendant families and the delivery tradecraft listed above rather than from Hawup itself.
Groups observed using it
3 distinct threat actors attributed by public researchers.
...each following independent malware development trajectories while originating from the Hawup framework.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Shared malware framework/tooling lineage used across multiple DPRK-linked operational subgroups.
Referenced as a shared framework underpinning DPRK tradecraft and tooling origins across the described clusters.
A shared malware framework lineage from which multiple DPRK subgroups’ toolchains diverged.