Labyrinth Chollima

Threat Actor updated 3 months ago (2024-08-31T23:17:42.912Z)
Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for operations aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, as well as for currency-generation campaigns. The group, also tracked under names including Hidden Cobra, BeagleBoyz, Lazarus Group, APT-C-26, Zinc, Black Artemis, and UNC4736, has targeted numerous industries worldwide, such as academia, energy, government, healthcare, media, retail, technology, aerospace, agriculture, cryptocurrency, defense, industrials and engineering, military, national government, opportunistic targets, pharmaceuticals, and art. Its activities have affected countries including Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Norway, Estonia, Germany, Hungary, India, Ireland, Israel, Italy, Japan, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sweden, Turkey, Ukraine, the United Kingdom, and the United States. In March 2023, Labyrinth Chollima was implicated in a supply chain attack against VoIP software maker 3CX, with follow-on attacks on 3CX customers concentrated in the cryptocurrency industry; attribution to Labyrinth Chollima was based on similarities in the malicious code used in the campaign. Several security companies track the group's activity under other names, including Temp.Hermit and Diamond Sleet. The 3CX intrusion was attributed to Labyrinth Chollima as a subunit of the Lazarus Group, the North Korean government hacking unit known for stealthy intrusions targeting cryptocurrency exchanges. According to Microsoft, the threat actor has also exploited vulnerabilities such as the Google Chrome zero-day CVE-2024-7971 to deploy the FudModule rootkit. CrowdStrike tracks it as one of the most prolific Democratic People's Republic of Korea adversaries.
The group's activities overlap with those of other North Korean-linked groups such as Diamond Sleet, Temp.Hermit, and Citrine Sleet, indicating possible collaboration or shared resources among these entities. Given the wide range of industries and countries targeted, Labyrinth Chollima poses a significant global cybersecurity threat.
Description last updated: 2024-08-31T23:16:01.416Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias | Description | Votes
Lazarus Group (5 votes) is a possible alias for Labyrinth Chollima. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K
Silent Chollima (2 votes) is a possible alias for Labyrinth Chollima. Silent Chollima, also known as Stonefly or APT45, is a threat actor with links to North Korea's foreign intelligence agency, the 3rd Bureau of the Reconnaissance General Bureau. The group has been active since at least 2015, when it began shifting its objectives. Silent Chol
UNC4736 (2 votes) is a possible alias for Labyrinth Chollima. UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
CrowdStrike
JumpCloud
APT
Korean
PyPI
Ransomware
Exploit
Associated Malware
Alias | Description | Association Type | Votes
The WannaCry malware is associated with Labyrinth Chollima (association type: Unspecified; 2 votes). WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2
Source Document References
Information about the Labyrinth Chollima threat actor was derived from the source document corpus; this display is limited to 20 results.