Labyrinth Chollima

Threat Actor updated a month ago (2024-11-29T13:32:01.053Z)
Download STIX
Preview STIX
Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for conducting operations aimed at collecting political, military, and economic intelligence on North Korea’s foreign adversaries, as well as currency generation campaigns. This group, also known by various other names including Hidden Cobra, BeagleBoyz, Lazarus Group, APT-C-26, Zinc, Black Artemis, and UNC4736, has targeted numerous industries worldwide, such as academia, energy, government, healthcare, media, retail, technology, aerospace, agriculture, cryptocurrency, defense, industrials and engineering, military, national government, opportunistic, pharmaceuticals, and art. Their activities have impacted countries globally including Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Norway, Estonia, Germany, Hungary, India, Ireland, Israel, Italy, Japan, Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sweden, Turkey, Ukraine, the United Kingdom, and the United States. In March 2023, Labyrinth Chollima was implicated in a supply chain attack against VoIP software maker 3CX, with follow-on attacks on 3CX customers concentrated in the cryptocurrency industry. The attribution of this attack to Labyrinth Chollima was based on similarities in the malicious code employed in the campaign. The group's actions have been tracked by several security companies under different names, including Temp.Hermit and Diamond Sleet. This intrusion was attributed to Labyrinth Chollima, a subunit of the notorious Lazarus Group, the North Korean government hacking unit known for stealthy hacks targeting cryptocurrency exchanges. The threat actor has also exploited vulnerabilities such as the Google Chrome zero-day CVE-2024-7971 to deploy the FudModule rootkit, according to Microsoft. It is one of the most prolific Democratic People’s Republic of Korea adversaries tracked by CrowdStrike. The group's activities overlap with those of other North Korean-linked groups such as Diamond Sleet, Temp.Hermit, and Citrine Sleet, indicating a possible collaboration or shared resources among these entities. Given the wide range of industries and countries targeted, it is clear that Labyrinth Chollima poses a significant global cybersecurity threat.
Description last updated: 2024-08-31T23:16:01.416Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Lazarus Group is a possible alias for Labyrinth Chollima. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati
5
Silent Chollima is a possible alias for Labyrinth Chollima. Silent Chollima, also known as Stonefly or APT45, is a threat actor with links to North Korea's foreign intelligence agency, the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau. The group has been active since at least 2015, when it began shifting its objectives. Silent Chol
2
Unc4736 is a possible alias for Labyrinth Chollima. UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Crowdstrike
Jumpcloud
Apt
Korean
Pypi
Ransomware
Exploit
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The WannaCry Malware is associated with Labyrinth Chollima. WannaCry is a notorious malware that gained global attention in 2017 when it was responsible for the biggest ransomware attack to date. The malware, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites. Once inside a system, WannaCry can Unspecified
2
Source Document References
Information about the Labyrinth Chollima Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
4 months ago
CERT-EU
a year ago
MITRE
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago