Labyrinth Chollima

Threat Actor updated 10 days ago (2024-08-31T23:17:42.912Z)
Labyrinth Chollima is a threat actor linked to North Korea that has been active since 2009. Its operations collect political, military, and economic intelligence on North Korea's foreign adversaries and run currency-generation campaigns. The group is also tracked under many other names, including Hidden Cobra, BeagleBoyz, Lazarus Group, APT-C-26, Zinc, Black Artemis, and UNC4736, and has targeted industries worldwide: academia, energy, government, healthcare, media, retail, technology, aerospace, agriculture, cryptocurrency, defense, industrials and engineering, military, national government, opportunistic targets, pharmaceuticals, and art. Its activity has affected organizations in Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Norway, Estonia, Germany, Hungary, India, Ireland, Israel, Italy, Japan, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sweden, Turkey, Ukraine, the United Kingdom, and the United States.

In March 2023, Labyrinth Chollima was implicated in a supply chain attack against the VoIP software maker 3CX, with follow-on attacks on 3CX customers concentrated in the cryptocurrency industry. Attribution to Labyrinth Chollima rested on similarities in the malicious code used in the campaign; other security companies tracked the same activity under names including Temp.Hermit and Diamond Sleet. Reporting on the intrusion described Labyrinth Chollima as a subunit of the Lazarus Group, the North Korean government hacking unit known for stealthy intrusions into cryptocurrency exchanges. According to Microsoft, the threat actor has also exploited vulnerabilities such as the Google Chrome zero-day CVE-2024-7971 to deploy the FudModule rootkit. CrowdStrike tracks Labyrinth Chollima as one of the most prolific Democratic People's Republic of Korea adversaries.

The group's activity overlaps with that of other North Korea-linked groups such as Diamond Sleet, Temp.Hermit, and Citrine Sleet, suggesting collaboration or shared resources among these clusters. Given the range of industries and countries targeted, Labyrinth Chollima poses a significant global cybersecurity threat.
Description last updated: 2024-08-31T23:16:01.416Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Lazarus Group | 5 | The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. This group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for their sophisticated
Silent Chollima | 2 | Silent Chollima, a North Korea-nexus threat actor, is known for its malicious cyber activities. The group, which is part of the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau, North Korea's foreign intelligence agency, has been associated with other groups such as Lazarus,
UNC4736 | 2 | UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Crowdstrike
Jumpcloud
Apt
Korean
Pypi
Ransomware
Exploit
Analyst Notes & Discussion
Associated Malware
ID | Type | Votes | Profile Description
WannaCry | Unspecified | 2 | WannaCry is a type of malware, specifically ransomware, that emerged as one of the most significant cybersecurity threats in 2017. It exploited Windows' SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), allowing it to spread across networks and encrypt files,
Source Document References
Information about the Labyrinth Chollima Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | 10 days ago | North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit - Security Affairs
CERT-EU | 8 months ago | MOVEit, Capita, CitrixBleed and more: The biggest data breaches of 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
MITRE | 9 months ago | Adversary: Labyrinth Chollima - Threat Actor | Crowdstrike Adversary Universe
CERT-EU | 9 months ago | BitCoins To Bombs: North Korea Funds Military With Billions In Stolen Cryptocurrency - The Security Ledger with Paul F. Roberts
Securityaffairs | 10 months ago | Lazarus is using a MagicLine4NX zero-day in supply chain attack
CERT-EU | 10 months ago | Hackers exploit MagicLine4NX zero-day in supply-chain attack
BankInfoSecurity | 10 months ago | North Korean Hacking Alert Sounded by UK and South Korea
CERT-EU | 10 months ago | New North Korean supply chain attack spreads via malicious CyberLink app
CERT-EU | 10 months ago | N. Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack
CERT-EU | 10 months ago | Diamond Sleet supply chain compromise distributes a modified CyberLink installer | Microsoft Security Blog
CERT-EU | a year ago | Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw
CERT-EU | a year ago | Qualys Survey of Top 10 Exploited Vulnerabilities in 2023 | Qualys Security Blog
CERT-EU | a year ago | North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers
Securityaffairs | a year ago | Security Affairs newsletter Round 435 by Pierluigi Paganini
CERT-EU | a year ago | VMConnect campaign linked to North Korea's Lazarus Group
CERT-EU | a year ago | Cyber Security Week in Review: September 1, 2023
Securityaffairs | a year ago | Labyrinth Chollima behind PyPI supply chain attacks
CERT-EU | a year ago | North Korean Hacker Group Breached US IT Firm JumpCloud
CERT-EU | a year ago | Cyber Security Week In Review: July 21, 2023
Securityaffairs | a year ago | Experts believe North Korea behind JumpCloud supply chain attack