Stardust Chollima

Threat Actor Profile Updated 2 months ago
Stardust Chollima is a North Korea (DPRK)-nexus threat actor, tracked under that name by CrowdStrike, whose operations are primarily aimed at acquiring funds. Since 2015 the group has been linked to high-profile intrusions and fraud: the abuse of compromised, bank-operated SWIFT endpoints to push fraudulent transfers, the FASTCash ATM cash-out scheme reported in October 2018, and large cryptocurrency thefts. Other vendors track the same or overlapping activity under their own names, including APT38 (FireEye, now Mandiant), Bluenoroff (Kaspersky), Lazarus Group (ESTsecurity) and BeagleBoyz (CISA).

The group's operational framework appears to be complex and potentially interconnected with other DPRK adversaries such as Labyrinth Chollima, Ricochet Chollima and Silent Chollima, but it remains unclear whether elements of the TwoPence framework used by Stardust Chollima are shared with those groups. There is also technical overlap between the WannaCry ransomware, which began self-propagating in May 2017, and both Stardust Chollima and Labyrinth Chollima. Despite this degree of operational overlap, no direct link has been identified between Stardust Chollima and Silent Chollima, another DPRK actor engaged in revenue generation; the two groups use distinct tools and infrastructure.

More recently the group was tied to the SpectralBlur macOS backdoor, a sample of which was first seen in August 2023 and which Proofpoint threat researcher Greg Lesnewich publicly described in January 2024. The industry continues to monitor these actors closely, and organisations are advised to fold intelligence on them into their security strategy; CrowdStrike publishes guidance on integrating this profile into a defence plan.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): profile description
APT38 (3 votes): APT38, also known as TA444, BlueNoroff, BlackAlicanto, Copernicium, Sapphire Sleet, Stardust Chollima, and TraderTraitor, is a threat actor group suspected to be backed by the North Korean regime. The group has been active in operations across over 16 organizations in at least 11 countries, primaril
Lazarus Group (2 votes): The Lazarus Group, a threat actor attributed to North Korea, is renowned for its notorious cyber-exploitation activities. The group has been linked to various high-profile cyber-attacks, including the largest decentralized finance exploit in history, the Ronin exploit of March 2022. This attack led
Bluenoroff (2 votes): BlueNoroff, a threat actor closely associated with the notorious Lazarus Group, has been actively involved in malicious cyber activities primarily targeting financial institutions and cryptocurrency businesses. Known for its sophisticated attacks on banks, casinos, fintech companies, POST software,
TA444 (1 vote): TA444, also known as BlueNoroff, APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group has been continuously generating proprietary malware, distinguishing it from other
BeagleBoyz (1 vote): The BeagleBoyz, also known as threat activity group 71 (TAG-71), is a significant cybersecurity threat actor with strong ties to the North Korean state-sponsored APT38. This group, recognized under various aliases such as Bluenoroff and Stardust Chollima, has been involved in extensive cyber operati
Labyrinth Chollima (1 vote): Labyrinth Chollima, a threat actor linked to North Korea, has been involved in numerous malicious activities since 2009. Tracked by CrowdStrike and other cybersecurity organizations, Labyrinth Chollima is part of the Lazarus Group, known for stealthy attacks targeting various industries such as acad
Sapphire Sleet (1 vote): Sapphire Sleet is a threat actor, or malicious entity, that is linked to North Korea. This group has been identified as an Advanced Persistent Threat (APT), known for executing sophisticated and continuous cyberattacks. Sapphire Sleet has been particularly active in targeting IT job seekers through
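The vendor-naming problem this section describes is usually handled in a threat-intel pipeline by merging each vendor's alias assertions into one cluster per actor and flagging any merge that crosses a known nexus boundary. The Python below is an added example, not code from Cybergeist, CrowdStrike or any vendor: the vendor-to-name assertions, the nexus labels and the STIX ID scheme are constructed for illustration from the names on this page, and the deliberately wrong APT28 assertion mirrors the kind of typo that drops a Russian cluster name into a DPRK profile.

```python
"""Merge vendor alias assertions into actor clusters and emit a STIX-shaped record.

Added example, not code from Cybergeist or any vendor. All assertions, nexus
labels and the ID scheme below are constructed for illustration.
"""
import json
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# (vendor, the name that vendor uses, names it says overlap with it).
# Constructed from the aliases on this page; the attributions are assumptions.
ASSERTIONS = [
    ("CrowdStrike", "Stardust Chollima", ["APT38", "Bluenoroff", "BeagleBoyz"]),
    ("Mandiant", "APT38", ["Stardust Chollima", "TA444"]),
    ("Proofpoint", "TA444", ["BlueNoroff", "Sapphire Sleet"]),
    ("CISA", "BeagleBoyz", ["APT38"]),
    # Deliberately wrong: APT28 is a Russian-nexus cluster, not a DPRK one.
    ("Example vendor", "TA444", ["APT28"]),
]

# Nexus each name is known to belong to (constructed). A cluster that spans
# two nexus labels means an assertion merged actors that must stay apart.
NEXUS = {
    "Stardust Chollima": "DPRK", "APT38": "DPRK", "Bluenoroff": "DPRK",
    "TA444": "DPRK", "BeagleBoyz": "DPRK", "Sapphire Sleet": "DPRK",
    "APT28": "Russia",
}


def canon(name):
    """Case- and whitespace-insensitive key so 'BlueNoroff' == 'Bluenoroff'."""
    return "".join(name.lower().split())


class UnionFind:
    """Minimal disjoint-set structure over canonical alias keys."""

    def __init__(self):
        self.parent = {}

    def find(self, key):
        self.parent.setdefault(key, key)
        while self.parent[key] != key:  # path halving
            self.parent[key] = self.parent[self.parent[key]]
            key = self.parent[key]
        return key

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(assertions):
    """Return a list of clusters; each cluster is a sorted list of display names."""
    uf = UnionFind()
    display = {}  # canonical key -> first spelling seen
    for _vendor, name, aliases in assertions:
        for n in (name, *aliases):
            display.setdefault(canon(n), n)
        for alias in aliases:
            uf.union(canon(name), canon(alias))
    groups = defaultdict(set)
    for key, shown in display.items():
        groups[uf.find(key)].add(shown)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def cluster_for(name, clusters):
    """Cluster containing `name` (any spelling), or None."""
    key = canon(name)
    for c in clusters:
        if any(canon(n) == key for n in c):
            return c
    return None


def nexus_labels(cluster, nexus=NEXUS):
    """Distinct nexus labels present in a cluster; more than one is a conflict."""
    by_key = {canon(k): v for k, v in nexus.items()}
    return sorted({by_key[canon(n)] for n in cluster if canon(n) in by_key})


def to_stix_intrusion_set(primary, cluster):
    """STIX 2.1-shaped intrusion-set dict, hand-built rather than via the stix2
    library. The UUIDv5 scheme is an arbitrary deterministic choice for this example."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "intrusion-set",
        "spec_version": "2.1",
        "id": f"intrusion-set--{uuid.uuid5(uuid.NAMESPACE_URL, 'example/' + canon(primary))}",
        "created": now,
        "modified": now,
        "name": primary,
        "aliases": [n for n in cluster if canon(n) != canon(primary)],
    }


if __name__ == "__main__":
    clusters = build_clusters(ASSERTIONS)
    c = cluster_for("Stardust Chollima", clusters)
    print("cluster:", c, "nexus:", nexus_labels(c))  # two labels: investigate the APT28 assertion
    clean = build_clusters([a for a in ASSERTIONS if a[0] != "Example vendor"])
    print(json.dumps(to_stix_intrusion_set("Stardust Chollima", cluster_for("Stardust Chollima", clean)), indent=2))
```

With the bad assertion included, every name collapses into one cluster carrying both the DPRK and Russia labels, which is the signal to reject or review that vendor's claim before it pollutes the profile; dropping it yields a single six-name DPRK cluster that serialises cleanly as one intrusion-set with the remaining names as aliases.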
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
DPRK, malware, CrowdStrike, ransomware
Associated Malware
ID (type, votes): profile description
Stardust (type unspecified, 1 vote): Stardust is a potent malware that has been identified in cyber attacks on specific targets, notably the Katerji Group and Arfada Petroleum, both located in Syria. The malware is part of a family of malicious payloads that include Meteor and Comet, but with distinct characteristics. Stardust does not
WannaCry (type unspecified, 1 vote): WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
SpectralBlur (type unspecified, 1 vote): SpectralBlur is a macOS backdoor first publicly described in January 2024. It gives the operator unauthorized access to and control of the infected device. This malicious software is designed to exploit and damage your computer or device, often infiltrating systems through suspic
Associated Threat Actors
ID (type, votes): profile description
Silent Chollima (type unspecified, 1 vote): Silent Chollima, a North Korea-nexus threat actor, is known for its malicious cyber activities. The group, which is part of the 3rd Bureau of North Korea's Reconnaissance General Bureau (RGB), the country's foreign intelligence agency, has been associated with other groups such as Lazarus,
Static Kitten (type unspecified, 1 vote): Static Kitten, also known as MuddyWater, SeedWorm, TEMP.Zagros, and Mercury, is an Iranian government-sponsored hacking group that has been active since 2017. The group is notorious for its malicious activities, including spear-phishing campaigns targeting various entities globally, with a particula
Camaro Dragon (type unspecified, 1 vote): Camaro Dragon, a Chinese state-sponsored threat actor, has been identified as the source of several cyber attacks on European foreign affairs entities. Check Point Research has discovered and analyzed a custom firmware image affiliated with Camaro Dragon, which contained multiple malicious components
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Stardust Chollima threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created): title
DARKReading (6 months ago): North Korea Debuts 'SpectralBlur' Malware Amid macOS Onslaught
CERT-EU (9 months ago): The Future of Blockchain Security, National Security, Cybersecurity, and Health Security
CERT-EU (a year ago): North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns
CERT-EU (a year ago): Why is it so rare to hear about Western cyber-attacks?
CERT-EU (a year ago): Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks
MITRE (a year ago): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks | CISA
MITRE (a year ago): STARDUST CHOLLIMA | Threat Actor Profile | CrowdStrike
DARKReading (a year ago): North Korea's Top APT Swindled $1B From Crypto Investors in 2022
CERT-EU (a year ago): Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware