Stardust Chollima

Threat Actor updated a year ago (2024-11-29T13:43:13.962Z)

Download STIX

Preview STIX

Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the fraudulent abuse of compromised bank-operated SWIFT system endpoints, the FASTCash ATM cash-outs reported in October 2018, and significant cryptocurrency thefts. The group has been tracked under different names by various cybersecurity firms, including APT38 by FireEye, Bluenoroff by Kaspersky, Lazarus Group by ESTSecurity, and BeagleBoyz, among others. The operational framework of Stardust Chollima appears to be complex and potentially interconnected with other DPRK adversaries such as Labyrinth Chollima, Ricochet Chollima, and Silent Chollima. However, it remains unclear if elements of the TwoPence framework used by Stardust Chollima are shared among these groups. In August, the group was reported to have debuted the SpectralBlur malware, according to Proofpoint threat researcher Greg Lesnewich. Furthermore, there's a technical overlap between the WannaCry ransomware, which began self-propagating in May 2017, and both Stardust Chollima and Labyrinth Chollima. While there seems to be a degree of operational overlap with other groups, no direct link has been identified between Stardust Chollima and Silent Chollima, another threat actor involved in revenue generation attempts. Both groups leverage unique tools and infrastructure in their operations. The cybersecurity industry continues to monitor these threat actors closely, and companies are advised to incorporate intelligence on these groups into their security strategies. Cybersecurity firm CrowdStrike offers resources on how to integrate this information into an effective defense plan.

Description last updated: 2024-05-04T18:06:17.239Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT38 is a possible alias for Stardust Chollima. APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite	3
TA444 is a possible alias for Stardust Chollima. TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group has been continuously generating proprietary malware, distinguishing it from other	2
Bluenoroff is a possible alias for Stardust Chollima. BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi	2
Lazarus Group is a possible alias for Stardust Chollima. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Crowdstrike

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Silent Chollima Threat Actor is associated with Stardust Chollima. Silent Chollima, also known as Stonefly or APT45, is a threat actor with links to North Korea's foreign intelligence agency, the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau. The group has been active since at least 2015, when it began shifting its objectives. Silent Chol	Unspecified	2

Source Document References

Information about the Stardust Chollima Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securelist	25 days ago	BlueNoroff's latest campaigns: GhostCall and GhostHire
CrowdStrike	6 months ago	Deep Dive: 2025 LATAM Threat Landscape Report \| CrowdStrike
DARKReading	2 years ago	North Korea Debuts 'SpectralBlur' Malware Amid macOS Onslaught
CERT-EU	2 years ago	The Future of Blockchain Security, National Security, Cybersecurity, and Health Security
CERT-EU	2 years ago	North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns
CERT-EU	2 years ago	Why is it so rare to hear about Western cyber-attacks?
CERT-EU	2 years ago	Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks
MITRE	3 years ago	FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks \| CISA
MITRE	3 years ago	STARDUST CHOLLIMA \| Threat Actor Profile \| CrowdStrike
DARKReading	3 years ago	North Korea's Top APT Swindled $1B From Crypto Investors in 2022
CERT-EU	3 years ago	Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware