**Labyrinth Chollima Evolves into Three North Korean Hacking Groups**
The cyber threat landscape just got a whole lot more complex. One of the most prolific North Korean-linked cyber threat groups, Labyrinth Chollima, has undergone a significant evolution, splitting into three distinct hacking groups, according to leading cybersecurity firm CrowdStrike.
On January 29, CrowdStrike published a blog detailing the transformation, which will now see the group tracked as Labyrinth Chollima, Golden Chollima, and Pressure Chollima. The company assessed "with high confidence" that while Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies, the other groups have shifted towards targeting cryptocurrency entities.
Each group is utilizing distinct toolsets in their malware campaigns, according to CrowdStrike. These toolsets are all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. However, despite now operating independently, these three adversaries still share tools and infrastructure, indicating centralized coordination and resource allocation within the North Korean cyber ecosystem.
**The Evolution of Labyrinth Chollima**
Labyrinth Chollima (also known as UNC4034 and Temp.Hermit) is one of the most active cyber threat groups attributed to North Korea. According to CrowdStrike, the group is responsible for some of North Korea's most notable intrusions, including destructive attacks against South Korean and US entities and the global WannaCry ransomware incident.
While some of the group's past operations have been attributed to the Lazarus Group, most cyber threat intelligence analysts now appear to have abandoned that name because it encompasses too many distinct teams within North Korea's hacking ecosystem. For example, the entry for the Lazarus Group on Malpedia, a cyber threat intelligence repository maintained by Germany's Fraunhofer research institute, lists 42 different aliases, highlighting how broadly the name has been applied to distinct North Korean hacking teams.
**The Origins of Labyrinth Chollima**
CrowdStrike started tracking the Labyrinth Chollima group as a distinct cyber hacking group tied to the North Korean regime when it discovered the KorDLL malware framework used in the wild between 2009 and 2015. KorDLL is a source code repository containing implant templates, command-and-control (C2) protocols, libraries for common tasks, and code for various obfuscation techniques.
This framework "spawned several epoch-defining malware families, including Dozer, Brambul, Joanap, KorDLL Bot, and Koredos," said CrowdStrike. It later evolved into the Hawup and TwoPence malware frameworks, which led CrowdStrike to split Labyrinth Chollima into two groups: Labyrinth Chollima, which used the Hawup framework, and Stardust Chollima, which used the TwoPence framework and its evolved versions.
**The New Players**
Today, CrowdStrike is sharing a new evolution of the Hawup framework into three distinct versions: the Hoplight framework used by Labyrinth Chollima, the Jeus framework used by Golden Chollima, and the MataNet framework used by Pressure Chollima alongside the TwoPence framework.
Apart from using distinctive tooling, the three groups also differ in their targeting and in their tactics, techniques, and procedures (TTPs):
* **Labyrinth Chollima**: Focuses on cyber espionage, targeting industrial, logistics, and defense companies.
* **Golden Chollima**: Shifted towards targeting cryptocurrency entities, using a distinctive toolset known as Jeus.
* **Pressure Chollima**: Also targets cryptocurrency entities, utilizing the MataNet framework alongside the TwoPence framework.
The emergence of these three distinct groups highlights the ever-evolving nature of North Korea's cyber threat landscape. As cybersecurity firms continue to track and analyze these groups, it becomes increasingly clear that their tactics, techniques, and procedures (TTPs) are becoming more sophisticated and targeted.
**Conclusion**
The evolution of Labyrinth Chollima into three distinct hacking groups serves as a stark reminder of the ongoing threat posed by North Korea's cyber operations. As the global cybersecurity community continues to monitor and analyze these groups, it is essential to stay vigilant and adapt to the ever-changing landscape of cyber threats.