Threat Actor Profile

Labyrinth Chollima

Labyrinth Chollima, active since at least 2009, is a North Korean state-sponsored threat actor tracked under that name by CrowdStrike and operating under the broader Lazarus Group umbrella. Known for high-profile operations such as the Sony Pictures hack and the Bangladesh Bank heist, the group blends espionage, financial theft, and destructive attacks in support of the North Korean regime's objectives.

Country of Origin

Labyrinth Chollima originates from North Korea. Cybersecurity researchers attribute its operations to the Reconnaissance General Bureau (RGB), the primary intelligence agency of North Korea, tying it directly to state-sponsored activities out of Pyongyang.

Members

The precise size and makeup of Labyrinth Chollima's team remain unknown. Based on the complexity and scope of known operations, the group is believed to consist of highly skilled operatives with expertise in malware development, exploit engineering, and reconnaissance.

Leadership

Details regarding the specific leadership of Labyrinth Chollima remain undisclosed. However, the group operates as a subset of the Lazarus Group, suggesting leadership is under direct control and influence of North Korea’s intelligence apparatus.

Labyrinth Chollima TTPs

Tactics

Labyrinth Chollima's primary objectives are espionage (targeting government, defense, and media organizations), revenue generation to circumvent international sanctions, and destructive attacks carried out for retaliation or political messaging.

Techniques

The group gains initial access through spear phishing with malicious links or attachments, watering-hole attacks on websites its targets are known to visit, and exploitation of vulnerabilities in internet-exposed servers. To evade detection, it relies on custom malware and tradecraft such as DLL side-loading (a legitimately signed executable is tricked into loading a malicious DLL placed beside it) and the use of code-signed binaries.

Procedures

Labyrinth Chollima harvests credentials with keyloggers and tools such as Mimikatz, then moves laterally with built-in or freely available administration tooling such as PsExec and WMI rather than bespoke malware, which helps the activity blend in with normal administration. Operations culminate in long-term espionage, cryptocurrency theft, or sabotage via disk-wiping malware.
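The three behaviours named in the Techniques and Procedures paragraphs above (DLL side-loading, Mimikatz-style access to LSASS, and lateral movement via PsExec or WMI) each leave a recognisable trace in endpoint telemetry. The following is an added example, not code from the original page or from Huntress, that runs three small detection rules over constructed Sysmon-style events. The field names follow Sysmon's conventions (Event ID 7 image load, Event ID 10 process access, Event ID 1 process creation), but the events, hostnames, paths, access-mask set and allowlists are assumptions made for the example and would need tuning in a real environment.

```python
"""Toy detections over constructed Sysmon-style events (JSON lines).

One rule per behaviour named in the profile: DLL side-loading, LSASS
credential access of the kind Mimikatz performs, and lateral movement
via PsExec or WMI. The events are constructed for this example; they
are not real logs.
"""
import json
import ntpath

# Access masks credential dumpers typically request on lsass.exe
# (PROCESS_VM_READ plus query rights). Assumed values for the example.
LSASS_SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x1fffff"}
# Assumed allowlist of processes that legitimately open lsass.exe.
LSASS_BENIGN_SOURCES = {"csrss.exe", "wininit.exe", "msmpeng.exe", "services.exe"}

# Directories where unsigned DLLs are tolerated; an unsigned DLL loaded
# from the host binary's own directory elsewhere is a side-load candidate.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Interpreters that WmiPrvSE.exe should not normally spawn.
WMI_SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower() + "\\"


def rule_dll_sideload(ev: dict):
    """EID 7: unsigned DLL loaded from the host binary's own directory,
    outside the trusted locations."""
    if ev.get("EventID") != 7 or str(ev.get("Signed", "")).lower() == "true":
        return None
    host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if _dir(dll).startswith(TRUSTED_DLL_DIRS) or _dir(dll) != _dir(host):
        return None
    return f"unsigned {_name(dll)} side-loaded by {_name(host)} from {_dir(dll)}"


def rule_lsass_access(ev: dict):
    """EID 10: a non-allowlisted process opens lsass.exe with memory-read
    rights, the pattern Mimikatz and similar dumpers produce."""
    if ev.get("EventID") != 10 or _name(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    src = _name(ev.get("SourceImage", ""))
    access = str(ev.get("GrantedAccess", "")).lower()
    if src in LSASS_BENIGN_SOURCES or access not in LSASS_SUSPICIOUS_ACCESS:
        return None
    return f"{src} opened lsass.exe with GrantedAccess {access}"


def rule_lateral_movement(ev: dict):
    """EID 1: the PsExec service binary starting, or WmiPrvSE.exe spawning
    an interpreter; both are signatures of remote execution."""
    if ev.get("EventID") != 1:
        return None
    image, parent = _name(ev.get("Image", "")), _name(ev.get("ParentImage", ""))
    if image == "psexesvc.exe":
        return f"PsExec service started (user {ev.get('User', '?')})"
    if parent == "wmiprvse.exe" and image in WMI_SUSPICIOUS_CHILDREN:
        return f"WMI provider host spawned {image}: {ev.get('CommandLine', '')}"
    return None


RULES = {
    "dll_sideload": rule_dll_sideload,
    "lsass_credential_access": rule_lsass_access,
    "lateral_movement": rule_lateral_movement,
}


def scan(events):
    """Run every rule over every event; return (rule, host, detail) tuples."""
    alerts = []
    for ev in events:
        for rule_name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append((rule_name, ev.get("Computer", "?"), detail))
    return alerts


def parse_jsonl(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample: four suspicious events and one benign image load.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Computer": "WS01", "Image": "C:\\Users\\Public\\vendor\\upd.exe", "ImageLoaded": "C:\\Users\\Public\\vendor\\version.dll", "Signed": "false"}
{"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Users\\Public\\vendor\\upd.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 1, "Computer": "SRV02", "Image": "C:\\Windows\\PSEXESVC.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "CORP\\svc-backup"}
{"EventID": 1, "Computer": "SRV02", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 7, "Computer": "WS01", "Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Program Files\\App\\helper.dll", "Signed": "false"}
"""

if __name__ == "__main__":
    for rule_name, host, detail in scan(parse_jsonl(SAMPLE_EVENTS)):
        print(f"[{rule_name}] {host}: {detail}")
```

The allowlists are the weak point of rules like these: a real deployment would populate LSASS_BENIGN_SOURCES from observed EDR and backup agents, and would treat an unsigned DLL under Program Files as a lower-severity finding rather than ignoring it outright as the example does.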

Notable Cyberattacks

Sony Pictures Hack (2014)

Carried out in retaliation for a satirical film, the attack combined large-scale data leaks with destructive wiper malware to expose sensitive information and disrupt the studio's operations.

Bangladesh Bank Heist (2016)

Used fraudulent SWIFT payment instructions to steal approximately $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York, an incident that reshaped how financial institutions secure their payment systems.

WannaCry Ransomware Attack (2017)

A global outbreak that disrupted healthcare and businesses, with Labyrinth Chollima suspected of playing a role.

Cryptocurrency Exchange Attacks (2018–2022)

Cumulatively netted hundreds of millions in stolen assets from digital financial platforms.

Law Enforcement & Arrests

No arrests of Labyrinth Chollima operatives have been made, but agencies such as the FBI and Interpol actively track the group's activity and publicly attribute its operations to the North Korean regime. Public indictments and sanctions are the main levers used to curtail its reach.

How to Defend Against Labyrinth Chollima

1. Email Security: Employ phishing-resistant measures, sandbox suspicious attachments, and train staff on recognizing spoofed emails.

2. Patch Management: Promptly address vulnerabilities in enterprise systems such as VPN software and web servers.

3. Network Monitoring: Track unusual outbound traffic, tunneling, and unauthorized access.

4. Account Protection: Enforce multi-factor authentication (MFA) and bolster credential security.

5. Segmentation: Isolate critical infrastructure from commonly accessed systems.

Don’t leave your business vulnerable to advanced threat actors like Labyrinth Chollima. Investing in managed cybersecurity services, like Huntress, gives you the edge with tools like Managed Endpoint Detection and 24/7 SOC support. Arm yourself with experts who can detect, respond to, and prevent cyberattacks—keeping your operations secure while you focus on growth. Take action now to stay one step ahead of evolving cyber threats!
