Threat Actor Profile
Labyrinth Chollima
Labyrinth Chollima, active since at least 2009, is a North Korean state-sponsored threat actor operating under the Lazarus Group umbrella. Known for high-profile cyber operations like the Sony Pictures hack and the Bangladesh Bank heist, this group blends espionage, financial theft, and destructive tactics to support the ambitions of the North Korean regime.
Labyrinth Chollima TTPs
Tactics
Labyrinth Chollima’s primary goals include espionage (targeting government entities, defense, and media), generating financial gains to circumvent international sanctions, and conducting destructive attacks for retaliation or political messaging.
Techniques
The group gains initial access through spear phishing with malicious links or attachments, watering-hole attacks on websites its targets are known to visit, and exploitation of vulnerabilities in internet-facing servers. To evade detection, it relies on custom malware and tradecraft such as DLL side-loading, in which a legitimate, signed executable is made to load a malicious DLL placed alongside it, so the malicious code runs inside a trusted, signed process.
Procedures
Labyrinth Chollima steals credentials with keyloggers and tools such as Mimikatz, then moves laterally using widely available administrative tooling such as PsExec and WMI alongside its custom implants. Operations culminate in long-term espionage, cryptocurrency theft, or sabotage via disk-wiping malware.
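The techniques and procedures above map to a handful of host-level signals: a well-known Windows DLL name loaded from a user-writable directory (side-loading), the PSEXESVC service binary starting (PsExec), a shell spawned by the WMI provider host (WMI lateral movement), and Mimikatz module syntax on a command line. The following is an added example, not code from the original page or from Huntress, showing how those signals can be checked against Sysmon-style events. The event shape (EventID 7 for image loads, EventID 1 for process creation, with Image, ImageLoaded, ParentImage, CommandLine and Signed fields) follows Sysmon's field names, but the sample events, the DLL name list and the rule names are constructed for illustration.

```python
import json
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

# Constructed sample events in a Sysmon-like JSON shape (not real telemetry).
SAMPLE_EVENTS = [
    # 1. A signed installer in %TEMP% loads version.dll from the same folder: classic side-load.
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\version.dll", "Signed": "false"},
    # 2. The same DLL name loaded from System32 is normal and must not alert.
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # 3. PsExec's service-side binary being started by the Service Control Manager.
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    # 4. A shell spawned by the WMI provider host: remote execution via WMI.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"},
    # 5. A renamed binary using Mimikatz module syntax on its command line.
    {"EventID": 1, "Image": r"C:\Tools\m.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords"},
    # 6. Benign service host start: must not alert.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)  # one JSON object per line

# Directories from which these DLL names are legitimately loaded (assumption: default install).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Small constructed list of DLL names that are frequently chosen for side-loading.
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "userenv.dll"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe"}
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")


def detect_sideload(ev):
    """EventID 7: a commonly hijacked DLL name loaded from outside the system directories."""
    if ev.get("EventID") != 7:
        return None
    dll = ev["ImageLoaded"]
    if ntpath.basename(dll).lower() not in SIDELOAD_DLLS:
        return None
    if ntpath.dirname(dll).lower().startswith(SYSTEM_DIRS):
        return None
    return f"possible DLL side-loading: {ev['Image']} loaded {dll} (DLL signed={ev.get('Signed')})"


def detect_lateral_or_credtheft(ev):
    """EventID 1: PsExec service, WMI-spawned shell, or Mimikatz-style command line."""
    if ev.get("EventID") != 1:
        return None
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "")
    if image == "psexesvc.exe":
        return f"PsExec service binary executed: {ev['Image']}"
    if parent == "wmiprvse.exe" and image in SHELLS:
        return f"WMI-spawned shell: {parent} -> {image} ({cmd})"
    if any(marker in cmd.lower() for marker in MIMIKATZ_MARKERS):
        return f"Mimikatz-style command line: {cmd}"
    return None


RULES = (detect_sideload, detect_lateral_or_credtheft)


def scan(events):
    """Run every rule over every event and return the list of alert strings."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def scan_jsonl(text):
    """Scan newline-delimited JSON, as exported by most log shippers; blank lines are skipped."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for alert in scan_jsonl(SAMPLE_LOG):
        print(alert)
```

Events 2 and 6 are deliberately benign so the rules can be checked for false positives as well as hits; in production the system-directory list and the DLL name list would be tuned to the estate, and the side-loading rule is usually paired with a check that the hosting executable itself is signed.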
Notable Cyberattacks
Sony Pictures Hack (2014)
Bangladesh Bank Heist (2016)
WannaCry Ransomware Attack (2017)
Cryptocurrency Exchange Attacks (2018–2022)
Law Enforcement & Arrests
No arrests of Labyrinth Chollima operatives have been reported, since they operate from inside North Korea, but agencies such as the FBI and Interpol actively track the group's activity and attribute its operations to the North Korean regime. Public indictments and sanctions have been used to curtail its reach.
How to Defend Against Labyrinth Chollima
Email Security: Use phishing-resistant authentication, detonate suspicious attachments in a sandbox before delivery, and train staff to recognize spoofed senders and lookalike domains.
Patch Management: Promptly patch internet-facing systems such as VPN appliances and web servers, which this group exploits for initial access.
Network Monitoring: Alert on unusual outbound traffic, tunneling, and logons from unexpected hosts or at unexpected times.
Account Protection: Enforce multi-factor authentication (MFA), restrict where privileged accounts may log on, and protect credentials held in memory (for example by enabling LSA protection) to blunt tools like Mimikatz.
Segmentation: Isolate critical infrastructure from user workstations and other commonly accessed systems so that a single compromised host cannot reach it directly.
Don’t leave your business vulnerable to advanced threat actors like Labyrinth Chollima. Investing in managed cybersecurity services, like Huntress, gives you the edge with tools like Managed Endpoint Detection and 24/7 SOC support. Arm yourself with experts who can detect, respond to, and prevent cyberattacks—keeping your operations secure while you focus on growth. Take action now to stay one step ahead of evolving cyber threats!