securityonline.info 2/3/2026, 3:15:26 AM · via preferred

Hydra Tactics: North Korea’s LABYRINTH CHOLLIMA Splits to Hunt Crypto & Secrets

According to CrowdStrike, one of North Korea’s most aggressive cyber units has evolved into three distinct groups: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a core espionage unit that retains the LABYRINTH CHOLLIMA name. The restructuring marks a move from a monolithic threat to a diversified set of adversaries capable of espionage and high-value theft, with each group specialising in different targets and tradecraft.

GOLDEN CHOLLIMA is described as focusing on baseline revenue generation through smaller, frequent thefts, targeting fintech firms in the U.S., South Korea, and Europe, and using tools such as Jeus and AppleJeus to drain cryptocurrency wallets. PRESSURE CHOLLIMA is depicted as one of the most technically advanced adversaries, pursuing high-payout opportunities regardless of geography and responsible for large cryptocurrency heists on centralized exchanges.

The core LABYRINTH CHOLLIMA unit concentrates on intelligence collection in defense, maritime, military, and nuclear sectors, while all three share a common origin in the KorDLL and Hawup frameworks and remain interconnected. The investigation notes that financial pressures and sanctions may be driving this evolution, with potential funding of strategic military projects.

Article by CyberSIXT