Labyrinth Chollima split into three North Korean hacking groups

Threat Actor Meta
First reported
Last updated
Happening score: 15
2 unique sources, 2 articles

Summary

Labyrinth Chollima has been split into three tracked North Korean groups, reshaping how defenders map a major DPRK cyber ecosystem and its target set. Golden Chollima and Pressure Chollima are now tracked separately from the original cluster. The split matters because the groups show distinct toolsets and different targeting priorities, even while they still share infrastructure.

Related Happenings

Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations

Campaign
First: 25.05.2026 12:32 Last: 25.05.2026 12:32 Sources 1

About this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....

Silk Typhoon / Hafnium coordinated intelligence-gathering campaign

Campaign
First: 27.04.2026 22:56 Last: 27.04.2026 22:56 Sources 1

About this happening: The **Silk Typhoon / Hafnium** operation is tied to a **coordinated intelligence-gathering campaign** spanning **February 2020 to June 2021**, underscoring a sustained espionage e...

Latest development: 28.04.2026 15:30

US officials described Silk Typhoon/Hafnium activity from February 2020 to June 2021 as a coordinated intelligence-gathering campaign that targeted US universities and COVID-19 researchers, including a Texas university network, and later expanded into Microsoft Exchange Server vulnerability exploitation. The operation reportedly used stolen mailbox access to search for vaccines, treatments, and testing research, and the FBI said the campaign affected more than 12,700 US organizations.

North Korean Drift contributor targeting campaign

Campaign
First: 06.04.2026 19:35 Last: 06.04.2026 19:35 Sources 1

About this happening: A **North Korean** targeting campaign against **Drift Protocol contributors** ran for at least **six months** before the later theft, increasing the attackers' access and credibil...

Microsoft Teams adds lobby labeling and separate admission for third-party bots

Security Tool/Service
First: 09.03.2026 19:12 Last: 09.03.2026 19:12 Sources 1

About this happening: **Microsoft Teams** is adding **automatic lobby labels** for **external third-party bots**, making it harder for non-human participants to blend in and reducing accidental admissi...

Russian-speaking threat actor campaign expands across multiple victims

Campaign
First: 09.03.2026 01:35 Last: 09.03.2026 01:35 Sources 1

About this happening: A **Russian-speaking threat actor** ran an **AI-augmented campaign** against **FortiGate security appliances**, using **multiple commercial AI services** to scale compromise attem...

Timeline

  1. 29.01.2026 02:00 3 articles · 3mo ago

    CrowdStrike splits Labyrinth Chollima into three tracked groups

    Attribution Update

    CrowdStrike reclassified the North Korean-linked Labyrinth Chollima ecosystem into three tracked groups: Labyrinth Chollima, Golden Chollima and Pressure Chollima. According to CrowdStrike, the original cluster remains focused on cyber espionage against industrial, logistics and defense companies, while the other two groups target cryptocurrency entities. All three still share tools and infrastructure. The group lineage includes earlier malware-framework evolution such as KorDLL, Hawup and TwoPence.