Labyrinth Chollima split into three North Korean hacking groups
Threat Actor Meta
Summary
Hide ▲
Show ▼
Labyrinth Chollima has been split into three tracked North Korean groups, reshaping how defenders map a major DPRK cyber ecosystem and its target set. Golden Chollima and Pressure Chollima are now tracked separately from the original cluster. The split matters because the groups show distinct toolsets and different targeting priorities, even while they still share infrastructure.
Related Happenings
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor Meta
H score26
First: 07.07.2026 17:00
Last: 07.07.2026 17:00
Sources 1
About this happening:
**Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor MetaAbout this happening: **Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
H score15
First: 29.05.2026 14:31
Last: 29.05.2026 14:31
Sources 1
About this happening:
A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor MetaAbout this happening: A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations
Campaign
H score38
First: 25.05.2026 12:32
Last: 25.05.2026 12:32
Sources 1
About this happening:
The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....
Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations
CampaignAbout this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....
Timeline
-
29.01.2026 02:00 3 articles · 5mo ago
CrowdStrike splits Labyrinth Chollima into three tracked groups
Attribution UpdateCrowdStrike reclassified the North Korean-linked Labyrinth Chollima ecosystem into three tracked groups — Labyrinth Chollima, Golden Chollima and Pressure Chollima — saying the original cluster remains focused on cyber espionage against industrial, logistics and defense companies, while the other two groups target cryptocurrency entities and all three still share tools and infrastructure. The group lineage includes earlier malware-framework evolution such as KorDLL, Hawup and TwoPence.
Show sources
- Labyrinth Chollima Evolves into Three North Korean Hacking Groups — www.infosecurity-magazine.com — 30.01.2026 17:40
- Labyrinth Chollima Evolves into Three North Korean Hacking Groups — www.infosecurity-magazine.com — 30.01.2026 17:40
- DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies — thehackernews.com — 10.02.2026 19:44