{"id":8309,"date":"2026-01-29T05:00:00","date_gmt":"2026-01-29T11:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87595"},"modified":"2026-01-29T05:00:00","modified_gmt":"2026-01-29T11:00:00","slug":"long-running-north-korea-threat-group-splits-into-3-distinct-operations","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/29\/long-running-north-korea-threat-group-splits-into-3-distinct-operations\/","title":{"rendered":"Long-running North Korea threat group splits into 3 distinct operations"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Long-running North Korea threat group splits into 3 distinct operations | CyberScoop<\/title> <meta name=\"description\" content=\"The trio, which share lineage with the more broadly defined Lazarus Group, are focused on espionage and cryptocurrency theft, according to CrowdStrike.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/north-korea-labyrinth-chollima-splits-crowdstrike\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Long-running North Korea threat group splits into 3 distinct operations\"> <meta property=\"og:description\" content=\"The trio, which share lineage with the more broadly defined Lazarus Group, are focused on espionage and cryptocurrency theft, according to CrowdStrike.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/north-korea-labyrinth-chollima-splits-crowdstrike\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" 
content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-29T11:00:00+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1024\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1768841770g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" 
type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87595\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87595\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-labyrinth-chollima-splits-crowdstrike%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-labyrinth-chollima-splits-crowdstrike%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87595 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/north-korea-labyrinth-chollima-splits-crowdstrike\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span 
class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"27.018556701031\">\n<div class=\"single-article__header-content\" readability=\"37.40625\">\n<p> The trio, which share lineage with the more broadly defined Lazarus Group, are focused on espionage and cryptocurrency theft, according to CrowdStrike. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87595\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"341\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations.jpg?resize=640%2C341&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"North Korea Worker's Party Monument\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg?resize=300,160 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg?resize=768,410 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg?resize=1024,546 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg?resize=1536,819 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg?resize=600,320 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg?resize=1200,640 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-2.jpg?resize=1500,800 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> The North Korea Worker&#8217;s Party Monument in Pyongyang. 
(Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"40.770611702128\"><body readability=\"83.952879581152\"><\/p>\n<p>A North Korea-backed threat group operating since 2009 has splintered into three distinct groups with specialized malware and objectives, CrowdStrike said in a <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/labyrinth-chollima-evolves-into-three-adversaries\/\">report<\/a> released Thursday.<\/p>\n<p>Labeled \u201cLabyrinth Chollima\u201d by the company, the group follows a divergence pattern CrowdStrike observed previously. Labyrinth Chollima has spawned two additional groups: Golden Chollima and Pressure Chollima. The spin-offs, which have been operating since 2020, allow Labyrinth Chollima to narrow its focus on espionage, targeting victims in the manufacturing, logistics, defense and aerospace industries.&nbsp;<\/p>\n<p>Golden Chollima and Pressure Chollima are squarely focused on stealing cryptocurrency, which funnels money back to the regime, with some of the proceeds funding North Korea\u2019s cyber operations. 
Pressure Chollima, which was responsible for last year\u2019s record-breaking <a href=\"https:\/\/cyberscoop.com\/bybit-lazarus-group-north-korea-ethereum\/\">$1.46 billion cryptocurrency theft<\/a>, targets high-payout opportunities and has evolved into one of North Korea\u2019s most technically advanced threat groups, according to CrowdStrike.<\/p>\n<p>The groups, which share lineage with the more broadly defined Lazarus Group, share some tools and infrastructure, which indicates centralized coordination, but they\u2019ve also developed more specialized capabilities for their specific objectives, researchers said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>As North Korea\u2019s threat groups continue to branch out, the rogue nation is developing more capabilities and expanding its reach and impact, Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.<\/p>\n<p>\u201cWhat we\u2019re seeing down range is now aligned with what we\u2019ve seen from a bureaucratic perspective up range,\u201d Meyers said.&nbsp;<\/p>\n<p>\u201cOver time, as their mission was successful, the bureaucracy grew and the scope of the mission grew, and obviously the organization grew,\u201d he added. \u201cThey\u2019ve been operating a resistance economy for many, many years and cyber gives them the ability to do this deniably and at a distance.\u201d&nbsp;<\/p>\n<p>CrowdStrike currently tracks eight distinct North Korea-backed threat groups, with the addition of Golden Chollima and Pressure Chollima. 
The cybersecurity firm expects the groups focused on cryptocurrency theft to scale their operations as international sanctions impair North Korea\u2019s economy.<\/p>\n<p>Labyrinth Chollima has more recently targeted European aerospace companies, defense manufacturers, logistics and shipping companies, and U.S.-based critical infrastructure providers, including those involved in hydroelectric power. The threat group, which other firms track as Diamond Sleet and Operation Dream Job, has also developed a knack for employment-themed social engineering, researchers said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cNorth Korea is probably one of the top-notch actors out there. A lot of people don\u2019t give them credit for that,\u201d Meyers said.<\/p>\n<p>CrowdStrike\u2019s research on Labyrinth Chollima\u2019s spin-offs also provides indicators of compromise and malware samples observed in various attacks, with the aim of helping organizations defend against these distinct threats.<\/p>\n<p>\u201cYou need to know who the threats are to your specific industry and geolocation, because you can\u2019t defend against all the threats all the time,\u201d Meyers said. \u201cYou can\u2019t boil the ocean.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5068359375\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/long-running-north-korea-threat-group-splits-into-3-distinct-operations-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. 
His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div 
id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/north-korea-labyrinth-chollima-splits-crowdstrike\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Long-running North Korea threat group splits into 3 distinct operations<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2350,3734,337,1753,282,78,624,5869,1010,647,256,288],"tags":[2354,3736,340,1756,286,86,629,5870,242,240,262,294],"class_list":["post-8309","post","type-post","status-publish","format-standard","hentry","category-crowdstrike","category-crypto-crime","category-cryptocurrency","category-cyber-espionage","category-cybercrime","category-cybersecurity","category-espionage","category-labyrinth-chollima","category-lazarus-group","category-north-korea","category-research","category-threats","tag-crowdstrike","tag-crypto-crime","tag-cryptocurrency","tag-cyber-espionage","tag-cybercrime","tag-cybersecurity","tag-espionage","tag-labyrinth-chollima","tag-lazarus-group","tag-north-korea","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crowdstrike\/\" rel=\"category 
tag\">CrowdStrike<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crypto-crime\/\" rel=\"category tag\">crypto crime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cryptocurrency\/\" rel=\"category tag\">cryptocurrency<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-espionage\/\" rel=\"category tag\">cyber espionage<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/espionage\/\" rel=\"category tag\">espionage<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/labyrinth-chollima\/\" rel=\"category tag\">Labyrinth Chollima<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lazarus-group\/\" rel=\"category tag\">Lazarus Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category 
tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8309"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8309\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}