Three NEW DPRK-Adversaries Emerging from LABYRINTH CHOLLIMA

New analysis published by CrowdStrike suggests that a long-tracked North Korean cyber operation known as LABYRINTH CHOLLIMA has undergone a structural reorganisation, splitting into three distinct but coordinated threat groups with specialised roles.
According to the research, the original LABYRINTH CHOLLIMA operation now functions alongside two new adversaries, labelled GOLDEN CHOLLIMA and PRESSURE CHOLLIMA. CrowdStrike assesses that the three groups operate as separate organisational units with their own objectives, malware toolsets and operational tempo, while remaining linked through shared infrastructure and tradecraft. The shift represents a deliberate evolution in how the DPRK conducts cyber operations, enabling multiple strategic priorities to be pursued in parallel.
The most significant change is the formal separation between financially motivated activity and espionage. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA are assessed to focus primarily on cryptocurrency platforms and financial entities, operating at scale to generate revenue for the regime. These campaigns reflect the continued reliance on cyber-enabled theft as a means of funding state priorities under international sanctions, with operations characterised by high transaction volumes and rapid exploitation cycles.
By contrast, the core LABYRINTH CHOLLIMA group continues to prioritise espionage, with targeting concentrated on industrial, logistics and defence-related organisations. These operations are assessed to be longer-term in nature, focused on intelligence collection and strategic positioning rather than immediate financial gain.
Despite the functional separation, CrowdStrike notes that all three adversaries share malware families, infrastructure and operational techniques. This overlap strongly suggests centralised coordination within the DPRK cyber ecosystem rather than independent criminal activity. From a risk perspective, this structure allows North Korea to reuse proven tools while flexibly allocating resources across revenue generation, intelligence collection and strategic disruption.
For cyber risk leaders, the findings reinforce the need to move beyond simple threat actor labels and toward a deeper understanding of adversary operating models. The same organisation may now face different DPRK-linked threats with distinct motivations, attack timelines and impact profiles, even when technical indicators appear similar.
The evolution also has implications for incident response and attribution. Shared infrastructure and malware may obscure the underlying objective of an intrusion, increasing the risk of misjudging intent during early stages of an attack. Financial institutions, cryptocurrency platforms, defence suppliers and industrial operators remain particularly exposed, but the research highlights how threat convergence can blur traditional sector boundaries.
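The attribution problem described above, where shared malware and infrastructure leave more than one DPRK-linked group as a plausible source, can be made concrete with a small triage model. The following Python is an added illustration and is not code or data from CrowdStrike's research: the three adversary names and their assessed objectives come from the analysis above, but every indicator name, tooling assignment and sector mapping is a constructed placeholder, not a real IoC.

```python
"""Attribution-ambiguity triage for adversaries that share tooling.

Constructed example: adversary names and objectives follow the analysis
summarised above; indicator names and the tooling/sector tables are
illustrative placeholders only, not real indicators of compromise.
"""

# Hypothetical tooling per adversary. Overlapping entries model the shared
# malware families and infrastructure the report describes.
ADVERSARY_TOOLING = {
    "LABYRINTH CHOLLIMA": {"loader-A", "rat-B", "c2-domain-1"},
    "GOLDEN CHOLLIMA": {"loader-A", "stealer-C", "c2-domain-1"},
    "PRESSURE CHOLLIMA": {"loader-A", "stealer-C", "c2-domain-2"},
}

# Primary objective per adversary, as assessed in the report.
ADVERSARY_OBJECTIVE = {
    "LABYRINTH CHOLLIMA": "espionage",
    "GOLDEN CHOLLIMA": "financial",
    "PRESSURE CHOLLIMA": "financial",
}

# Constructed mapping from victim sector to the objective it most plausibly
# attracts; this is the non-technical context that can break a tie.
SECTOR_OBJECTIVE = {
    "cryptocurrency": "financial",
    "financial": "financial",
    "defence": "espionage",
    "industrial": "espionage",
    "logistics": "espionage",
}


def candidate_adversaries(observed):
    """Adversaries whose known tooling best overlaps the observed indicators.

    Returns the names tied for the highest overlap count, sorted; an empty
    list means no known tooling matched at all.
    """
    observed = set(observed)
    counts = {name: len(tools & observed) for name, tools in ADVERSARY_TOOLING.items()}
    best = max(counts.values(), default=0)
    if best == 0:
        return []
    return sorted(name for name, count in counts.items() if count == best)


def assess(observed, victim_sector=None):
    """Combine indicator overlap with victim context to estimate intent.

    Technical indicators alone often leave several candidates; when those
    candidates differ in objective, the victim sector is used to narrow
    them. If every candidate shares one objective, the sector cannot
    separate them and the result stays ambiguous on actor but not on intent.
    """
    candidates = candidate_adversaries(observed)
    objectives = sorted({ADVERSARY_OBJECTIVE[c] for c in candidates})
    if victim_sector in SECTOR_OBJECTIVE and len(objectives) > 1:
        hint = SECTOR_OBJECTIVE[victim_sector]
        narrowed = [c for c in candidates if ADVERSARY_OBJECTIVE[c] == hint]
        if narrowed:
            candidates, objectives = narrowed, [hint]
    return {
        "candidates": candidates,
        "ambiguous": len(candidates) > 1,
        "objectives": objectives,
    }


if __name__ == "__main__":
    # Same constructed indicators, two different victim sectors.
    seen = {"loader-A", "c2-domain-1"}
    print(assess(seen))                            # ambiguous: espionage vs financial
    print(assess(seen, victim_sector="defence"))   # narrowed to the espionage group
    print(assess({"stealer-C"}, victim_sector="cryptocurrency"))  # two financial groups remain
```

The point of the model is the second and third calls: the same indicators resolve differently once the victim's sector is considered, and even then the two financially motivated groups cannot be told apart by tooling alone, which is why early-stage intent judgements based on signatures are risky.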
As nation-state cyber programs continue to mature, the fragmentation and specialisation of adversary groups are likely to become more common. For boards and executive teams, the key lesson is that geopolitical cyber risk is no longer monolithic. It is adaptive, modular and increasingly optimised to deliver strategic outcomes at speed, often under the cover of familiar technical signatures.