【Key point】
◎CrowdStrike has split LABYRINTH CHOLLIMA into three adversaries and re-classified its tooling. The core group handles espionage, while GOLDEN and PRESSURE CHOLLIMA specialize in cryptocurrency theft; shared tooling across the three suggests central coordination. (CrowdStrike)
【Translation】
LABYRINTH CHOLLIMA evolves into three adversaries
【Figures】

Figure 1. Evolution of the KorDLL malware framework

Figure 2. Successors of LABYRINTH CHOLLIMA
Source: https://www.crowdstrike.com/en-us/blog/labyrinth-chollima-evolves-into-three-adversaries/
【Summary】
CrowdStrike assesses that LABYRINTH CHOLLIMA, whose origins trace to the KorDLL lineage from around 2009, has since 2018 evolved into three groups divided by mission. The core LABYRINTH CHOLLIMA conducts espionage against sectors such as manufacturing, logistics and defense, using lures including job offers and ZIP archives delivered over WhatsApp. GOLDEN CHOLLIMA targets cryptocurrency and fintech with toolsets such as Jeus/AppleJeus, including a case that went from a cloud IAM compromise all the way to fund transfers. PRESSURE CHOLLIMA specializes in high-value operations, deploying advanced implants via the SparkDownloader (TraderTraitor) family and malicious Node.js/Python projects, and is reported to have been involved in some of the largest thefts on record. The three groups share infrastructure and tooling with one another, suggesting unified resource allocation. The key countermeasures are verifying job offers and external contacts, inspecting dependencies, enforcing least privilege and monitoring for cloud IAM, and prioritized patching.
【Blog】
◆LABYRINTH CHOLLIMA Evolves into Three Adversaries (CrowdStrike, 2026/01/29)
[LABYRINTH CHOLLIMA evolves into three adversaries]
https://www.crowdstrike.com/en-us/blog/labyrinth-chollima-evolves-into-three-adversaries/
| Malware | Attribution | Exemplar SHA256 Hash |
|---|---|---|
| Dozer | LABYRINTH CHOLLIMA | 7dee2bd4e317d12c9a2923d0531526822cfd37eabfd7aecc74258bb4f2d3a643 |
| Brambul | LABYRINTH CHOLLIMA | d2359630e84f59984ac7ddebdece9313f0c05f4a1e7db90abadfd86047c12dd6 |
| Joanap | LABYRINTH CHOLLIMA | 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b |
| KorDLL Bot | LABYRINTH CHOLLIMA | 73edc54abb3d6b8df6bd1e4a77c373314cbe99a660c8c6eea770673063f55503 |
| Koredos | LABYRINTH CHOLLIMA | a795964bc2be442f142f5aea9886ddfd297ec898815541be37f18ffeae02d32f |
| Hawup RAT | LABYRINTH CHOLLIMA | 453d8bd3e2069bc50703eb4c5d278aad02304d4dc5d804ad2ec00b2343feb7a4 |
| Hoplight | LABYRINTH CHOLLIMA | 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 |
| Manuscrypt | LABYRINTH CHOLLIMA | dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156 |
| HTTPHoplight | LABYRINTH CHOLLIMA | ceccb2339088fa2d6337082704bbf67f84eeb0d0b60ce5ab0ab7e1824002fa4c |
| OpenSSL Downloader | LABYRINTH CHOLLIMA | f749c7e84809ffc3939eaed06ad90e15b0e11375f98d7348c0aa1bf35d3f0b8e |
| UnderGroundRAT | LABYRINTH CHOLLIMA | f9586fdf4e0a65b17ee32bc3c3f493a055409abde373720d594d27fd24adffa0 |
| NedDnLoader | LABYRINTH CHOLLIMA | 512877c98fd83cd51bb287da4462b44f9d276d7ce51890f4ded1b915a6d2d5e1 |
| Stackeyflate | LABYRINTH CHOLLIMA | d2e743216d17e97c8d1913d376d46095b740015f26a3c62a05e286573721d26c |
| HiberRAT | LABYRINTH CHOLLIMA | 58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c |
| WinWebDown | LABYRINTH CHOLLIMA | fc885b323172106ab6f2f0cc77b609987384a38e3af41ad888d5389610d29daf |
| FudModule | LABYRINTH CHOLLIMA, GOLDEN CHOLLIMA | cbd1634cf7c638f2faf5e3ec79137db6704ec9de8df798fc46aeeed38de3da9b |
| Scuzzyfuss | PRESSURE CHOLLIMA | b9f6a9d4f837f5b8a5dc9987a91ba44bc7ae7f39aa692b5b21dba460f935a0ae |
| MataNet | PRESSURE CHOLLIMA | 357c9daf6c4343286a9a85a27bc25defdc056877ce1be2943d2e8ede3bce022c |
| SwDownloader | PRESSURE CHOLLIMA | a61ecbe8a5372c85dcf5d077487f09d01e144128243793d2b97012440dcf106e |
| SparkDownloader | PRESSURE CHOLLIMA | 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598 |
| TwoPence Electric | PRESSURE CHOLLIMA | 081804b491c70bfa63ecdbe9fd4618d3570706ad8b71dba13e234069648e5e48 |
| MagikCookie | PRESSURE CHOLLIMA | 1579347265f948f9646931335d57e7960fe65dd429394be84b4ae15bca73dfde |
| StatusSymbol | PRESSURE CHOLLIMA | 666c50b8b772101b0e2e35ff1de52a278c2727027b54858e457571d296fec50b |
| GhostShip | PRESSURE CHOLLIMA | 56e51244e258c39293463c8cf02f5dddb085be90728fab147a60741cf014aa4d |
| AlertConf | PRESSURE CHOLLIMA | e0aa5ef3af26681a8c8b46d95656580779d0ff3c2fe531b95a59ee918686e443 |
| Jeus | GOLDEN CHOLLIMA | fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e |
| HTTPHelper | GOLDEN CHOLLIMA | ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9 |
| SnakeBaker | GOLDEN CHOLLIMA | b6995c31a7ee88392fc25fd6d1a3a7975b3cb4ec3a9a318c3fcfaaf89eb65ce1 |
| NodalBaker | GOLDEN CHOLLIMA | 0518a163b90e7246a349440164d02d10f31d514a7e5cce842b6cf5b3a0cc1bfa |
| PipeDown | GOLDEN CHOLLIMA | 2ef212f433b722b734d80b41a2364a41ca0453dbfe3e6ec8b951eca795075a02 |
| DevobRAT | GOLDEN CHOLLIMA | fde50c3a373ebc2661e08c99c1cb50dc34efc022a3880c317ab5b84108ef83aa |
| Anycon | GOLDEN CHOLLIMA | 2110a6e89d98a626f846ec8deccbac057300d194933ae0cbf1ef4831a4cc829e |
| CitriLoader | GOLDEN CHOLLIMA | d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b |
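The table above is a hash-based IOC list, and the first thing a responder does with one is turn it into a lookup and sweep hosts with it. The following is an added example, not code from the CrowdStrike post or from this blog: it parses the markdown table exactly as reproduced above into a SHA256-to-attribution map (keeping shared tooling such as FudModule attributed to both adversaries), lists the families per adversary, and hashes every file under a directory to report matches. The sample files it scans are constructed for the demonstration and are not malware; the `SyntheticTestSample` entry it registers for them is an assumption of the example, not an IOC from the source. One caveat a practitioner should keep in mind: these are exemplar hashes, one sample per family, so a clean sweep rules out only those exact files, not the families themselves.

```python
import hashlib
import tempfile
from pathlib import Path

# IOC table copied verbatim from the CrowdStrike post as reproduced on this page
# (markdown rows: malware | attribution | exemplar SHA256).
IOC_TABLE = """\
| Malware | Attribution | Exemplar SHA256 Hash |
|---|---|---|
| Dozer | LABYRINTH CHOLLIMA | 7dee2bd4e317d12c9a2923d0531526822cfd37eabfd7aecc74258bb4f2d3a643 |
| Brambul | LABYRINTH CHOLLIMA | d2359630e84f59984ac7ddebdece9313f0c05f4a1e7db90abadfd86047c12dd6 |
| Joanap | LABYRINTH CHOLLIMA | 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b |
| KorDLL Bot | LABYRINTH CHOLLIMA | 73edc54abb3d6b8df6bd1e4a77c373314cbe99a660c8c6eea770673063f55503 |
| Koredos | LABYRINTH CHOLLIMA | a795964bc2be442f142f5aea9886ddfd297ec898815541be37f18ffeae02d32f |
| Hawup RAT | LABYRINTH CHOLLIMA | 453d8bd3e2069bc50703eb4c5d278aad02304d4dc5d804ad2ec00b2343feb7a4 |
| Hoplight | LABYRINTH CHOLLIMA | 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 |
| Manuscrypt | LABYRINTH CHOLLIMA | dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156 |
| HTTPHoplight | LABYRINTH CHOLLIMA | ceccb2339088fa2d6337082704bbf67f84eeb0d0b60ce5ab0ab7e1824002fa4c |
| OpenSSL Downloader | LABYRINTH CHOLLIMA | f749c7e84809ffc3939eaed06ad90e15b0e11375f98d7348c0aa1bf35d3f0b8e |
| UnderGroundRAT | LABYRINTH CHOLLIMA | f9586fdf4e0a65b17ee32bc3c3f493a055409abde373720d594d27fd24adffa0 |
| NedDnLoader | LABYRINTH CHOLLIMA | 512877c98fd83cd51bb287da4462b44f9d276d7ce51890f4ded1b915a6d2d5e1 |
| Stackeyflate | LABYRINTH CHOLLIMA | d2e743216d17e97c8d1913d376d46095b740015f26a3c62a05e286573721d26c |
| HiberRAT | LABYRINTH CHOLLIMA | 58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c |
| WinWebDown | LABYRINTH CHOLLIMA | fc885b323172106ab6f2f0cc77b609987384a38e3af41ad888d5389610d29daf |
| FudModule | LABYRINTH CHOLLIMA, GOLDEN CHOLLIMA | cbd1634cf7c638f2faf5e3ec79137db6704ec9de8df798fc46aeeed38de3da9b |
| Scuzzyfuss | PRESSURE CHOLLIMA | b9f6a9d4f837f5b8a5dc9987a91ba44bc7ae7f39aa692b5b21dba460f935a0ae |
| MataNet | PRESSURE CHOLLIMA | 357c9daf6c4343286a9a85a27bc25defdc056877ce1be2943d2e8ede3bce022c |
| SwDownloader | PRESSURE CHOLLIMA | a61ecbe8a5372c85dcf5d077487f09d01e144128243793d2b97012440dcf106e |
| SparkDownloader | PRESSURE CHOLLIMA | 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598 |
| TwoPence Electric | PRESSURE CHOLLIMA | 081804b491c70bfa63ecdbe9fd4618d3570706ad8b71dba13e234069648e5e48 |
| MagikCookie | PRESSURE CHOLLIMA | 1579347265f948f9646931335d57e7960fe65dd429394be84b4ae15bca73dfde |
| StatusSymbol | PRESSURE CHOLLIMA | 666c50b8b772101b0e2e35ff1de52a278c2727027b54858e457571d296fec50b |
| GhostShip | PRESSURE CHOLLIMA | 56e51244e258c39293463c8cf02f5dddb085be90728fab147a60741cf014aa4d |
| AlertConf | PRESSURE CHOLLIMA | e0aa5ef3af26681a8c8b46d95656580779d0ff3c2fe531b95a59ee918686e443 |
| Jeus | GOLDEN CHOLLIMA | fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e |
| HTTPHelper | GOLDEN CHOLLIMA | ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9 |
| SnakeBaker | GOLDEN CHOLLIMA | b6995c31a7ee88392fc25fd6d1a3a7975b3cb4ec3a9a318c3fcfaaf89eb65ce1 |
| NodalBaker | GOLDEN CHOLLIMA | 0518a163b90e7246a349440164d02d10f31d514a7e5cce842b6cf5b3a0cc1bfa |
| PipeDown | GOLDEN CHOLLIMA | 2ef212f433b722b734d80b41a2364a41ca0453dbfe3e6ec8b951eca795075a02 |
| DevobRAT | GOLDEN CHOLLIMA | fde50c3a373ebc2661e08c99c1cb50dc34efc022a3880c317ab5b84108ef83aa |
| Anycon | GOLDEN CHOLLIMA | 2110a6e89d98a626f846ec8deccbac057300d194933ae0cbf1ef4831a4cc829e |
| CitriLoader | GOLDEN CHOLLIMA | d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b |
"""

HEX = set("0123456789abcdef")

def parse_ioc_table(text):
    """Map each SHA256 digest to (malware name, tuple of attributed adversaries)."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "Malware" or not set(cells[2]) - {"-"}:
            continue  # header row or the |---|---|---| separator
        name, attribution, digest = cells
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"malformed SHA256 for {name}: {digest!r}")
        # shared tooling (e.g. FudModule) lists several adversaries in one cell
        iocs[digest] = (name, tuple(a.strip() for a in attribution.split(",")))
    return iocs

def families_for(iocs, adversary):
    """Names of every family attributed, wholly or jointly, to one adversary."""
    return sorted({name for name, who in iocs.values() if adversary in who})

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def scan_directory(root, iocs):
    """Return (path, digest, malware, attribution) for every file whose digest is an IOC."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in iocs:
            name, who = iocs[digest]
            hits.append((str(path), digest, name, who))
    return hits

def demo_scan():
    """Self-check on constructed data: two harmless files go into a temp directory and
    one of them has its own digest registered as a synthetic (hypothetical) IOC."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "README.txt").write_bytes(b"constructed benign file\n")
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample, not malware\n")
        iocs = dict(parse_ioc_table(IOC_TABLE))
        iocs[sha256_file(sample)] = ("SyntheticTestSample", ("NONE",))  # not from the source
        return scan_directory(tmp, iocs)

if __name__ == "__main__":
    print(families_for(parse_ioc_table(IOC_TABLE), "PRESSURE CHOLLIMA"), demo_scan())
```

To sweep a real host, call `scan_directory("/path/to/sweep", parse_ioc_table(IOC_TABLE))` and feed any hits to your triage process; the parser raises on a malformed digest rather than silently dropping the row, so a copy-paste error in the table is caught before the sweep starts instead of producing a false negative.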
【Related roundup articles】
◆Overall roundup
◆Threat groups / Actor (roundup)
◆Targeted attack groups / APT (roundup)
◆Lazarus (roundup)
https://malware-log.hatenablog.com/entry/Lazarus