Labyrinth Chollima Expands Activity, Spawns Offshoots
2026-02-06 • PolySwarm
https://blog.polyswarm.io/labyrinth-chollima-expands-activity-spawns-offshoots
CrowdStrike’s tracking separates Labyrinth Chollima activity into core Labyrinth Chollima for espionage and the Golden Chollima and Pressure Chollima clusters for cryptocurrency theft, with shared origins in Kordll, Hawup, and related tooling. Golden Chollima is described as pursuing steady smaller-scale cryptocurrency theft through Jeus and Applejeus variants, malicious Python packages, recruitment fraud, cloud IAM manipulation, Chromium zero-days, Snakebaker, and Nodalbaker. Pressure Chollima is linked to larger cryptocurrency heists and sophisticated implants including Swdownloader, Sparkdownloader, Scuzzyfuss, and Twopence Electric delivered through malicious Node.js and Python projects. Core Labyrinth Chollima is framed as an espionage actor targeting manufacturing, defense, aerospace, logistics, shipping, and critical infrastructure, using Hoplight-lineage tooling, Fudmodule, vulnerable driver exploitation, Chrome and Windows zero-days, and messaging-platform social engineering.