Nowhere to Hide: Detecting SILENT CHOLLIMA’s Custom Tooling

2021-11-29 CrowdStrike

https://www.crowdstrike.com/blog/how-falcon-overwatch-detected-silent-chollima-custom-tooling/

CrowdStrike OverWatch observed SILENT CHOLLIMA activity inside a pharmaceutical organization after suspicious reconnaissance was launched through Smbexec under a Windows service account. The actor copied and executed low-prevalence binaries that CrowdStrike Intelligence identified as an updated Export Control dropper variant unique to SILENT CHOLLIMA. Follow-on tooling included GifStealer, which ran host and network reconnaissance commands and archived the output, and Valefor, a RAT used for file transfer and data collection. The intrusion also used Windows service creation for reboot persistence, placed tools and archived data in legitimate local directories, and removed evidence by deleting GifStealer archives and overwriting the binary. The case matters because expanded endpoint visibility exposed six additional compromised hosts and enabled containment of DPRK-linked activity that began from a system without sensor coverage.
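A defender-side illustration of the detection opportunity this summary describes, added here and not CrowdStrike's or OverWatch's code: it correlates constructed process-creation events to flag a host where a Windows service context ran a burst of reconnaissance commands and then archived the output. The reconnaissance and archiver command sets, the sample hosts, accounts, paths and timestamps are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
RECON = {"whoami", "hostname", "systeminfo", "ipconfig", "netstat", "net", "tasklist", "arp"}  # assumed recon set
ARCHIVERS = {"rar", "7z", "makecab", "tar"}  # assumed archiving utilities

def is_service_context(ev):
    # Machine/service accounts end in '$' or run as SYSTEM; parent services.exe means started as a service.
    user = ev["user"].upper()
    return user.endswith("$") or user == "NT AUTHORITY\\SYSTEM" or ev["parent"].lower() == "services.exe"

def command_name(cmdline):
    # Name of the command actually run, unwrapping a 'cmd.exe /Q /c' style prefix and any path.
    toks = [t for t in (x.strip('"') for x in cmdline.split()) if not t.startswith("/") and not t.lower().endswith("cmd.exe")]
    return toks[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe") if toks else ""

def detect(events, window=timedelta(minutes=10), min_recon=3):
    """One alert per host where a service context ran >= min_recon distinct recon commands within `window`."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if is_service_context(e):
            by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            seen, archived = set(), False
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                name = command_name(e["cmdline"])
                if name in RECON:
                    seen.add(name)
                elif name in ARCHIVERS and len(seen) >= min_recon:
                    archived = True  # recon output was packaged up after the burst
            if len(seen) >= min_recon:
                alerts.append({"host": host, "user": start["user"], "recon": sorted(seen), "archived": archived})
                break  # one alert per host is enough for triage
    return alerts

def ev(host, user, parent, secs, cmdline):  # helper for constructed sample events
    return {"host": host, "user": user, "parent": parent, "ts": datetime(2021, 11, 1, 3, 0) + timedelta(seconds=secs), "cmdline": cmdline}

SAMPLE = [  # constructed telemetry, not from the report
    ev("WS01", "CORP\\svc_app$", "services.exe", 0, "cmd.exe /Q /c whoami"),
    ev("WS01", "CORP\\svc_app$", "services.exe", 30, "cmd.exe /Q /c ipconfig /all"),
    ev("WS01", "CORP\\svc_app$", "services.exe", 70, "cmd.exe /Q /c net view"),
    ev("WS01", "CORP\\svc_app$", "services.exe", 95, "cmd.exe /Q /c systeminfo"),
    ev("WS01", "CORP\\svc_app$", "services.exe", 200, '"C:\\Windows\\Temp\\rar.exe" a out.rar C:\\Windows\\Temp\\r.txt'),
    ev("WS02", "CORP\\jdoe", "explorer.exe", 0, "whoami"),  # same commands from an interactive user: no alert
    ev("WS02", "CORP\\jdoe", "explorer.exe", 10, "ipconfig"),
    ev("WS02", "CORP\\jdoe", "explorer.exe", 20, "systeminfo"),
]
```

Running `detect(SAMPLE)` yields a single alert for WS01 with `archived` set, while WS02's identical commands under an interactive user produce nothing.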
