Riding with the Chollimas
2023-08-19 • Birmingham Cyber
https://docs.google.com/presentation/d/1mQuauuJCdDI9d_HfIvLdtk_vM4FU4v0AUmlTShV9_hI/
Riding with the Chollimas describes a 2023 investigation into QRLOG, a simple homemade RAT bundled inside a fake QR generator and later attributed by CrowdStrike with high confidence to Labyrinth Chollima. The malware hid base64-encoded code in a variable named QUIET_ZONE_DATA and opened a reverse shell; the public IOCs include the auth.pxaltonet[.]org and git-hub[.]me infrastructure. The researchers used cyber threat intelligence (CTI) and open-source intelligence (OSINT) to connect the C2 to DPRK-linked activity, then simulated contact with the actor and observed nearly 1,500 SSH brute-force attempts against the machine used for that outreach. The deck is useful because it shows how a low-complexity implant, infrastructure overlap, and the adversary's response behavior together supported attribution.