STARDUST CHOLLIMA | Threat Actor Profile

2018-04-06 CrowdStrike

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/


CrowdStrike profiles STARDUST CHOLLIMA as a targeted intrusion adversary with a likely DPRK nexus and a primary focus on generating funds through operations against financial institutions. The activity includes past campaigns abusing SWIFT systems and intrusions into global banking networks through strategic web compromise. The actor uses implants sharing the TwoPence code framework and applies evasion measures such as Enigma-protected code, password-protected executables, and secure deletion functions to remain hidden for long periods. CrowdStrike also notes suspected targeting of Latin America-based organizations since mid-2017 and technical similarities among WannaCry, Hawup variants, and TwoPence-based tools that may indicate shared DPRK development resources.
