Clankerusecase
Threat-actor profile

🇰🇵 Famous Chollima

🇰🇵 Famous Chollima is a tracked threat actor in the Clankerusecase corpus. Attributed to KP. Primary motivation: State. We map 14 detection use cases to this actor across 34 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-06-11 to 2026-06-11.

crit 1
14 Use cases
1 Articles
34 Techniques
0 IOCs

Known aliases

Famous Chollima

Top techniques

All other tracked techniques

Detection use cases (14)

Famous Chollima Contagious Interview — node.exe / npm spawning Python or curl with BeaverTail → InvisibleFerret loader strings [AI · profile] [SΣDD]
Famous Chollima IT Worker scheme — multiple remote-control agents (AnyDesk + Chrome Remote Desktop + RustDesk) co-installed on a single deve [AI · profile] [SDD]
Miasma worm GitHub commit-search C2 magic strings on command line or script [Bespoke]
Miasma supply-chain worm leaked repo clone, install or fetch [Bespoke]
Beaconing — periodic outbound to small set of destinations [Internal]
Suspicious browser extension installation [Internal]
Infostealer — non-browser process accessing browser cookie/login DBs [Internal]
Phishing-link click correlated to endpoint execution [Internal]
Email attachment opened from external sender [Internal]
Office app spawning script/LOLBin child process [Internal]
Remote service execution — PsExec / SMB lateral movement [Internal]
Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator [Internal]
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard [Internal]
OAuth consent / suspicious app grant [Internal]

Threat-intel articles (1)