Cybersecurity

Famous Chollima is a North Korean state-sponsored cyber threat actor active since at least 2018. The group is known for infiltrating organizations by posing as legitimate remote IT workers, enabling both revenue generation for the North Korean regime and cyber espionage activities.

The group is also tracked under several aliases, including:

  • NickelTapestry
  • PurpleBravo
  • TenaciousPungsan
  • UNC5267
  • VoidDokkaebi
  • WaterPlum
  • BadClone

Unlike traditional external threat actors, Famous Chollima infiltrates organizations from within by securing remote IT roles using fraudulent identities, fabricated resumes, and counterfeit qualifications. This approach allows the group to gain trusted access to internal systems while avoiding many conventional detection methods.

Real-Time Intelligence on Famous Chollima Activity

The Famous Chollima Intelligence Dashboard from ThreatConnect (now a part of Dataminr) provides security teams with centralized, real-time intelligence on Famous Chollima activity. The dashboard aggregates intelligence from multiple sources to help analysts monitor evolving infrastructure, track adversary behavior, and support faster operational response.

Key benefits include:

  • Centralized Intelligence — Compiles Famous Chollima-specific indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), and related intelligence from open-source reporting, threat feeds, and internal telemetry.
  • Real-Time Threat Tracking — Provides continuous visibility into Famous Chollima infrastructure, victimology trends, and newly observed techniques associated with the group.
  • Accelerated Investigation and Response — Supports faster triage and operational response through enriched intelligence and contextual analysis tied to adversary activity.
  • Customizable Reporting and Visualization — Delivers interactive visualizations, campaign timelines, and executive-ready reporting tailored to the evolving Famous Chollima threat landscape.
  • Automated Correlation Across Intelligence Sources — For organizations integrated with defensive technologies, automated workflows can correlate Famous Chollima-related IoCs against broader intelligence datasets, adversary profiles, and emerging threat activity to support prioritization and risk mitigation.

By leveraging the Famous Chollima Intelligence Dashboard, organizations can strengthen threat visibility, improve response speed, and better understand evolving nation-state activity tied to insider infiltration and cyber espionage operations.

Note: Organizations may require integrations with premium or commercial intelligence providers such as Mandiant, Recorded Future, or CrowdStrike to fully operationalize the dashboard and enrich analysis workflows.

Dashboard Components

The dashboard includes visibility into:

  • Indicators added after January 2024 that are associated with Famous Chollima activity
  • Breakdown of intelligence sources associated with those indicators
  • Related vulnerabilities, malware, campaigns, and intrusion activity
  • Reports tied to Famous Chollima and related aliases
  • MITRE ATT&CK® techniques associated with Famous Chollima activity
  • Common tags and operational themes associated with related intelligence objects
  • Threat actors associated with Chollima-linked aliases
  • Intelligence source breakdowns tied to associated threat actors
  • Techniques and TTPs connected to Famous Chollima operations

Further Resources

For additional reporting and analysis related to Famous Chollima activity, refer to the following resources:

  • Trend Micro: Research and analysis related to North Korean cyber operations and Famous Chollima activity
  • CrowdStrike: Reporting and case studies tied to adversary activity and operational trends

It’s important to remain vigilant against insider infiltration tactics and evolving nation-state tradecraft. Strengthening visibility across identity, operational behavior, and threat intelligence workflows is increasingly critical as these campaigns continue to evolve.

To gain access to the Famous Chollima Intelligence Dashboard, please contact your Customer Success representative.

September 23, 2025