Introduction
Silent Chollima, or APT45, also called Onyx Sleet, is one of North Korea’s most sophisticated and adaptable advanced persistent threat actors. The group fuses espionage activities with financially motivated operations, illustrating the shift in state-sponsored cyber activities from espionage into using intelligence collection, financial theft, and disruption as instruments of power. Emergent around 2013, Silent Chollima has targeted governmental entities, critical infrastructure, and the global financial system – representing a strategic asset to Pyongyang’s cyber capabilities. During 2024 and 2025, the group ramped up attacks against the healthcare sector, defense sector, and against cryptocurrency entities, utilizing both bespoke malware and legitimate tools to maintain their stealth. Silent Chollima fits into North Korea’s larger cyber strategy of mitigating the impacts of sanctions through either generating revenue for sanctioned programs, or acquiring intelligence on its adversaries.
Identity & Motivation
The term Silent Chollima is associated with the Democratic People’s Republic of Korea (DPRK). Chollima is taken from Korean myth and refers to a horse that flies over 1,000 li in a day (Korean mile), which is a fitting name for a team known for speed, adaptability, and a far reach in cyberspace.
The group’s primary objectives can be organized in two categories.:
1. Espionage: Collection of strategic intelligence from nation’s governments, defense contractors, and think tank organizations.
2. Financial Gain: Thievery (stealing money, cryptocurrencies) as part of help North Korea escape sanctions and materially support national programs, including nuclear weapons and missile programs.
Silent Chollima is different from other DPRK-affiliated teams, which mostly focus only on financial theft, in that they do act as a hybrid. Silent Chollima switches between espionage jobs and money-making efforts based, especially on the government’s political lines, needs, and economic needs.
TTPs: Methods, Tools, and Access Strategies
Silent Chollima adopts a combination of traditional APT techniques and unique approaches to target high-value victims.
– Initial Access: The group carries out spear-phishing campaigns with malicious links or fake job offers that appear to be recruitment-related, such as impersonating a recruiter or reputable organizations. The group also exploits vulnerabilities in VPNs and web applications.
– Persistence: Once inside a network, Silent Chollima persists with scheduled tasks, register changes, and custom malware families.
– Command and Control (C2): Instead of using questionable traffic and C2 communications over typical protocols and connections, the group tunnels C2 communications over HTTPS or through legitimate cloud services, including Dropbox or OneDrive.
– Malware Arsenal: Silent Chollima utilizes tools including DTrack, Maui ransomware, and KEYMARBLE to harvest credentials, conduct reconnaissance and encrypt files. These tools may also be connected to DPRK-linked operations, especially to those associated with the well-known Lazarus group of operations.
– Techniques: Silent Chollima relies extensively on living-off-the-land tactics, using PowerShell, CertUtil, and Windows Management Instrumentation (WMI) to avoid detection. In addition, Silent Chollima utilizes lateral movement utilizing SMB and RDP to escalate privileges and successfully exfiltrate data.
Overall, this evolution in techniques exemplifies a much more sophisticated trend in ATTACK – originating from traditional phishing to more complex, layered attacks that combined ransomware with intrusion and espionage.
Notable Operations
Silent Chollima’s operations are indicative of North Korea’s shifting focus and the impact of global events.
– 2018: DTrack Campaign – The group was engaged in a major infiltration campaign involving Indian financial institutions targeted at ATMs. It exhibited some technical overlap with Lazarus, and also established Silent Chollima’s presence in the North Korean cyber threat landscape.
– 2021: Healthcare Sector Infiltrations – During the COVID-19 pandemic, Silent Chollima would engage with hospitals and vaccine research laboratories to steal sensitive biomedical information and exploit healthcare networks for profit.
– 2023: Maui Ransomware – In 2023, the U.S. Department of Justice linked ransomware attacks on the healthcare sector to APT45, marking a notable pivot toward disruptive cybercrime.
– 2024: Credential Theft Campaigns – Using spear-phishing campaigns and known VPN vulnerabilities, it breached a variety of defense and technology contractors in the United States and South Korea.
– 2025: Cryptocurrency – Continuing its model of finance-driven cybercrime, Silent Chollima orchestrated large-scale thefts from cryptocurrency exchanges and used laundering techniques through mixers and decentralized platforms to conceal the stolen funds.
In every case presented, the group’s stated criminal intent is displayed along with the duality of operations through similar technical methods used to be instrumental in both espionage and cybercrime.
Recent Developments (2024–2025)
Recent developments indicate a significant growth in the ability and reach of Silent Chollima. Reports from ESET, Check Point, and CrowdStrike indicate that the group has developed cloud requirements-related persistence, using legitimate credentials as a basis to avoid detection. Through the use of trusted cloud services, and stolen identity tokens, Silent Chollima is able to maintain persistence even after common incident response efforts.
Simultaneously, the use of ransomware has also evolved. Rather than pursuing mass infection options, the group is now focused on targeting organizations that will produce either high financial gain, or intelligence value, reflecting a wider North Korean trend where APT actors are increasingly combining espionage efforts with ransomware techniques.
Silent Chollima has also demonstrated interest in supply chain manipulation. In late 2024, the group compromised software updates meant to install malware on downstream clients, similar to Russian and Chinese APT actions. These hybrids suggest possible knowledge sharing and/or efforts to develop similar hybrid capabilities among state actors.
Strategic Impact and Implications
Silent Chollima exemplifies a snapshot of contemporary state-sponsored threats that combine cybercrime and cyber espionage. This dual-purpose method makes it more difficult for policymakers to identify attribution and a response. For example, a financially motivated ransomware attack may result in intelligence gains or even fund a national imperative.
From a defense perspective, Silent Chollima’s effectiveness exposes vulnerabilities in organizations that rely on unpatched systems, substandard credential management, and limited monitoring of cloud services. The combination of espionage and crime requires defenders to view financially oriented intrusions as possible state-sponsored attacks, which complicates traditional responses.
In addition, the group’s sustained attacks on healthcare and financing represent a systemic risk. By incapacitating hospital networks or exploiting financial platforms, additional disruptions may achieve greater consequences for the DPRK.
Conclusion & Defensive Takeaways
Silent Chollima (APT45/Onyx Sleet) is now one of North Korea’s most effective cyber teams. Its combination of stealth, versatility, and dual, if not mixed objectives make it a notable threat to both public and private industries. The past ten years of activity reflect a clear trend; North Korea is adeptly evolving its cyber capabilities to advance strategic and financial objectives while maintaining plausible deniability.
Defensive Assessment:
– Utilize zero-trust architecture, ongoing, and privilege management.
– Update supporting technologies such as VPN, remote access solutions, and externally-exposed applications.
– Maintain awareness of suspicious behavior in cloud environments and legitimate file-sharing sites.
– Threat hunt against DPRK malware signatures such as Maui, DTrack, and KEYMARBLE.
– Increase user awareness campaigns to decrease the effectiveness of phishing and social engineering efforts.
The successful operation of Silent Chollima is due to its ability to adapt faster than its targets. Acquisition of information regarding its operational methodologies is the first step in mitigating the impact of one of the most adaptive and aggressive groups currently operating on the world stage.
You can download and review the sheet for all the details!
