Severity
HIGH
CVSS
9.5
Priority
1.000
Executive Summary
CrowdStrike's 2026 Financial Services Threat Landscape Report documents a coordinated, multi-actor assault on global financial institutions, with DPRK-affiliated groups stealing $2.02 billion in digital assets, a 51% year-over-year increase, while eCrime groups named 423 financial entities on ransomware leak sites and China-nexus actors conducted parallel intelligence collection operations. Hands-on-keyboard intrusions across the sector rose 43% year-over-year, driven by accelerating adversary breakout speeds and identity-focused attack paths that bypass traditional perimeter defenses. This report signals a structural shift: financial institutions now face simultaneous pressure from state-sponsored theft, espionage, and organized cybercrime, outpacing reactive defense models built for single-vector threats.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
Lazarus Group (DPRK-nexus), Scattered Spider (eCrime)
TTP Sophistication
HIGH
17 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Financial institutions, cryptocurrency exchanges, fintech platforms, insurance entities, Microsoft 365 environments
Are You Exposed?
⚠ Your industry is targeted by Lazarus Group (DPRK-nexus), Scattered Spider (eCrime) → Heightened risk
⚠ You use products/services from financial institutions → Assess exposure
⚠ 17 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
The $2.02 billion in DPRK-attributed cryptocurrency theft and the naming of 423 financial entities on ransomware leak sites represent direct revenue and liquidity risk for institutions operating in digital asset markets, fintech, and insurance — not theoretical exposure. Regulatory bodies including FinCEN, the SEC, and international equivalents are increasingly scrutinizing financial institutions' cyber resilience as a prudential risk factor, meaning a successful intrusion carries compounding consequences: operational disruption, customer notification obligations, and heightened supervisory attention. The 43% increase in hands-on intrusions signals that adversary dwell time and adaptability are outpacing the detection and response timelines most institutions have budgeted for, making the cost of delayed investment in identity and supply chain security measurably higher than the cost of proactive remediation.
You Are Affected If
Your organization operates as a cryptocurrency exchange, digital asset custodian, or fintech platform with direct exposure to crypto liquidity pools or wallet infrastructure
Your institution uses Microsoft 365 for enterprise collaboration and has external identity federation, third-party OAuth app grants, or help desk password reset processes without strong secondary verification
Your organization employs remote contractors or vendors onboarded without in-person identity verification — a direct exposure path for FAMOUS CHOLLIMA insider placement
Your software supply chain includes third-party financial software vendors or open-source dependencies without integrity verification at build or deployment time (CWE-494, CWE-426)
Your institution operates in or provides correspondent banking, trade finance, or debt services to developing market economies targeted by China-nexus intelligence collection
Board Talking Points
State-sponsored actors tied to North Korea stole $2.02 billion from financial institutions this year — a 51% increase — using identity theft and supply chain attacks that bypass conventional security controls.
We recommend an immediate audit of our MFA implementation, help desk verification procedures, and software supply chain integrity controls, with findings reported to the security committee within 30 days.
Institutions that delay investment in identity-focused defenses face compounding risk: adversaries are moving faster than reactive programs can respond, and regulators are beginning to treat cyber resilience as a direct measure of institutional soundness.
GLBA / Safeguards Rule — financial institutions subject to FTC or federal banking regulator oversight must implement specific safeguards for customer financial data; intrusions involving credential theft and session hijacking directly implicate Safeguards Rule compliance obligations
DORA (EU Digital Operational Resilience Act) — EU-regulated financial entities face mandatory ICT risk management, incident reporting, and third-party oversight requirements directly applicable to the supply chain and identity intrusion patterns documented in this report
NYDFS Part 500 (23 NYCRR 500) — New York-regulated financial institutions must maintain MFA for all privileged accounts and report material cybersecurity events within 72 hours; the MFA bypass and session hijacking TTPs in this report directly test Part 500 compliance
OFAC Sanctions Compliance — any institution processing cryptocurrency transactions should assess exposure to DPRK-linked wallets; OFAC has sanctioned specific Lazarus Group-associated addresses, and inadvertent transaction processing carries enforcement risk
Technical Analysis
CrowdStrike's 2026 Financial Services Threat Landscape Report presents a sector under sustained, multi-vector siege from three distinct adversary categories operating with increasing speed and sophistication.
DPRK-nexus actors, including Lazarus Group affiliates and FAMOUS CHOLLIMA, drove the most financially damaging campaigns.
Their $2.02 billion in digital asset theft, up 51% year-over-year, reflects a deliberate strategic mission: cryptocurrency and fintech platforms serve as sanctions-evasion infrastructure for the North Korean state.
These actors combined supply chain compromise (T1195, T1195.002) with credential theft and MFA bypass (T1621, T1550.001, CWE-287) to gain initial access, then used living-off-the-land tradecraft and legitimate remote access tooling (T1021.001, T1133) to persist and exfiltrate. The 43% increase in hands-on-keyboard intrusions reflects adversaries moving past automated tooling toward interactive sessions that evade behavior-based detections tuned for scripted attack patterns.
FAMOUS CHOLLIMA's insider threat tradecraft, placing operatives inside financial firms as remote employees, represents a particularly difficult detection problem. This vector exploits hiring processes, not technical controls, and maps directly to T1586 (Compromise Accounts) and T1657 (Financial Theft), with CWE-287 (Improper Authentication) as the underlying weakness when identity verification fails at onboarding.
eCrime actors, notably Scattered Spider, targeted Microsoft 365 environments and financial sector identity infrastructure with social engineering-led intrusion chains. Scattered Spider's hallmark is voice phishing and SMS-based MFA fatigue attacks (T1621) that bypass hardware token controls by targeting help desk operators directly. Session hijacking (T1539) and cookie theft follow successful social engineering, enabling lateral movement without password compromise. The group's targeting of 423 named financial entities on ransomware leak sites, not all confirmed as successful breaches, indicates a broad targeting posture and a willingness to pressure victims publicly before ransom payment.
China-nexus adversaries pursued a different objective: intelligence collection against developing market financial infrastructure. CrowdStrike did not attribute these operations to a specific named actor in the summary data provided. The observed targeting pattern (financial entities in emerging economies rather than direct theft) is consistent with publicly disclosed Chinese government interests in Belt and Road financial infrastructure, though attribution is inferred from targeting, not from technical or operational indicators. Techniques observed include phishing (T1566), exploitation of public-facing applications (T1190), and data archival before exfiltration (T1560).
Across all three adversary categories, the report identifies identity as the primary attack surface. Credential theft, MFA bypass, session hijacking, and valid account abuse (T1078) collectively represent the dominant intrusion pathway. CWE-494 (Download of Code Without Integrity Check) and CWE-426 (Untrusted Search Path) appear in supply chain-linked intrusions, consistent with DPRK tradecraft observed in prior cryptocurrency platform compromises. AI-assisted social engineering, generating convincing synthetic personas, scripted vishing calls, and tailored spearphishing content, is cited as a compounding factor accelerating the effectiveness of identity-focused attacks.
The report's core defensive implication: controls optimized for known-malware detection and network-perimeter blocking are structurally mismatched against adversaries who authenticate legitimately, move interactively, and adapt in real time. Identity governance, behavioral detection in authentication pipelines, and insider threat programs are no longer optional capabilities for financial institutions.
Action Checklist (IR enriched)
Triage Priority:
IMMEDIATE
Escalate to CISO, legal counsel, and external IR retainer immediately if any of the following are confirmed: (1) M365 OAuth token issued to unrecognized service principal with Microsoft Graph Mail.Read or Files.ReadWrite scope — indicator of Lazarus-style T1550.001 session hijacking; (2) remote employee VPN source IP resolves to DPRK, Chinese, or known FAMOUS CHOLLIMA proxy infrastructure; (3) outbound transfer of cryptocurrency assets to addresses on OFAC SDN list — triggers mandatory SAR filing with FinCEN within 30 days under 31 CFR 1020.320; (4) EDR alert on any endpoint touching crypto custody systems matching Lazarus Group process injection or BlindingCan/BLINDINGCAN implant signatures.
Step 1: Assess exposure. Inventory all cryptocurrency custody, trading, and fintech platform integrations; identify any Microsoft 365 tenant exposure to external identity federation or third-party app grants that could be abused for session hijacking.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Establish IR capability, asset visibility, and pre-incident resource mapping aligned to CSF [GV, ID, PR] functions
NIST IR-4 (Incident Handling) — implement handling capability with preparation as foundational phase
NIST SI-4 (System Monitoring) — establish visibility into M365 OAuth app grants and federation trust relationships
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory) — enumerate all crypto custody endpoints, trading platform API integrations, and fintech connectors
CIS 2.1 (Establish and Maintain a Software Inventory) — catalog third-party M365 app registrations and delegated permission scopes
Compensating Control
Run the free Microsoft 365 'EntraID App Audit' via PowerShell (the Graph session needs a scope that can read service principals, e.g. Application.Read.All): Connect-MgGraph -Scopes 'Application.Read.All'; Get-MgServicePrincipal -All | Where-Object {$_.KeyCredentials -or $_.PasswordCredentials} | Select-Object DisplayName, AppId, SignInAudience | Export-Csv m365_app_audit.csv. For on-premises crypto platform integrations, use osquery with the query 'SELECT * FROM listening_ports WHERE port IN (8332,8333,30303,9000)' to fingerprint blockchain node listeners. Cross-reference against the CIS 1.1 asset inventory.
Preserve Evidence
Before remediating M365 app grants, preserve: Azure AD Audit Logs (AuditLogs table in Log Analytics) filtering on 'Add OAuth2PermissionGrant' and 'Consent to application' operations; M365 Unified Audit Log entries for 'Add service principal credentials' events; EntraID Sign-in Logs filtered on ServicePrincipalSignIns for non-interactive auth with resource = 'Microsoft Graph' (indicator of token abuse by Lazarus-style implants); exported JSON of all OAuth2PermissionGrants via MS Graph API GET /oauth2PermissionGrants before any revocation action.
Step 2: Review controls. Audit MFA implementation across all privileged and customer-facing access paths; verify help desk identity verification procedures cannot be bypassed via voice phishing or SMS; confirm EDR coverage on all endpoints with access to financial transaction systems; validate software supply chain integrity checks (code signing, dependency verification) to address CWE-494 and CWE-426.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Pre-incident control validation and gap remediation to reduce dwell time when Scattered Spider or FAMOUS CHOLLIMA TTPs are employed against identity and supply chain entry points
NIST IA-3 (Device Identification and Authentication) — enforce phishing-resistant MFA (FIDO2/passkeys) not bypassable via SS7 or voice social engineering used by Scattered Spider
NIST SI-7 (Software, Firmware, and Information Integrity) — enforce code signing verification and dependency hash checking to counter CWE-494 (Download of Code Without Integrity Check) and CWE-426 (Untrusted Search Path) exploited in supply chain intrusions
NIST SI-2 (Flaw Remediation) — validate patch state of all endpoints in financial transaction processing paths
CIS 6.3 (Require MFA for Externally-Exposed Applications) — enforce MFA on all customer-facing and privileged access paths; SMS OTP is insufficient against Scattered Spider SIM-swap capability
CIS 6.5 (Require MFA for Administrative Access) — require phishing-resistant MFA for all admin accounts, specifically M365 Global Admin and privileged identity management roles
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — include supply chain dependency scanning in vuln management scope
Compensating Control
For help desk bypass validation: conduct tabletop simulation where red team calls help desk posing as executive requesting MFA reset — document whether out-of-band identity verification (manager callback, government ID, hardware token possession) is enforced. For supply chain integrity without enterprise tooling: implement 'pip-audit' for Python dependencies and 'npm audit' for Node.js; use OSSEC or Wazuh (free) file integrity monitoring on directories containing trading platform binaries with SHA-256 baseline hashing via 'sha256sum -c checksums.txt' in cron. For EDR gap identification: run Sysmon with SwiftOnSecurity config and validate coverage by checking 'Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational' returns events from all endpoints touching payment rails.
Preserve Evidence
Preserve before audit: Windows Security Event Log Event ID 4625 (Failed Logon) and 4648 (Explicit Credential Logon) from help desk workstations and IT admin systems — Scattered Spider pivots through compromised help desk accounts; M365 MFA registration events from EntraID Audit Log ('User registered security info' operations) to identify accounts with only SMS MFA enrolled; Sysmon Event ID 11 (File Create) logs from software build directories and deployment pipelines to establish baseline for supply chain tampering detection; npm/pip dependency lock files (package-lock.json, requirements.txt) current state before any remediation for forensic comparison if a supply chain compromise is later discovered.
Step 3: Update the threat model. Add Lazarus Group, FAMOUS CHOLLIMA, and Scattered Spider TTPs to your threat register; map T1621 (MFA Request Generation), T1550.001 (Pass the Cookie), T1539 (Steal Web Session Cookie), and T1195.002 (Compromise Software Supply Chain) against your current detection coverage gaps.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Threat modeling and detection engineering prerequisite to DE.AE-07 (integrate CTI into adverse event analysis) and DE.AE-02 (analyze potentially adverse events with threat context)
NIST RA-3 (Risk Assessment) — formally assess likelihood and impact of Lazarus Group and Scattered Spider TTPs against your specific crypto custody and M365 environment
NIST SI-5 (Security Alerts, Advisories, and Directives) — ingest CISA advisories on DPRK financial sector operations (AA24-038A and related) as authoritative TTP source
NIST IR-8 (Incident Response Plan) — update IR plan to include DPRK crypto theft and Scattered Spider identity attack playbook branches
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — integrate ATT&CK TTP mapping into vuln management prioritization to surface T1195.002 supply chain exposure
Compensating Control
Deploy Sigma rules (free, community-maintained) for each mapped technique: use 'sigma/rules/cloud/azure/azure_ad_mfa_fatigue.yml' for T1621 MFA push fatigue detection against Entra ID logs; use 'sigma/rules/windows/process_creation/proc_creation_win_browsers_credential_dump.yml' variants for T1539 cookie theft via browser process injection. Convert Sigma to native query format with 'sigma convert -t splunk' or 'sigma convert -t elasticsearch'. For T1550.001 Pass-the-Cookie, implement conditional access policy in M365 requiring compliant device claim on all session tokens — this is free within M365 E3/E5 licensing. Map coverage gaps manually in a spreadsheet using MITRE ATT&CK Navigator (free web tool at attack.mitre.org/resources/attack-navigator/) exported as JSON layer.
Preserve Evidence
Preserve before threat model update: current SIEM/log query outputs showing which of T1621, T1550.001, T1539, T1195.002 generate zero alerts in the last 90 days — these gaps are forensic evidence of pre-existing blind spots; M365 Conditional Access policy export (Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json) as baseline snapshot; current EDR exclusion lists from all endpoints touching crypto wallets or trading APIs — Lazarus tooling frequently exploits AV/EDR exclusion paths to maintain persistence.
Step 4: Audit insider threat and hiring controls. Validate remote employee identity verification processes against FAMOUS CHOLLIMA's documented tactic of placing operatives inside financial firms; review contractor and vendor onboarding identity assurance procedures.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection & Analysis: Identify indicators of insider placement via behavioral anomaly analysis aligned to DE.CM-03 (monitor personnel activity and technology usage for anomalous patterns)
NIST IR-4 (Incident Handling) — extend incident handling scope to include insider threat as a distinct incident category with FAMOUS CHOLLIMA operative placement as a named scenario
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — conduct structured review of remote employee activity logs for FAMOUS CHOLLIMA behavioral indicators: anomalous git commit patterns, code exfiltration to personal repos, VPN geolocation inconsistencies
NIST PS-3 (Personnel Screening) — validate that background checks for remote hires include live video identity verification against government-issued ID, not just document submission
CIS 5.1 (Establish and Maintain an Inventory of Accounts) — enumerate all remote contractor and vendor accounts; identify accounts with access to source code repositories, financial transaction systems, or crypto key management
Compensating Control
For behavioral detection without a UEBA platform: query M365 Audit Logs for remote employees exhibiting FAMOUS CHOLLIMA indicators — 'Search-UnifiedAuditLog -Operations FileDownloaded,FileCopied -ResultSize 1000' filtered on users with >500 file downloads in 24 hours; for git-based exfiltration, enable GitHub/GitLab audit log streaming and alert on 'git clone' or 'git archive' operations outside business hours from new IP ranges. For identity verification of existing remote employees, implement a surprise live video check policy requiring government ID alongside face match — free to operationalize with existing video conferencing tools. Cross-reference employee-provided addresses against OFAC SDN list using free OFAC sanctions search API for contractor onboarding.
Preserve Evidence
Preserve before any HR or access actions: M365 Unified Audit Log entries for the target employee accounts covering 90 days of FileAccessed, FileDownloaded, and SensitiveFileAccessed operations; git repository audit logs showing commit authorship email addresses (FAMOUS CHOLLIMA operatives have been documented using multiple persona emails on single accounts); VPN connection logs showing geolocation of remote employee connections — IP addresses resolving to China, Russia, or DPRK proxy infrastructure are documented FAMOUS CHOLLIMA indicators; employee-submitted identity documents and video interview recordings if available — preserve as potential evidence chain for law enforcement referral.
Step 5: Communicate findings. Brief leadership on the 43% increase in hands-on intrusions and the $2.02 billion in sector-wide DPRK crypto theft as evidence that adversary tempo now exceeds reactive defense cycles; present specific gaps in identity and supply chain controls as the prioritized investment case.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Lessons learned communication and investment prioritization to update policies and improve detection capability, mapped to CSF [GV, ID] governance functions
NIST IR-6 (Incident Reporting) — establish reporting cadence to leadership that includes sector-level threat intelligence alongside organization-specific gap findings
NIST IR-8 (Incident Response Plan) — use gap findings to formally update IR plan investment priorities and resource allocation, specifically for identity and supply chain controls
NIST RA-3 (Risk Assessment) — present quantified risk: $2.02B sector theft and 43% intrusion increase translates to specific residual risk exposure for leadership to approve or accept
CIS 7.2 (Establish and Maintain a Remediation Process) — formalize risk-based remediation prioritization with identity gaps (MFA bypass, session hijacking) and supply chain gaps (CWE-494, CWE-426) ranked by FAMOUS CHOLLIMA and Lazarus Group exploitation likelihood
Compensating Control
For teams without a formal GRC platform: produce a one-page executive risk brief using the NIST CSF 2.0 Organizational Profile format (free template at nist.gov/cyberframework) — map each identity and supply chain gap to a CSF Function/Category with current vs. target maturity. Quantify investment case using FS-ISAC's published average cost of a financial sector breach rather than proprietary data. Share brief via encrypted email with audit trail — do not distribute sector intelligence data (CrowdStrike report findings) via unencrypted channels.
Preserve Evidence
Compile before leadership brief: output of M365 app audit from Step 1, MFA enrollment gap report from Step 2, and ATT&CK coverage gap layer from Step 3 as appendices — these are your organization-specific evidence that sector-level threat is locally relevant; document any open audit findings from prior assessments that overlap with Lazarus/Scattered Spider TTPs as evidence of known-unmitigated risk; retain all evidence artifacts in tamper-evident storage (write-once log archive or hashed ZIP with documented chain of custody) per NIST AU-9 (Protection of Audit Information) in case findings later support regulatory disclosure.
Step 6: Monitor developments. Track CrowdStrike's published IOC releases for this report (https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-financial-services-threat-landscape-report/), CISA advisories referencing DPRK financial sector operations, FinCEN enforcement actions (https://www.fincen.gov/enforcement-history), and OFAC sanctions (https://ofac.treasury.gov/specially-designated-nationals-list) related to DPRK cryptocurrency theft; watch for Scattered Spider indictment follow-on disclosures affecting named financial targets.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Continuous intelligence integration to update detection and share findings, aligned to DE.AE-07 (integrate CTI into adverse event analysis) and RS.MA-01 (coordinate IR with relevant third parties)
NIST SI-5 (Security Alerts, Advisories, and Directives) — establish formal process to receive and act on CISA DPRK advisories (AA24-038A series) and FinCEN/OFAC DPRK cryptocurrency enforcement notices within defined SLA
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — integrate newly published Lazarus Group and Scattered Spider IOCs into log review queries within 24 hours of CISA advisory publication
NIST IR-5 (Incident Monitoring) — track and document sector-wide incident disclosures from Scattered Spider indictment proceedings as external incident intelligence informing your own monitoring posture
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — incorporate IOC feeds from CrowdStrike, CISA, and FS-ISAC into vulnerability and threat management process as standing input sources
Compensating Control
Subscribe to CISA's free email alerts at cisa.gov/news-events/cybersecurity-advisories filtered for 'North Korea' and 'financial sector' keywords. Ingest CrowdStrike published IOCs (when released) into MISP (free open-source threat intelligence platform) and auto-export to Sigma rules or Suricata rules for network-layer detection. Monitor OFAC SDN list updates via free RSS feed or OFAC API for newly sanctioned DPRK-linked cryptocurrency addresses — block these at firewall/crypto gateway within 24 hours of addition per OFAC compliance obligation. Set Google Alerts for 'Scattered Spider indictment' and 'DPRK cryptocurrency financial' for passive intelligence collection at zero cost.
Preserve Evidence
Establish and preserve ongoing evidence collection: retain all CISA advisories and IOC feeds as dated, archived PDFs with hash verification (sha256sum) to establish compliance audit trail for regulatory examiners; maintain a rolling 90-day Suricata/Zeek PCAP index on perimeter traffic filtered for known Lazarus C2 IP ranges published in CISA advisories — this constitutes forensic evidence if a compromise is later confirmed; document all OFAC-sanctioned DPRK cryptocurrency addresses blocked at your gateway with timestamps — FinCEN examination may require evidence of sanctions compliance monitoring as a regulatory obligation for covered financial institutions.
Recovery Guidance
Post-containment, rotate all M365 service principal credentials and OAuth refresh tokens (not just access tokens) before restoring normal operations, as Lazarus Group is documented as maintaining persistent access via refresh token abuse even after initial credential rotation. For any crypto custody or trading platform accounts, assume session cookies are compromised and force full re-authentication with phishing-resistant MFA for all users; do not rely on existing session state. Monitor M365 Sign-in Logs and crypto platform transaction logs continuously for 30 days post-recovery, specifically watching for ServicePrincipalSignIns from previously unseen ASNs and any transaction authorization requests initiated outside normal business hours, which is a documented Lazarus Group operational pattern.
Key Forensic Artifacts
M365 Unified Audit Log — 'Add OAuth2PermissionGrant' and 'Consent to application' events correlating to Lazarus Group T1550.001 (Pass the Cookie) and T1539 (Steal Web Session Cookie) via malicious OAuth app registration; retain minimum 90 days per FinCEN BSA requirements
EntraID Non-Interactive Sign-in Logs — ServicePrincipalSignIns with resource='Microsoft Graph' and clientAppUsed='Other clients' from anomalous ASNs; these are left by automated Lazarus tooling using stolen OAuth tokens after initial session hijacking
Sysmon Event ID 10 (Process Access) logs on endpoints running crypto wallet software or trading platform clients — Lazarus Group implants inject into browser processes (chrome.exe, firefox.exe) specifically to steal session cookies via ReadProcessMemory; filter on GrantedAccess=0x1010 targeting browser PIDs
Git repository audit logs (GitHub Enterprise, GitLab, Bitbucket) showing 'git archive', 'git clone --mirror', or large blob downloads outside business hours by accounts matching FAMOUS CHOLLIMA insider placement profile — specifically accounts with mismatched timezone activity vs. declared work location
Cryptocurrency gateway transaction logs and blockchain mempool monitoring exports for outbound transfers to addresses matching OFAC SDN list entries or CrowdStrike/Chainalysis published Lazarus Group wallet clusters — these constitute mandatory SAR evidence if DPRK nexus is confirmed
Detection Guidance
Detection priorities for this threat landscape fall into four categories, ordered by observed adversary prevalence.
**Identity and Authentication Anomalies:** Hunt for MFA push fatigue patterns: repeated authentication requests to the same user within short windows (T1621). Flag out-of-hours logins from new geographic locations or ASNs not associated with the user's baseline. Monitor for session token reuse from IP addresses inconsistent with the authentication origin (T1550.001, T1539). In Microsoft 365 environments, audit OAuth application consent grants, service principal activity, and mailbox delegation changes; Scattered Spider frequently abuses these post-access.
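The two identity hunts above (push fatigue, and a session token surfacing from a network other than the one that authenticated) can be expressed as small sliding-window and origin-tracking checks. The code below is an added example, not part of the CrowdStrike report; the 5-prompts-in-10-minutes threshold, the ASN-level comparison and all sign-in records are constructed assumptions shaped like Entra ID sign-in log fields.

```python
"""Worked detections for the identity-anomaly priorities: MFA push fatigue (T1621) and
session token reuse from an ASN that differs from the authentication origin
(T1550.001 / T1539). Sign-in records are constructed to resemble Entra ID sign-in log
fields; they are sample data, not real logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MFA_WINDOW = timedelta(minutes=10)
MFA_THRESHOLD = 5   # assumed: MFA prompts to one user inside the window before alerting


def detect_mfa_fatigue(events, window=MFA_WINDOW, threshold=MFA_THRESHOLD):
    """One alert per user whose MFA prompt count reaches `threshold` inside `window`.
    Denied, timed-out and approved prompts all count: the approval is the moment a
    fatigue attack succeeds, so the alert records whether one occurred."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, mfa_result) inside the window
    alerts = {}                    # user -> alert dict
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("mfa_result") not in ("denied", "timeout", "approved"):
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["user"]]
        q.append((t, ev["mfa_result"]))
        while q and t - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.setdefault(ev["user"], {
            "user": ev["user"], "first": q[0][0].isoformat(), "prompts": 0, "approved": False})
        a["prompts"] = max(a["prompts"], len(q))
        a["last"] = t.isoformat()
        a["approved"] = a["approved"] or ev["mfa_result"] == "approved"
    return list(alerts.values())


def detect_session_reuse(events):
    """Flag non-interactive use of a session whose interactive sign-in came from a
    different ASN (ASN rather than IP, so carrier/DHCP address churn stays quiet),
    and sessions used without any interactive sign-in on record at all."""
    origin = {}   # session_id -> (ip, asn) of the interactive sign-in that minted it
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev.get("session_id")
        if not sid:
            continue
        if ev["interactive"]:
            origin[sid] = (ev["ip"], ev["asn"])
            continue
        seen = origin.get(sid)
        if seen is None:
            alerts.append({"user": ev["user"], "session_id": sid, "seen_ip": ev["ip"],
                           "origin_ip": None, "reason": "no interactive sign-in on record"})
        elif seen[1] != ev["asn"]:
            alerts.append({"user": ev["user"], "session_id": sid, "seen_ip": ev["ip"],
                           "origin_ip": seen[0], "reason": "ASN differs from origin"})
    return alerts


def ev(time, user, ip, asn, interactive=False, session_id=None, mfa_result=None):
    """Build one constructed sign-in record."""
    return dict(time=time, user=user, ip=ip, asn=asn, interactive=interactive,
                session_id=session_id, mfa_result=mfa_result)


# Constructed sample (RFC 5737 documentation IPs, RFC 5398 documentation ASNs):
# alice is push-bombed six times from 02:00 and approves at 02:09; her session is then
# replayed at 03:30 from another ASN. bob is a normal user whose address changes within
# the same carrier ASN. carol's session has no interactive sign-in on record at all.
EVENTS = (
    [ev(f"2026-03-01T02:{m:02d}:00", "alice", "203.0.113.10", "AS64500", True, None, "denied")
     for m in (0, 1, 2, 4, 6, 8)]
    + [
        ev("2026-03-01T02:09:00", "alice", "203.0.113.10", "AS64500", True, "s-alice-1", "approved"),
        ev("2026-03-01T03:30:00", "alice", "198.51.100.77", "AS64511", False, "s-alice-1"),
        ev("2026-03-01T09:15:00", "bob", "192.0.2.5", "AS64496", True, None, "denied"),
        ev("2026-03-01T09:16:00", "bob", "192.0.2.5", "AS64496", True, "s-bob-1", "approved"),
        ev("2026-03-01T09:40:00", "bob", "192.0.2.9", "AS64496", False, "s-bob-1"),
        ev("2026-03-01T04:00:00", "carol", "198.51.100.80", "AS64511", False, "s-carol-9"),
    ]
)

if __name__ == "__main__":
    for a in detect_mfa_fatigue(EVENTS):
        print("MFA fatigue:", a)
    for a in detect_session_reuse(EVENTS):
        print("Session reuse:", a)
```

In production the same logic runs over exported sign-in rows, with the threshold and window tuned against the tenant's own prompt rate so that legitimate users who fumble a push a few times do not page the SOC.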
**Help Desk and Identity Verification:** Review call logs and ticket records for password reset and MFA re-enrollment requests that were approved without secondary identity verification. Scattered Spider's initial access frequently routes through help desk social engineering; detection requires process audit, not just log review.
**Supply Chain and Execution Integrity:** Alert on unsigned or newly appearing executables in financial application directories (CWE-494, T1574.001). Monitor for DLL search order hijacking indicators: unexpected DLLs loaded from user-writable paths by privileged processes (T1574.001, CWE-426). Flag software update processes that retrieve payloads over unencrypted channels or from domains registered within the last 90 days.
**Insider Threat Indicators:** For remote employees, establish behavioral baselines: working hours, systems accessed, data volumes transferred. Alert on access to systems outside job function, large internal data transfers, or attempts to enumerate financial transaction databases without a support ticket. FAMOUS CHOLLIMA operatives tend to access high-value data quickly after onboarding.
**Log Sources to Prioritize:** Azure AD / Entra ID sign-in logs and audit logs; endpoint telemetry for process creation chains involving scripting engines (PowerShell, cmd.exe) launched by financial application parent processes; network logs for C2 beaconing patterns (T1071), particularly HTTPS to low-reputation domains with high beacon regularity; email gateway logs for spearphishing delivery (T1566) targeting finance and treasury staff.
**Specific IOCs:** CrowdStrike's published report contains C2 infrastructure indicators, payload hashes, and tool signatures associated with these campaigns. Security teams should retrieve these directly from the CrowdStrike 2026 Financial Services Threat Landscape Report blog post (https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-financial-services-threat-landscape-report/). Note: Additional IOC feeds may be available through the CrowdStrike Adversary Intelligence portal, which may require subscription. Validate IOC recency before operational use.
Indicators of Compromise (1)
Type: TOOL
Value: Pending — refer to CrowdStrike 2026 Financial Services Threat Landscape Report for published indicators
Enrichment Context: C2 infrastructure indicators, payload hashes, and tool signatures associated with Lazarus Group, FAMOUS CHOLLIMA, and Scattered Spider campaigns are documented in the CrowdStrike report and Adversary Intelligence portal; specific values were not included in the summary data provided for this analysis
Confidence: LOW
Platform Playbooks
Playbooks are provided for Microsoft Sentinel / Defender, CrowdStrike Falcon, and AWS Security. The Microsoft queries below depend on licensing tier:
- Microsoft 365 E3 (3 log sources): basic identity and audit logs only; no endpoint advanced hunting. Defender for Endpoint requires a separate P1/P2 license.
- Microsoft 365 E5 (18 log sources): full Defender suite (Endpoint P2, Identity, Office 365 P2, Cloud App Security) with advanced hunting across all workloads.
- E5 + Sentinel (27 log sources): all E5 tables plus SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence), with analytics rules, playbooks, and workbooks.
Check coverage before deploying: the Device* tables (DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents) require Defender for Endpoint, EmailEvents requires Defender for Office 365 Plan 2, and CommonSecurityLog and SigninLogs require the corresponding Sentinel data connectors.
IOC Detection Queries (1)
No tool name was supplied in the summary data, so the query below is a template: set AttackTool to the tool or binary name published in the CrowdStrike report before running it. Once populated, any execution of the named attack tool is suspicious, since it is not a legitimate system binary.

```kql
// Threat: Financial Services Under Siege: DPRK Crypto Heists, China Espionage, and eCrime
// Attack tool: pending, refer to the CrowdStrike 2026 Financial Services Threat Landscape Report for published indicators
// Context: C2 infrastructure indicators, payload hashes, and tool signatures associated with Lazarus Group,
// FAMOUS CHOLLIMA, and Scattered Spider campaigns are documented in the CrowdStrike report and Adversary Intelligence portal
let AttackTool = "<tool name from the CrowdStrike report>";   // placeholder; replace before use
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ AttackTool
    or ProcessCommandLine has AttackTool
    or InitiatingProcessCommandLine has AttackTool
| project Timestamp, DeviceName, FileName, FolderPath,
    ProcessCommandLine, AccountName, AccountDomain,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```
MITRE ATT&CK Hunting Queries (7)
Sentinel rule: Phishing email delivery

```kql
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
// One row per message and recipient already; project the counts directly instead of re-aggregating them
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject,
    AttachmentCount, UrlCount, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
```
Sentinel rule: Unusual C2 communication patterns

```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
// Successful outbound connections to public addresses only; failed and internal traffic inflates the counts
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
```

This rule surfaces high-volume destinations per process; it does not measure interval regularity, so pair it with destination reputation or an interval-jitter calculation before treating a hit as beaconing.
Sentinel rule: Lateral movement via RDP / SMB / WinRM

```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
// Tune: exclude vulnerability scanners, management servers and jump hosts that legitimately fan out
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
```
Sentinel rule: Web application exploit patterns

```kql
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
    or RequestURL has_any ("../", "..\\", "<script", "UNION SELECT", "${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
```
Sentinel rule: Sign-ins from unusual locations

```kql
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"   // ResultType is a string column in SigninLogs; "0" is a successful sign-in
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
```
Sentinel rule: Ransomware activity

```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
// KQL has no endswith_any operator; match the ransom extensions with a case-insensitive anchored regex instead
| where FileName matches regex @"(?i)\.(encrypted|locked|crypto|crypt|enc|ransom)$"
| summarize RenamedFiles = count() by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where RenamedFiles > 20
| sort by RenamedFiles desc
```
Sentinel rule: Security tool tampering

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
    "Set-MpPreference", "DisableRealtimeMonitoring",
    "net stop", "sc stop", "sc delete", "taskkill /f",
    "Add-MpPreference -ExclusionPath"
)
| where ProcessCommandLine has_any ("defender", "sense", "security", "antivirus", "firewall", "crowdstrike", "sentinel")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
```
CrowdStrike Falcon: no actionable IOCs for import (benign/contextual indicators excluded).
AWS Security: no hard IOCs available for detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
- MITRE ATT&CK: T1566, T1195, T1071, T1021.001, T1190, T1133 (11 more; see the full mapping below)
- NIST SP 800-53: AT-2, CA-7, SC-7, SI-3, SI-4, SI-8 (21 more not shown on the page)
- Requirement IDs 6.3, 6.4, 6.5 (framework not labeled on the page)
- Safeguard IDs 2.5, 2.6, 14.2 (1 more not shown; framework not labeled on the page)
- HIPAA Security Rule: 164.312(d), 164.308(a)(7)(ii)(A)
MITRE ATT&CK Mapping
- T1566 Phishing (initial-access)
- T1195 Supply Chain Compromise (initial-access)
- T1071 Application Layer Protocol (command-and-control)
- T1021.001 Remote Desktop Protocol (lateral-movement)
- T1190 Exploit Public-Facing Application (initial-access)
- T1133 External Remote Services (persistence)
- T1550.001 Application Access Token (defense-evasion)
- T1195.002 Compromise Software Supply Chain (initial-access)
- T1560 Archive Collected Data (collection)
- T1078 Valid Accounts (defense-evasion)
- T1486 Data Encrypted for Impact (impact)
- T1539 Steal Web Session Cookie (credential-access)
- T1562 Impair Defenses (defense-evasion)
- T1621 Multi-Factor Authentication Request Generation (credential-access)
- T1586 Compromise Accounts (resource-development)
- T1657 Financial Theft (impact)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.