The group's primary motivations have historically revolved around strategic espionage to support North Korea's military and nuclear programs. This includes stealing technical, military, and industrial intellectual property. More recently, their tactics have expanded to include large-scale extortion and ransomware campaigns, likely to generate revenue and fund further operations.

To achieve their goals, Silent Chollima operators utilize a range of techniques to gain and maintain access to target networks.

• Initial Access: They frequently use spear-phishing emails containing malicious attachments (like LNK, HTA, or weaponized Office documents). They are also known for conducting watering-hole attacks and exploiting internet-facing services, such as web servers, using both zero-day and N-day vulnerabilities like the Log4Shell family and TeamCity CVE-2023-42793.

• Persistence and Lateral Movement: Once inside a network, the group uses scheduled tasks, abuses Remote Monitoring and Management (RMM) tools, and deploys custom backdoors to maintain persistence. For lateral movement, they rely on credential dumping with tools like Mimikatz and create proxies or tunnels using open-source software like Ngrok and Chisel.

Silent Chollima's procedures often involve a mix of custom and publicly available tools.

• Web Shells: After exploiting a web server, they commonly deploy web shells to ensure persistent access and facilitate further commands.

• Custom Malware: The group uses a distinct arsenal of custom malware, including backdoors and RATs like Dtrack (Preft), Dora RAT, and TigerRAT.

• Commodity Tools: They supplement their custom tools with open-source and commodity software like Sliver, masscan, and PuTTY/Plink to carry out their attacks.

• Extortion: In ransomware campaigns, they exfiltrate large volumes of sensitive data before deploying encryption malware, then use the threat of public data leaks to extort victims.