Company:
Date Published:
Author: -
Word count: 1964
Language: English
Hacker News points: None

Summary

CrowdStrike's OverWatch threat hunting team recently uncovered a sophisticated intrusion by the North Korean threat actor group SILENT CHOLLIMA, targeting a pharmaceutical organization. The adversary utilized the Smbexec tool for covert execution and employed a variety of custom tools, including the information stealer GifStealer and the remote access tool Valefor, to conduct reconnaissance and data collection. Despite the absence of CrowdStrike Falcon sensors on some hosts, OverWatch quickly collaborated with the victim organization to expand sensor coverage and successfully identify additional compromised hosts. This proactive threat hunting and rapid deployment of Falcon sensors were crucial in containing and removing the threat actor from the network. OverWatch emphasized the importance of comprehensive endpoint protection and recommended monitoring service account activity, service creation events, and remote user connections to prevent similar intrusions.