lazarusholic


VELVET CHOLLIMA Infostealer Campaign Using Trading App as Lure

2026-05-14, HybridAnalysis
https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html
#VelvetChollima

Author(s): Vlad Pasca, Radu-Emanuel Chiscariu
Executive Summary
A fake cryptocurrency trading app, Tralert FX, was used to distribute a multi-module infostealer that had only 3/52 AV detections, helped by a valid EV code signing certificate issued to AgilusTech LLC, a likely front company.
The MSI installer contained hardcoded SSH credentials and GitLab tokens, exposing the threat actor's entire backend infrastructure.
The operation uses five GitLab repositories as both payload delivery and automated data exfiltration channels.
A three-module malware kit (system recon, keylogger, browser stealer) pushes stolen data via automated git commits on a 30-minute cycle.
Active since June 2025, with 4,100+ commits, 90+ compromised hosts, and victims still being actively compromised at time of discovery.
The threat actor manually triages victims into named folders, prioritizing cryptocurrency traders for account takeover.
Three ProtonMail-linked GitLab personas operate the infrastructure, assessed as a single operator or small team with financial motivation consistent with DPRK-nexus adversary VELVET CHOLLIMA.
The final payload is MoonPeak, a custom variant …
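The summary's most detectable trait is the exfiltration cadence: a scheduled task running git commits against GitLab every 30 minutes looks like beaconing in proxy or EDR telemetry, while a real developer's pushes are irregular. The following is an added detection example, not code from the HybridAnalysis write-up or from this page; the log format, host names, timestamps and the choice of gitlab.com as the destination are constructed assumptions, and the 1800-second period comes from the summary above.

```python
"""Beaconing-style detection for periodic git pushes to a code-hosting service.

Added example (not from the HybridAnalysis write-up or the lazarusholic page):
flags hosts whose outbound git traffic to gitlab.com recurs on a fixed cadence,
the behaviour the summary attributes to the 30-minute exfiltration cycle.
The log format, host names, timestamps and destination are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <host> <process> <destination>"
SAMPLE_LOG = """\
2026-05-10T09:00:03Z WS-117 git.exe gitlab.com
2026-05-10T09:30:05Z WS-117 git.exe gitlab.com
2026-05-10T10:00:02Z WS-117 git.exe gitlab.com
2026-05-10T10:30:04Z WS-117 git.exe gitlab.com
2026-05-10T11:00:06Z WS-117 git.exe gitlab.com
2026-05-10T09:12:40Z DEV-02 git.exe gitlab.com
2026-05-10T11:47:13Z DEV-02 git.exe gitlab.com
2026-05-10T16:05:58Z DEV-02 git.exe gitlab.com
2026-05-10T09:15:00Z WS-118 chrome.exe example.com
"""


def parse_log(text):
    """Return (timestamp, host, process, destination) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, dest))
    return events


def find_periodic_pushers(events, dest="gitlab.com", period_s=1800,
                          tolerance=0.1, min_events=4):
    """Hosts whose git connections to `dest` recur at ~period_s with low jitter.

    Returns {host: mean_interval_seconds}. Irregular developer activity (DEV-02)
    does not trigger; a scheduled 30-minute cadence (WS-117) does.
    """
    by_host = defaultdict(list)
    for ts, host, proc, d in events:
        if d == dest and proc.startswith("git"):
            by_host[host].append(ts)

    hits = {}
    for host, stamps in by_host.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        # Mean close to the expected period AND low spread is the tell for a scheduled task.
        if abs(m - period_s) <= tolerance * period_s and pstdev(gaps) <= tolerance * period_s:
            hits[host] = m
    return hits


if __name__ == "__main__":
    for host, interval in find_periodic_pushers(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: git traffic to {'gitlab.com'} every ~{interval / 60:.1f} min")
```

The jitter threshold matters: a scheduler fires within a few seconds of its period, so requiring a small standard deviation in addition to the right mean keeps an active developer who happens to push twice an hour from being flagged. In production the same logic would run over DNS, proxy or process-network telemetry rather than a constructed string.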

IoC

http://Tralert.site
http://Talert.site
http://Talert.store
http://91.107.246.107
http://github.com/vergiegpham/ADS_Analitics
http://161.97.113.34:3001/api/textcontent
http://Talert.online
http://Trumpalert.store
http://endava.online
http://Talert.space
http://github.com/Fujinuma0804/Tralert
http://161.97.113.34
http://Tralert.store
http://Tralert7.com
http://Tralert.online
91.107.246.107
161.97.113.34
[email protected]
[email protected]
[email protected]
[email protected]
384255ba8bea8997dce5a6a9c4b4352279343000821128342e6960dbcc14bbe0
3c356065e32ac8cbc6ec330581c7c343bf2d5567695f3a015a0ae95908a7ed6b
eaba341f94e700ff470e7a8fb3fe596f601ff54a8415103fa102520ec4bbd5e9
528b004407d32bbc6299540a7a9fd98a3037070d34b56f14813aaaa29820b13d