{
  "name": "Infostealer Campaign Using Trading App as Lure",
  "slug": "infostealer-campaign-using-trading-app-as-lure",
  "description": "A sophisticated infostealer operation was discovered masquerading as a cryptocurrency trading application called Tralert FX. The malicious MSI installer achieved only 3/52 AV detections by using a valid EV code signing certificate from a likely front company, AgilusTech LLC. The campaign has been active since June 2025, utilizing a three-module malware kit that includes system reconnaissance, keylogging, and browser credential theft capabilities. Stolen data is exfiltrated through five GitLab repositories via automated git commits on 30-minute cycles. Hardcoded credentials exposed the entire backend infrastructure, revealing over 4,100 commits, 90+ compromised hosts, and ongoing victim compromise. The operation demonstrates clear financial motivation, with a focus on cryptocurrency traders as targets for account takeover. Three ProtonMail-linked GitLab accounts operate the infrastructure, assessed as belonging to a single operator or small team. The final payload is MoonPeak, a custom variant of XenoRAT.",
  "published": "2026-05-20T09:12:24+00:00",
  "created_at": "2026-05-20T09:12:24+00:00",
  "modified_at": "2026-05-21T14:11:31+00:00",
  "created_at_opencti": "2026-05-20T09:12:24+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-20",
    "code-signing-abuse",
    "cryptocurrency",
    "dprk-nexus",
    "gitlab exfiltration",
    "infostealer",
    "moonpeak",
    "trading app lure",
    "xenorat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "384255ba8bea8997dce5a6a9c4b4352279343000821128342e6960dbcc14bbe0"
      },
      {
        "id": "",
        "name": "528b004407d32bbc6299540a7a9fd98a3037070d34b56f14813aaaa29820b13d"
      },
      {
        "id": "",
        "name": "eaba341f94e700ff470e7a8fb3fe596f601ff54a8415103fa102520ec4bbd5e9"
      },
      {
        "id": "",
        "name": "3c356065e32ac8cbc6ec330581c7c343bf2d5567695f3a015a0ae95908a7ed6b"
      }
    ],
    "malware": [
      {
        "id": "9c08757d-bd59-45d1-8174-ac5b1ab454f2",
        "name": "XenoRAT",
        "slug": "xenorat"
      },
      {
        "id": "legacy:malware:02965b16e1243552",
        "name": "MoonPeak",
        "slug": "moonpeak"
      }
    ],
    "intrusion_sets": [
      {
        "id": "294d962a-b24e-446b-8e2d-3706cb1316b3",
        "name": "Kimsuky",
        "slug": "kimsuky"
      }
    ],
    "attack_patterns": [
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "3e753709-1776-42f4-b465-278cb5f6ea6b",
        "name": "T1614"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "61188dce-ace8-48b2-bda2-c846b920485c",
        "name": "T1567.001"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "talert.store"
      },
      {
        "id": "",
        "name": "tralert.store"
      },
      {
        "id": "",
        "name": "talert.site"
      },
      {
        "id": "",
        "name": "tralert.online"
      },
      {
        "id": "",
        "name": "why-db-sometimes-fails.md"
      },
      {
        "id": "",
        "name": "talert.online"
      },
      {
        "id": "",
        "name": "trumpalert.store"
      },
      {
        "id": "",
        "name": "talert.space"
      },
      {
        "id": "",
        "name": "tralert7.com"
      },
      {
        "id": "",
        "name": "tralert.site"
      },
      {
        "id": "",
        "name": "endava.online"
      }
    ]
  },
  "external_refs": [
    "https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html?m=1",
    "https://otx.alienvault.com/pulse/6a0d9718bf383fbc0b89ec6c"
  ]
}