Infostealer Campaign Using Trading App as Lure
A sophisticated infostealer campaign masquerades as a cryptocurrency trading app named Tralert FX. It uses a malicious MSI installer signed with a valid EV code signing certificate from a likely front company, AgilusTech LLC, to evade detection. Active since June 2025, the malware kit includes system reconnaissance, keylogging, and browser credential theft modules. Stolen data is exfiltrated via automated commits to GitLab repositories every 30 minutes. Hardcoded credentials exposed the backend infrastructure, revealing thousands of commits and numerous compromised hosts. The operation targets cryptocurrency traders for financial gain and is attributed to the Kimsuky adversary group. The final payload is MoonPeak, a custom variant of XenoRAT. No patch or official remediation is indicated in the data. The campaign is assessed as medium severity based on available information.
AI Analysis
Technical Summary
This threat involves a multi-module infostealer malware campaign using a fake cryptocurrency trading application called Tralert FX as a lure. The malware installer is signed with a valid EV certificate from AgilusTech LLC, allowing it to bypass most antivirus detections. The campaign has been active since June 2025 and includes modules for system reconnaissance, keylogging, and browser credential theft. Data exfiltration occurs through automated git commits to five GitLab repositories every 30 minutes. Hardcoded credentials in the malware infrastructure have exposed over 4,100 commits and more than 90 compromised hosts, indicating ongoing victim compromise. The campaign is financially motivated, focusing on cryptocurrency traders to facilitate account takeover. The final payload is MoonPeak, a custom variant of the XenoRAT remote access trojan. The threat actor is linked to the Kimsuky group, operating via ProtonMail-linked GitLab accounts. No official patch or remediation guidance is provided.
Potential Impact
The campaign enables attackers to steal sensitive information including system data, keystrokes, and browser-stored credentials from victims, primarily cryptocurrency traders. This can lead to account takeover and financial loss. The use of a valid EV code signing certificate reduces detection rates, increasing the likelihood of successful infection. The exposure of backend infrastructure credentials indicates a significant operational security failure, potentially allowing further compromise and persistence. The ongoing nature of the campaign and the scale of compromised hosts suggest a sustained threat with financial motivations.
Mitigation Recommendations
No official patch or remediation is indicated in the available data. Security teams should be aware of the malicious domains and file hashes associated with this campaign to detect and block related activity. Due to the use of a valid EV code signing certificate, reliance solely on signature-based detection may be insufficient. Monitoring for suspicious MSI installers masquerading as legitimate trading apps and restricting installation of unverified software is recommended. Review and secure GitLab repositories and credentials to prevent data exfiltration. Follow vendor advisories if they become available for updated remediation guidance.
Indicators of Compromise
- domain: tralert.online
- domain: tralert7.com
- domain: talert.online
- domain: endava.online
- hash: f10d35fedb6aa986cef4c113edfdef26
- hash: ed02996ba97457166406d1d3230ef177fec67913
- hash: 384255ba8bea8997dce5a6a9c4b4352279343000821128342e6960dbcc14bbe0
- hash: 3c356065e32ac8cbc6ec330581c7c343bf2d5567695f3a015a0ae95908a7ed6b
- hash: 528b004407d32bbc6299540a7a9fd98a3037070d34b56f14813aaaa29820b13d
- hash: eaba341f94e700ff470e7a8fb3fe596f601ff54a8415103fa102520ec4bbd5e9
- domain: talert.site
- domain: talert.space
- domain: talert.store
- domain: tralert.site
- domain: tralert.store
- domain: trumpalert.store
- domain: why-db-sometimes-fails.md
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html?m=1
- Adversary: Kimsuky
- Pulse Id: 6a0d9718bf383fbc0b89ec6c
- Threat Score: null
Threat ID: 6a0f2f76e1370fbb48f13303
Added to database: 5/21/2026, 4:14:46 PM
Last enriched: 5/21/2026, 4:30:03 PM
Last updated: 5/21/2026, 5:23:33 PM