Author(s): Vlad Pasca, Radu-Emanuel Chiscariu

Executive Summary

A fake cryptocurrency trading app, Tralert FX, was used to distribute a multi-module infostealer with only 3/52 AV detections, enabled by a valid EV code signing certificate from likely front company AgilusTech LLC.

The MSI installer contained hardcoded SSH credentials and GitLab tokens, exposing the threat actor's entire backend infrastructure.

The operation uses five GitLab repositories as both payload delivery and automated data exfiltration channels. A three-module malware kit (system recon, keylogger, browser stealer) pushes stolen data via automated git commits on a 30-minute cycle.

Active since June 2025, with 4,100+ commits, 90+ compromised hosts, and victims still being actively compromised at time of discovery. The threat actor manually triages victims into named folders, prioritizing cryptocurrency traders for account takeover.

Three ProtonMail-linked GitLab personas operate the infrastructure, assessed as a single operator or small team with financial motivation consistent with DPRK-nexus adversary VELVET CHOLLIMA. The final payload is MoonPeak, a custom variant of the open-source XenoRAT malware.

Hybrid Analysis has identified a low-detection malicious installer masquerading as a legitimate cryptocurrency trading application called Tralert FX. The sample, a 100 MB Windows MSI submitted to VirusTotal in March 2026, achieved only a 3/52 detection rate. This low detection rate was largely due to a valid EV code signing certificate issued to a likely front company, AgilusTech LLC.

What initially appeared to be a routine low-confidence detection quickly escalated into the exposure of a sophisticated, long-running, multi-stage infostealer campaign with infrastructure spanning five GitLab repositories, a dedicated C2 server, and a network of cryptocurrency trading lure domains.
A Deeper Dive

Static analysis of the MSI revealed a critical operational security failure: live production credentials hardcoded directly into the distributed payload and multiple GitLab Personal Access Tokens tied to active infrastructure. This single failure gave researchers full visibility into an operation running continuously since June 2025, originally hosted on GitHub before a deliberate pivot to GitLab in October 2025.

The campaign operates through a modular, multi-stage loader architecture. Obfuscated PowerShell loaders hosted on GitLab beacon to a dedicated C2 endpoint, establish Windows Scheduled Task persistence under innocuous-sounding names (TimeZoneRegister, AutoTimeZoneMachine), and silently fetch second-stage payloads via authenticated GitLab API calls. A fake RTF document that is actually a GZIP file with a modified header can also be extracted from the initial MSI file. A fourth payload repository (adswem-group/adswem-project), referenced in loader code but not captured during analysis, indicates that the infrastructure footprint may extend beyond what is currently mapped.

Stolen data from three functional malware modules (system reconnaissance, keylogging, and browser credential theft) is exfiltrated via automated git commits on a strict 30-minute schedule. This approach intentionally exploits the inherent trust associated with GitLab's infrastructure, blending malicious traffic with normal developer activity to evade perimeter controls and avoid takedown.

At the time of discovery, the primary exfiltration repository contained over 4,100 commits and evidence of 90+ compromised hosts. The threat actor actively triages incoming data into named and numbered victim folders, a behavior confirming human-in-the-loop oversight and deliberate prioritization of high-value targets. For example, at least one victim (a German-speaking cryptocurrency trader managing live XRP/USDT futures positions) had cleartext trading credentials captured via keylogger.
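Two of the artifacts described above are cheap to triage mechanically: a "document" whose extension says RTF but whose bytes are a GZIP stream with a damaged header, and a distributed package that still carries live tokens and SSH keys. The following Python helpers are an added example written for this page, not tooling from Hybrid Analysis or the report authors. They assume GitLab personal access tokens keep the documented `glpat-` prefix (the minimum body length in the regex is a conservative assumption), and the sample blob and the token inside it are constructed for the demonstration.

```python
"""Triage helpers for a fake-RTF/GZIP artifact and for secrets left in a
package. Added example for this write-up; not the report's own tooling."""
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b"
RTF_MAGIC = b"{\\rtf"

# GitLab PATs carry a documented "glpat-" prefix. The body length here is an
# assumption chosen to be permissive; tighten it if you know the exact format.
GLPAT_RE = re.compile(rb"glpat-[A-Za-z0-9_\-]{20,}")
SSH_KEY_RE = re.compile(rb"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")


def classify_rtf(data: bytes) -> dict:
    """Decide what a file presented as .rtf actually is.

    Returns a verdict and, where the bytes inflate, the decompressed payload.
    A real RTF starts with "{\\rtf"; a gzip stream starts with 1f 8b. If
    neither matches, the two magic bytes are restored and inflation is retried,
    which catches the "modified header" trick described in the report. Damage
    elsewhere in the gzip header (e.g. the method byte) is not repaired.
    """
    if data.startswith(RTF_MAGIC):
        return {"verdict": "rtf", "payload": None}
    if data.startswith(GZIP_MAGIC):
        return {"verdict": "gzip_masquerade", "payload": gzip.decompress(data)}
    patched = GZIP_MAGIC + data[2:]
    try:
        payload = gzip.decompress(patched)
    except (OSError, EOFError, zlib.error):  # BadGzipFile is an OSError
        return {"verdict": "unknown", "payload": None}
    return {"verdict": "gzip_patched_header", "payload": payload}


def find_secrets(data: bytes) -> dict:
    """Scan raw bytes (an MSI, an inflated loader) for credential material."""
    return {
        "gitlab_tokens": sorted({m.decode() for m in GLPAT_RE.findall(data)}),
        "ssh_private_keys": len(SSH_KEY_RE.findall(data)),
    }


def build_sample() -> bytes:
    """Constructed test artifact: a gzip blob whose two magic bytes were
    overwritten, wrapping a fake loader that embeds a made-up token."""
    inner = b"# fake loader (constructed)\n$tok = 'glpat-EXAMPLEEXAMPLEEXAMPLE00'\n"
    blob = gzip.compress(inner)
    return b"RT" + blob[2:]  # header no longer identifies as gzip


if __name__ == "__main__":
    result = classify_rtf(build_sample())
    print(result["verdict"])
    if result["payload"]:
        print(find_secrets(result["payload"]))
```

The order of checks matters: a genuine RTF is accepted before any inflation attempt, so the patched-header path only runs on files that already fail both the RTF and the plain gzip signature. Any hit from `find_secrets` on a shipped installer is a revocation-and-rotation event, not just an analysis finding.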
Three ProtonMail-linked GitLab personas operate distinct segments of the infrastructure, each following an identical repeated-syllable naming convention. Analysis of commit timing, shared C2 infrastructure, cross-referencing of tokens between repositories, and 11 unique GLPATs rotated across the campaign's lifetime all point to a single operator running a financially motivated operation with a targeting profile and tradecraft consistent with DPRK cybercrime objectives.

As we can see in Figure 1, the initial file can be MSI or APPX:

Figure 1 - build-config.js

The malware sends the OS platform and architecture to the "api/textcontent" URI on the C2 server (Figure 2).

Figure 2 - clientlog.js

The code that is used to set up the database suggests that it may have been developed using LLMs:

Figure 3 - setup-database.js

Figure 4 shows that the script tries to download a PowerShell script called "gz" from the "wkekek2-group/wkekek2-project" repository.

Figure 4 - clientlog(gitlab).js

The scheduled task called "TimeZoneRegister" is used to run another PowerShell script. The private token is hard-coded in the la...
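The strict 30-minute push cadence and the commit-timing analysis mentioned above are themselves a detection opportunity: a workstation that pushes to GitLab every half hour, around the clock, with almost no jitter, does not look like a developer. The script below is an added example, not the report's own tooling. It runs over a handful of constructed proxy log lines (host names, group/project path and timestamps are all made up) and flags hosts whose git smart-HTTP pushes (`POST .../git-receive-pack`, the standard push endpoint) recur at a fixed period.

```python
"""Flag hosts that push to GitLab on a fixed timer. Added example with
constructed log lines; not tooling from the report."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log: "<ISO-8601 time> <source host> <method> <url>".
# WS-0142 pushes every ~30 minutes; DEV-01 is an ordinary developer.
SAMPLE_LOG = """\
2025-11-03T09:00:05Z WS-0142 POST https://gitlab.com/example-group/example-project.git/git-receive-pack
2025-11-03T09:12:40Z DEV-01 GET https://gitlab.com/api/v4/projects/12345/merge_requests
2025-11-03T09:30:07Z WS-0142 POST https://gitlab.com/example-group/example-project.git/git-receive-pack
2025-11-03T09:58:11Z DEV-01 POST https://gitlab.com/team/app.git/git-receive-pack
2025-11-03T10:00:04Z WS-0142 POST https://gitlab.com/example-group/example-project.git/git-receive-pack
2025-11-03T10:30:09Z WS-0142 POST https://gitlab.com/example-group/example-project.git/git-receive-pack
2025-11-03T11:00:06Z WS-0142 POST https://gitlab.com/example-group/example-project.git/git-receive-pack
2025-11-03T13:21:50Z DEV-01 POST https://gitlab.com/team/app.git/git-receive-pack
2025-11-03T16:45:02Z DEV-01 POST https://gitlab.com/team/app.git/git-receive-pack
"""

PUSH_MARKER = "/git-receive-pack"  # git smart-HTTP push endpoint


def parse_pushes(text: str) -> dict:
    """Map each source host to the sorted timestamps of its git pushes."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, host, method, url = line.split(maxsplit=3)
        if method == "POST" and url.endswith(PUSH_MARKER):
            events[host].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return {host: sorted(times) for host, times in events.items()}


def periodic_pushers(events: dict, period_s: int = 1800,
                     jitter_s: int = 60, min_events: int = 4) -> dict:
    """Return hosts whose push intervals cluster tightly around period_s.

    The median gap must sit within jitter_s of the expected period and the
    spread of gaps must also stay within jitter_s, which separates a timer
    from a human who happens to push twice in one half hour.
    """
    flagged = {}
    for host, times in events.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        spread = pstdev(gaps)
        if abs(med - period_s) <= jitter_s and spread <= jitter_s:
            flagged[host] = {"pushes": len(times),
                             "median_gap_s": med,
                             "jitter_s": round(spread, 1)}
    return flagged


if __name__ == "__main__":
    for host, info in periodic_pushers(parse_pushes(SAMPLE_LOG)).items():
        print(host, info)
```

This only sees pushes over HTTPS through the proxy. The installer also carried SSH credentials, so the same cadence should be checked on outbound TCP/22 flows to the git host; the interval logic is identical, only the event source changes. Pair the hit with an inventory check: a host that is not a developer endpoint and runs scheduled tasks named TimeZoneRegister or AutoTimeZoneMachine is worth isolating.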
The VELVET CHOLLIMA threat actor is distributing a low-detection infostealer via a fake cryptocurrency trading app ("Tralert FX"), leveraging a valid EV code signing certificate from AgilusTech LLC. The multi-stage malware uses obfuscated PowerShell loaders hosted on GitLab repositories to establish persistence and deploy a three-module kit (recon, keylogger, browser stealer) that exfiltrates data via automated git commits. The campaign's operational security was breached by hardcoded SSH credentials and GitLab tokens in the distributed MSI installer, exposing the backend infrastructure and ongoing victim compromise.