VELVET CHOLLIMA Infostealer Campaign Using Trading App as Lure
A recent infostealer campaign attributed to the DPRK-nexus actor known as VELVET CHOLLIMA uses a fake cryptocurrency trading application called Tralert FX as its lure. The malware is distributed as an MSI installer that bundles a multi-module infostealer with a notably low AV detection rate of only 3 out of 52. The campaign uses valid EV code signing certificates issued to AgilusTech LLC, potentially a front company, to make the malware appear legitimate and evade detection.
MITRE ATT&CK & Malware Families
Indicators of Compromise (1 / 21 total)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| FileHash-MD5 | f10d35fedb6aa986cef4c113edfdef26 | — | 2026-05-15 |