PULSE NAME
VELVET CHOLLIMA Infostealer Campaign Using Trading App as Lure
WHITE VELVET CHOLLIMA PetrP.73 2026-05-15 Modified: 2026-05-15
21 IOCs
MEDIUM VOLUME
The recent infostealer campaign attributed to the DPRK-nexus actor known as VELVET CHOLLIMA uses a fake cryptocurrency trading application called Tralert FX as its lure. The malware is distributed as an MSI installer that bundles a multi-module infostealer, with a notably low AV detection rate of only 3 out of 52. The campaign highlights the use of valid EV code signing certificates from AgilusTech LLC, a potential front company, to make the malware appear legitimate and evade detection.
Indicators of Compromise (4 / 21 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA256 384255ba8bea8997dce5a6a9c4b4352279343000821128342e6960dbcc14bbe0 2026-05-15
FileHash-SHA256 3c356065e32ac8cbc6ec330581c7c343bf2d5567695f3a015a0ae95908a7ed6b 2026-05-15
FileHash-SHA256 528b004407d32bbc6299540a7a9fd98a3037070d34b56f14813aaaa29820b13d 2026-05-15
FileHash-SHA256 eaba341f94e700ff470e7a8fb3fe596f601ff54a8415103fa102520ec4bbd5e9 2026-05-15