Pulse: Infostealer Campaign Using Trading App as Lure
TLP: WHITE | Adversary tag: Kimsuky | Author: AlienVault | Created: 2026-05-20 | Modified: 2026-05-21
17 IOCs | MEDIUM VOLUME
A sophisticated infostealer operation was discovered masquerading as a cryptocurrency trading application called Tralert FX. The malicious MSI installer achieved only 3/52 AV detections because it was signed with a valid EV code signing certificate issued to a likely front company, AgilusTech LLC. The campaign has been active since June 2025 and uses a three-module malware kit providing system reconnaissance, keylogging, and browser credential theft. Stolen data is exfiltrated to five GitLab repositories via automated git commits on 30-minute cycles. Hardcoded credentials exposed the entire backend infrastructure, revealing over 4,100 commits, 90+ compromised hosts, and ongoing victim compromise. The operation shows clear financial motivation, with a focus on cryptocurrency traders for account takeover. Three ProtonMail-linked GitLab accounts operate the infrastructure and are assessed to belong to a single operator or small team. The final payload is MoonPeak, a custom variant of XenoRAT.
Indicators of Compromise (4 / 17 total)
TYPE            | INDICATOR                                                        | DESCRIPTION | CREATED
FileHash-SHA256 | 384255ba8bea8997dce5a6a9c4b4352279343000821128342e6960dbcc14bbe0 |             | 2026-05-20
FileHash-SHA256 | 3c356065e32ac8cbc6ec330581c7c343bf2d5567695f3a015a0ae95908a7ed6b |             | 2026-05-20
FileHash-SHA256 | 528b004407d32bbc6299540a7a9fd98a3037070d34b56f14813aaaa29820b13d |             | 2026-05-20
FileHash-SHA256 | eaba341f94e700ff470e7a8fb3fe596f601ff54a8415103fa102520ec4bbd5e9 |             | 2026-05-20