A routine investigation into a low-detection installer has blown the doors off a highly organized, financially motivated cyber-espionage campaign. Orchestrated by a single operator or small team linked to the North Korean state-sponsored adversary VELVET CHOLLIMA, the operation has been silently draining credentials and monitoring victims for nearly a year.
The breakthrough came after an in-depth analysis of a weaponized 100 MB Windows MSI package masquerading as a cryptocurrency trading application called “Tralert FX”.
As researchers Vlad Pasca and Radu-Emanuel Chiscariu detail in their exhaustive technical analysis: “Static analysis of the MSI revealed a critical operational security failure: live production credentials hardcoded directly into the distributed payload and multiple GitLab Personal Access Tokens tied to active infrastructure.”
By leaving their backend keys inside the distributed software, the threat actors inadvertently handed security researchers complete, unredacted visibility into an infrastructure that had been active since June 2025.
To slip past modern endpoint detection and response (EDR) platforms, the threat actors went to great lengths to establish an initial facade of legitimacy. The “Tralert FX” installer achieved a 3/52 ultra-low detection rate on VirusTotal.
This stealth was achieved by abusing the global cryptographic trust architecture. The attackers successfully signed their malicious package with a valid Extended Validation (EV) code signing certificate. Telemetry indicates the certificate was issued to AgilusTech LLC, which the researchers assess “to be a front company or fraudulently registered entity created for the sole purpose of obtaining an EV code signing certificate.”
Once executed, the multi-stage loader drops a three-module malware kit encompassing comprehensive system reconnaissance, an API-based keylogger, and a browser data harvester.
Instead of routing data to a conventional, easily blocked Command-and-Control (C2) server, the malware completely changes the exfiltration playbook. It treats a series of private GitLab repositories as automated dead-drops. The infected host continuously packages keystrokes, active window titles, and session cookies, pushing them upstream via automated git commits on a rigid 30-minute cycle.
This technique allows the campaign to remain practically invisible on standard enterprise networks: “This approach intentionally exploits the inherent trust associated with GitLab’s infrastructure, blending malicious traffic with normal developer activity to evade perimeter controls and avoid takedown.”
At the time of discovery, the primary exfiltration repository contained over 4,100 automated commits tracking at least 90 uniquely compromised host systems.
A review of the repository’s backend layout exposed a meticulous victim management database. The attacker systematically separates incoming data into sorted directories based on target value. The researchers write that “This deliberate organizational behavior confirms human-in-the-loop oversight and prioritization of high-value targets.”
The operational focus is explicitly financial, aggressively prioritizing cryptocurrency account takeovers. Among the compromised folders, researchers identified cleartext trading credentials actively scraped from a German-speaking trader managing live XRP/USDT futures contracts.
The campaign has actively evolved across three distinct operational phases, moving from basic GitHub payload hosting in late 2025 to sophisticated, Caesar-cipher obfuscated GitLab API delivery loops in early 2026.
Because the threat actors leverage ProtonMail-linked handler personas and free South Korean domain hosting, traditional infrastructure blocks are insufficient. Network defenders are urged to cross-reference their enterprise logs for unauthorized outbound connections to the hardcoded C2 nodes (161.97.113.34 and 91.107.246.107), audit local systems for malicious scheduled tasks named TimeZoneRegister, and strictly monitor developer environments for unauthorized automated Git activity.
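As an added illustration (not code from the researchers' report), the following Python hunt applies the three checks above to exported logs: outbound connections to the two C2 nodes, the TimeZoneRegister scheduled task, and pushes to gitlab.com recurring on the 30-minute cadence described earlier. Only the two IPs, the task name and the 30-minute interval come from the article; the log formats, hostnames and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Indicators quoted from the report; all hostnames, timestamps and log lines are constructed.
C2_IPS = {"161.97.113.34", "91.107.246.107"}
TASK_NAME = "TimeZoneRegister"
BEACON_INTERVAL = timedelta(minutes=30)

def find_c2_connections(lines):
    """Return (host, dst_ip) for firewall lines whose destination is a known C2 node."""
    hits = []
    for line in lines:
        m = re.search(r"host=(\S+).*dst=(\d+\.\d+\.\d+\.\d+)", line)
        if m and m.group(2) in C2_IPS:
            hits.append((m.group(1), m.group(2)))
    return hits

def find_suspicious_tasks(task_names):
    """Flag scheduled tasks named like the persistence task (case-insensitive)."""
    return [t for t in task_names if t.lower() == TASK_NAME.lower()]

def find_periodic_git_pushes(events, min_pushes=3, tolerance=timedelta(minutes=2)):
    """Flag hosts whose pushes to gitlab.com recur on a ~30-minute cadence.
    events: (timestamp, host, destination) tuples from a proxy or egress log."""
    per_host = {}
    for ts, host, dst in events:
        if dst.endswith("gitlab.com"):
            per_host.setdefault(host, []).append(ts)
    flagged = []
    for host, stamps in per_host.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - BEACON_INTERVAL) <= tolerance]
        if len(regular) + 1 >= min_pushes:
            flagged.append(host)
    return flagged

FIREWALL_LOG = [  # constructed sample lines
    "2026-02-03T09:00:01 host=WS-TRADER01 dst=161.97.113.34 dport=443 action=allow",
    "2026-02-03T09:00:05 host=WS-TRADER01 dst=142.250.74.46 dport=443 action=allow",
    "2026-02-03T09:03:10 host=WS-DEV02 dst=91.107.246.107 dport=80 action=allow",
]
TASKS = ["MicrosoftEdgeUpdateTaskMachineCore", "TimeZoneRegister", "OneDrive Standalone Update Task"]
_t = datetime.fromisoformat
GIT_EVENTS = [  # constructed: one host pushing every 30 min, one pushing once
    (_t("2026-02-03T09:00:00"), "WS-TRADER01", "gitlab.com"),
    (_t("2026-02-03T09:30:02"), "WS-TRADER01", "gitlab.com"),
    (_t("2026-02-03T10:00:01"), "WS-TRADER01", "gitlab.com"),
    (_t("2026-02-03T09:12:00"), "WS-DEV02", "gitlab.com"),
]
```

A host flagged by the cadence check alone is only a lead; confirm it against the task audit and the account owning the pushes before treating it as compromised.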