More Fake Cryptocurrency Apps Deliver GMERA Malware to Mac Users


Previous attacks involving this malware family were observed leveraging malicious versions of the trading app Stockfolio, and security researchers also associated the GMERA Trojan with the activities of North Korean hackers.

Recently identified campaigns featuring the malware used several websites to distribute malicious applications that claimed to provide cryptocurrency trading capabilities.

The cybercriminals built their malicious programs on the Kattana trading application, which they used to package their malware. The observed campaigns used four different brandings: Cointrazer, Cupatrade, Licatrade and Trezarus.