APT32 Abuses GitHub Infrastructure to Launch Targeted Strikes on Cybersecurity Experts and Corporations - cyberpress.org
APT32 Abuses GitHub Infrastructure to Launch Targeted Strikes on Cybersecurity Experts and Corporations
By Mandvi
April 10, 2025
Categories: APT, Cyber Security News, Cybersecurity, GitHub
OceanLotus, also known as APT32, a Southeast Asian advanced persistent threat (APT) group, has recently launched a sophisticated targeted attack against cybersecurity researchers and large corporations in China.
The attack, first detected in mid-2024, involved weaponizing GitHub infrastructure to distribute malicious code embedded in Visual Studio project files.
ThreatBook's Research and Response Team identified the operation as an intelligence theft campaign aimed at compromising cybersecurity experts and stealing sensitive information through remote control capabilities.
The Attack Mechanism
The attackers leveraged GitHub for hosting poisoned repositories, posing as security professionals from a Chinese FinTech company.
The adversaries registered a GitHub account under the username “0xjiefeng,” where they cloned legitimate security tools and added malicious plugins targeting Chinese red team tools like Cobalt Strike.
These plugins contained a Trojan embedded in .suo files within Visual Studio project directories.
Victims triggered the Trojan upon opening .sln or .csproj files using Visual Studio, initiating automatic execution of the malicious code.
Chinese expressions in the project
The .suo file (Solution User Options) used in this attack was a novel and well-concealed delivery technique; ThreatBook reports this as the first time the method has been observed in a malicious campaign.
Once executed, the Trojan overwrote and deleted itself to evade detection. The payload was delivered as a base64-encoded BinaryFormatter serialization stream, and deserializing it loaded the malicious code.
ThreatBook discovered that the attackers further obfuscated their intentions by incorporating Chinese descriptions in the project documentation, although traces of machine translation were evident.
Despite the deletion of malicious repositories from GitHub, the poisoned code had already spread among cybersecurity blogs and victim repositories, amplifying the attack’s reach.
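As an added defensive example (not code from the article or the ThreatBook report), the following Python script triages a cloned Visual Studio project before it is opened: it flags committed .suo files and any base64 run that decodes to a BinaryFormatter serialization stream. The header bytes are the fixed BinaryFormatter SerializationHeaderRecord; the sample project contents are constructed.

```python
import base64
import binascii
import re
from pathlib import Path

# A BinaryFormatter stream opens with a fixed SerializationHeaderRecord:
# record type 0x00, RootId = 1, HeaderId = -1, MajorVersion = 1, MinorVersion = 0.
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
# Runs of base64 text long enough to carry a serialized payload.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")

def binaryformatter_blobs(data: bytes) -> list[bytes]:
    """Decode every base64 run in data (raw bytes and a UTF-16LE text view, which
    Visual Studio uses for many stored strings); keep those with the BinaryFormatter header."""
    views = [data, data.decode("utf-16-le", errors="ignore").encode("ascii", "ignore")]
    found: list[bytes] = []
    for view in views:
        for run in BASE64_RUN.findall(view):
            run = run.rstrip(b"=")
            try:
                decoded = base64.b64decode(run + b"=" * (-len(run) % 4))
            except binascii.Error:
                continue
            if decoded.startswith(BINARYFORMATTER_HEADER) and decoded not in found:
                found.append(decoded)
    return found

def review_project_files(files: dict[str, bytes]) -> list[str]:
    """Triage a cloned project given as {relative path: contents}: flag committed .suo
    files (per-user state that repos normally gitignore) and any BinaryFormatter stream."""
    findings = []
    for path, data in files.items():
        if Path(path).name.lower().endswith(".suo"):
            findings.append(f"{path}: .suo file committed to the repository (user-specific, should not ship)")
        for blob in binaryformatter_blobs(data):
            findings.append(f"{path}: base64 BinaryFormatter stream ({len(blob)} bytes); do not open in Visual Studio")
    return findings

# Constructed sample: a fake .suo wrapping a base64 BinaryFormatter stream whose body is a
# harmless placeholder, next to an ordinary project file.
CONSTRUCTED_SAMPLE = {
    "Tool.suo": b"\x00\x01" + base64.b64encode(BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00" + b"placeholder-" * 4) + b"\x00",
    "Tool.csproj": b'<Project Sdk="Microsoft.NET.Sdk"></Project>',
}

if __name__ == "__main__":
    for line in review_project_files(CONSTRUCTED_SAMPLE):
        print(line)
```

To run it against a real checkout, build the mapping with `{str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}` and pass it to `review_project_files`.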
Technical Analysis
Upon execution, the malicious components were deposited in the directory C:\Users\Public\TTDIndexerX64 with files such as TraceIndexer.exe and TTDReplay.dll.
Registry entries were created to ensure persistence. OceanLotus employed DLL hollowing techniques by overwriting memory within the system library xpsservices.dll to execute the payload silently.
For command-and-control (C2) communication, the attackers used the cloud-based note-taking platform Notion to embed instructions and evade detection.
The API interaction with Notion enabled encrypted transmission between infected systems and OceanLotus infrastructure.
ThreatBook’s mapping analysis revealed correlated malicious assets and ports, suggesting a deliberate deployment timeline from mid-September to October 2024.
The campaign specifically targeted cybersecurity researchers, large technology enterprises, and government agencies in China.
Samples were designed to check the victim’s computer names and profiles to verify target relevance, ensuring maximum impact.
This attack saw extensive dissemination of poisoned projects across cybersecurity forums and blogs within China, increasing visibility and potential exposure.
Chinese cybersecurity blogs
Indicators of Compromise (IoC)
Key IoCs associated with the OceanLotus campaign include:
Page ID for Notion communication: 11f5edabab708090b982d1fe423f2c0b
Malicious C2 infrastructure:
OceanLotus demonstrated strong intent to compromise high-value targets by deploying customized payloads and leveraging unique tactics.
ThreatBook’s platforms, including its Threat Detection Platform (TDP), Threat Intelligence Platform (TIP), and DNS-based Secure Web Gateway (OneDNS), have incorporated these IoCs to detect and counter this threat effectively.
The APT32 operation underscores the need for heightened vigilance among cybersecurity professionals, particularly when interacting with open-source repositories.
Security researchers must ensure robust validation of tools and files sourced from platforms like GitHub to prevent compromising their systems and sensitive data.