APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises

Description

APT32 (OceanLotus) has launched a sophisticated attack targeting Chinese cybersecurity professionals and specific large enterprises. The group released a Cobalt Strike exploit plugin with a Trojan on GitHub, embedding a malicious .suo file into a Visual Studio project. When compiled, the Trojan executes automatically. The attack, occurring between mid-September and early October 2024, used GitHub poisoning as the primary vector. The attackers disguised themselves as a security researcher from a leading Chinese FinTech company, publishing malicious projects with Chinese descriptions. The technique involved calling the .suo file, which executes once and then self-deletes, making detection challenging. The malware uses dll hollowing and communicates via the Notion API to evade detection.