
APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises

Jan. 9, 2025, 9:38 a.m.

Description

APT32 (OceanLotus) has launched a sophisticated attack targeting Chinese cybersecurity professionals and specific large enterprises. The group released a Trojanized Cobalt Strike exploit plugin on GitHub, embedding a malicious .suo file in a Visual Studio project; when the project is compiled, the Trojan executes automatically. The attack, which took place between mid-September and early October 2024, used GitHub poisoning as its primary vector. The attackers posed as a security researcher from a leading Chinese FinTech company and published the malicious projects with Chinese-language descriptions. The technique relies on the .suo file being invoked once, after which it self-deletes, which makes detection challenging. The malware uses DLL hollowing and communicates through the Notion API to evade detection.

Date

Published: Jan. 9, 2025, 8:56 a.m.

Created: Jan. 9, 2025, 8:56 a.m.

Modified: Jan. 9, 2025, 9:38 a.m.

Attack Patterns

Cobalt Strike - S0154

APT32

T1588.001

T1583.001

T1055.001

T1102.002

T1553.002

T1547.001

T1204.002

T1573

T1218

T1566.001

T1055

T1036

T1140

T1027

T1566

T1190

T1059

Additional Information

Technology

China