APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

APT32 (OceanLotus) has launched a sophisticated attack targeting Chinese cybersecurity professionals and specific large enterprises. The group published on GitHub a Cobalt Strike exploit plugin that carries a Trojan, embedding a malicious .suo file in a Visual Studio project; when the project is compiled, the Trojan executes automatically. The attack, which took place between mid-September and early October 2024, used GitHub poisoning as its primary vector. The attackers posed as a security researcher from a leading Chinese FinTech company and published the malicious projects with Chinese-language descriptions. The technique relies on the .suo file being invoked once and then deleting itself, which makes detection difficult. The malware uses DLL hollowing and communicates through the Notion API to evade detection.
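The report names a committed .suo file as the carrier, so a practical defensive check before opening or building a third-party Visual Studio project is to look for .suo files in the cloned tree and confirm whether the repository's .gitignore excludes them at all. The script below is an added example written for this page, not code from the report or from OpenCTI; it assumes (from general Visual Studio knowledge, not from the report) that .suo is a binary, user-local solution-options file that is normally kept out of source control, so its presence in a published repository is itself a red flag. The sample project it scans is constructed inline so the check runs offline.

```python
import tempfile
from pathlib import Path

# Assumption (not stated in the report): .suo files are user-local Visual Studio
# solution-options files that are normally excluded from version control, so any
# .suo committed to a repository deserves a second look before the project is built.
SUSPICIOUS_SUFFIXES = {".suo"}


def gitignore_covers_suo(repo: Path) -> bool:
    """Return True if .gitignore contains a pattern that excludes .suo files or the .vs folder."""
    gitignore = repo / ".gitignore"
    if not gitignore.is_file():
        return False
    for raw in gitignore.read_text(errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(".suo") or line.rstrip("/") == ".vs":
            return True
    return False


def scan_repo(repo: Path) -> dict:
    """Walk a cloned repository and report every committed .suo file plus .gitignore coverage."""
    findings = []
    for path in repo.rglob("*"):
        if path.is_file() and path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings.append({
                "path": str(path.relative_to(repo)),
                "size": path.stat().st_size,
            })
    return {
        "suo_files": findings,
        "gitignore_excludes_suo": gitignore_covers_suo(repo),
    }


def build_constructed_repo() -> Path:
    """Create a throwaway fake Visual Studio project (constructed sample, not a real artefact)."""
    root = Path(tempfile.mkdtemp(prefix="suo_check_"))
    (root / "Plugin.sln").write_text("Microsoft Visual Studio Solution File, Format Version 12.00\n")
    (root / "Plugin").mkdir()
    (root / "Plugin" / "Plugin.csproj").write_text('<Project Sdk="Microsoft.NET.Sdk" />\n')
    (root / ".vs").mkdir()
    # Constructed placeholder bytes standing in for a committed .suo file.
    (root / ".vs" / "Plugin.suo").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    # .gitignore that covers build output but not .vs/ or *.suo: the gap we want flagged.
    (root / ".gitignore").write_text("bin/\nobj/\n")
    return root


if __name__ == "__main__":
    result = scan_repo(build_constructed_repo())
    for hit in result["suo_files"]:
        print(f"committed .suo file: {hit['path']} ({hit['size']} bytes)")
    print("gitignore excludes .suo:", result["gitignore_excludes_suo"])
```

Run it against a real clone by passing the checkout directory to `scan_repo`; a non-empty `suo_files` list, especially together with `gitignore_excludes_suo` being False, is reason to inspect the project in an isolated environment rather than opening it in a workstation IDE.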

OPENCTI LABELS :

cobalt strike,dll hollowing,oceanlotus,notion api
