APT32, also known as OceanLotus, has launched a sophisticated cyberattack using GitHub to target Chinese cybersecurity professionals. The attack, identified by the ThreatBook Research and Response Team, began in mid-September 2024 and spread across various Chinese industries. APT32’s innovative use of GitHub and Visual Studio project tools marks a significant escalation in their tactics. The attackers embedded a malicious .suo file within a project, triggering execution upon compilation and deleting it to avoid detection.
The attacker, posing as a security researcher from a Chinese FinTech company, created a GitHub account under the name 0xjiefeng in October 2024.
This account forked multiple security tool projects, embedding backdoored Cobalt Strike plugins within the code. The attacker used a deceptive narrative to attract targets within the Chinese cybersecurity community, leveraging their trust in GitHub repositories and development environments like Visual Studio. The malicious code execution was triggered automatically when the project files were opened in Visual Studio.
The attack’s spread was amplified by Chinese blogs and platforms that unknowingly shared the backdoored projects, leading to a wider reach within the community. The attacker cleverly used machine translations to craft descriptions and instructions in Chinese, making the bait more enticing for the target audience. By embedding malicious code in Visual Studio project settings, the attack exploited the automatic loading of these tools to grant remote control over compromised systems.
This tactic allowed the attackers to steal intelligence and control large technology enterprises and cybersecurity research groups in China.
This incident highlights the evolving tactics of APT32 and other state-sponsored actors, who are now weaponizing trusted development tools like GitHub and Visual Studio. The attack underlines the vulnerability of even the most trusted platforms in the face of advanced persistent threats. Cybersecurity professionals and organizations must remain vigilant, updating their systems and tools and implementing robust threat detection measures to prevent similar attacks in the future.
