Severity
High
Analysis Summary
APT32, also known as OceanLotus, has pivoted its focus beyond the Southeast Asian government and corporate sectors by launching a sophisticated campaign targeting cybersecurity researchers and enterprises through trusted open-source platforms like GitHub.
Identified by the researcher as Trojan.CobaltGate, the campaign exploits socially engineered GitHub repositories masquerading as legitimate red-teaming tools. These repositories are laced with obfuscated malicious PowerShell and Visual Basic scripts, distributed through poisoned accounts that leverage GitHub’s Issues and Discussions to fabricate authenticity using fake contributors and inflated star ratings.
The infection chain unfolds in three distinct stages. Initially, victims are lured into cloning repositories containing a setup.ps1 script. This script performs environment reconnaissance using WMI to gather system and domain data, which is base64-encoded and sent to attacker-controlled GitHub Pages domains disguised as analytics platforms.
In the second stage, a memory-resident DLL is sideloaded via a spoofed Visual Studio Code extension, embedding persistence and EDR evasion mechanisms. The DLL employs API hooking and uses forged Microsoft telemetry certificates to camouflage its operations from security products.
In the final stage, the malware establishes covert C2 communication by abusing GitHub’s REST API, using OAuth tokens stolen from compromised developer accounts. Commands are retrieved from issue comments labeled as “update,” with ECDH-based encryption used to secure communication. This method allows the malware to blend in with regular API activity, circumventing detection mechanisms that typically trust GitHub domains.
This campaign exemplifies a paradigm shift in cyber-espionage tactics, using trusted collaborative platforms as both delivery vectors and communication channels. It underscores the need for organizations to move beyond conventional IoC-based defenses. Security teams are urged to deploy advanced monitoring tools that evaluate contributor behavior, scan repositories for suspicious activity, and flag abnormal OAuth token use and GitHub Actions workflows. With over 87 million developers relying on GitHub, this campaign marks a critical warning about the dual-use nature of popular development ecosystems in modern cyber warfare.
Impact
- Sensitive Data Theft
- Privilege Escalation
- Gain Access
Indicators of Compromise
IP
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Monitor repositories for anomalous commit histories and obfuscated scripts.
- Detect unusual access patterns.
- Disable automatic workflow triggers for untrusted repositories.
- Use organization-level policies to prevent unauthorized workflow executions.
- Detect malicious PowerShell or VBScript execution.
- Flag memory-resident DLL sideloading and API hooking attempts.
- Alert on suspicious or excessive API requests.
- Look for hidden command-and-control (C2) communication patterns in REST API calls.
- Only allow installation and execution of signed extensions in tools like Visual Studio Code to prevent spoofed DLL sideloading.
- Watch for social engineering attempts via GitHub.
- Verify the authenticity of red-teaming and penetration testing tools.
- Clone and inspect repositories in sandboxed environments.
- Perform static and dynamic analysis of installer scripts and embedded binaries.
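As an added illustration of the API-monitoring items above (example code, not from the advisory), the following Python scans a constructed proxy log for two patterns the analysis describes: one host repeatedly polling a single issue-comments endpoint, and a request to a github.io host carrying a long base64 query value. The hostnames, repository name and github.io subdomain are made up; decoding the base64 is only a triage hint, not proof of exfiltration.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log (hosts, repo and github.io name are made up): "ts host url"
SAMPLE_LOG = """\
2025-04-11T10:00:00 dev-ws-07 https://api.github.com/repos/acme/redtool/issues/3/comments
2025-04-11T10:00:30 dev-ws-07 https://api.github.com/repos/acme/redtool/issues/3/comments
2025-04-11T10:01:00 dev-ws-07 https://api.github.com/repos/acme/redtool/issues/3/comments
2025-04-11T10:01:30 dev-ws-07 https://api.github.com/repos/acme/redtool/issues/3/comments
2025-04-11T10:02:15 dev-ws-07 https://analytics-cdn.github.io/collect?d=SG9zdDpkZXYtd3MtMDc7RG9tYWluOkNPUlA=
2025-04-11T10:05:00 dev-ws-12 https://api.github.com/repos/acme/redtool/issues/5
"""

ISSUE_COMMENTS = re.compile(r"^https://api\.github\.com/repos/[^/]+/[^/]+/issues/\d+/comments$")
B64_PARAM = re.compile(r"[?&][A-Za-z_]+=([A-Za-z0-9+/]{20,}={0,2})(?:&|$)")

def parse(log):
    """Split each "ts host url" line and order events by time."""
    return sorted((datetime.fromisoformat(t), h, u) for t, h, u in map(str.split, log.splitlines()))

def find_issue_polling(events, min_hits=4, max_gap_s=120):
    """Hosts re-fetching one issue-comments endpoint at short, regular intervals (C2 polling)."""
    seen = defaultdict(list)
    for ts, host, url in events:
        if ISSUE_COMMENTS.match(url):
            seen[(host, url)].append(ts)
    flagged = []
    for (host, url), times in seen.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and max(gaps) <= max_gap_s:
            flagged.append((host, url, len(times)))
    return flagged

def find_b64_beacons_to_pages(events):
    """Requests to *.github.io carrying a long, valid base64 query value (stage-one recon upload)."""
    flagged = []
    for _, host, url in events:
        netloc = urlparse(url).netloc
        m = B64_PARAM.search(url) if netloc.endswith(".github.io") else None
        try:
            payload = base64.b64decode(m.group(1), validate=True) if m else None
        except ValueError:  # binascii.Error is a ValueError subclass
            payload = None
        if payload is not None:
            flagged.append((host, netloc, payload.decode("utf-8", "replace")))
    return flagged
```

Tune min_hits and max_gap_s to the baseline of your own developers' GitHub API use; legitimate tooling also polls, so treat a hit as a lead for the host-level checks listed above rather than a verdict.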