{
  "name": "APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises",
  "slug": "apt32-poisoning-github-targeting-chinese-cybersecurity-professionals-and-specific-large-enterprises",
  "description": "APT32 (OceanLotus) has launched a sophisticated attack targeting Chinese cybersecurity professionals and specific large enterprises. The group released a Cobalt Strike exploit plugin with a Trojan on GitHub, embedding a malicious .suo file into a Visual Studio project. When compiled, the Trojan executes automatically. The attack, occurring between mid-September and early October 2024, used GitHub poisoning as the primary vector. The attackers disguised themselves as a security researcher from a leading Chinese FinTech company, publishing malicious projects with Chinese descriptions. The technique involved calling the .suo file, which executes once and then self-deletes, making detection challenging. The malware uses dll hollowing and communicates via the Notion API to evade detection.",
  "published": "2025-01-09T07:56:49+00:00",
  "created_at": "2025-01-09T07:56:49+00:00",
  "modified_at": "2025-01-09T08:38:54+00:00",
  "created_at_opencti": "2025-01-09T07:56:49+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-09",
    "cobalt strike",
    "dll hollowing",
    "notion api",
    "oceanlotus"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "ab138766-9b64-4880-87fb-1942a709d778",
        "name": "Cobalt Strike - S0154",
        "slug": "cobalt-strike-s0154"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9a821557-32bc-408b-b248-eaa7b91d60d3",
        "name": "APT32",
        "slug": "apt32"
      }
    ],
    "attack_patterns": [
      {
        "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd",
        "name": "T1588.001"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "02abb0a8-0ebf-433b-987f-e25675af60d6",
        "name": "T1055.001"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Technology"
      }
    ]
  },
  "external_refs": [
    "https://threatbook.io/blog/id/1100",
    "https://otx.alienvault.com/pulse/677f8f51560c6b5abcb3a87c"
  ]
}