A new wave of cyberattacks has emerged, leveraging GitHub as an attack vector to deliver malware specifically crafted for cybersecurity professionals and enterprise networks. This campaign, attributed to the threat group known as APT32 (also referred to as OceanLotus), marks a shift from their traditional focus on Southeast Asia, instead targeting the global cybersecurity community through weaponized open-source repositories.
Analysts have identified a new malware strain, dubbed Trojan.CobaltGate, which uses a highly deceptive multi-stage infection process. The attackers set up GitHub repositories that appear to offer legitimate red-teaming or penetration testing tools. These repositories feature staged contributor activity, fake stars, and engagement through Issues and Discussions, enhancing their credibility among security researchers.
Multi-Stage Attack Flow
Stage 1: Reconnaissance
A PowerShell script within the repository begins by gathering the system's domain and user data, encoding it, and sending it to attacker-controlled GitHub Pages sites disguised as analytics services.
Stage 2: Persistence and Evasion
In this stage, a malicious DLL is loaded into memory via a fake Visual Studio Code extension. It uses API hooking and masquerades as Microsoft software to bypass endpoint detection solutions.
Stage 3: Covert Communication
The final phase involves establishing communication with a command-and-control (C2) server using GitHub’s own REST API. OAuth tokens from compromised developer accounts allow the malware to fetch commands hidden in GitHub Issues under the guise of legitimate updates. These channels are encrypted using an elliptic-curve Diffie-Hellman key exchange encoded within comments.
Threat Implications
This operation demonstrates a dangerous trend where attackers weaponize trusted platforms like GitHub, turning them into vectors for stealthy cyber intrusions. Traditional detection methods based on known malicious IPs or signatures are rendered ineffective when attacks are delivered through commonly used services and APIs.
Experts recommend that organizations implement behavioral analytics for code repositories, track anomalous API token usage, and monitor unusual actions in GitHub workflows. As open-source platforms continue to be vital to development and security research, their misuse also increases, demanding greater vigilance from enterprise security teams worldwide.
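As an added illustration of the API-usage monitoring recommended above (not code from the analysts or any vendor), the following Python example flags hosts where a process outside an allowlist polls GitHub Issues endpoints at near-constant intervals, the pattern Stage 3 would produce. The log format, host and repository names, allowlist and thresholds are assumptions, and the sample records are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy records: timestamp host process method url
SAMPLE_LOG = """\
2025-01-10T09:00:00 ws-014 Code.exe GET https://api.github.com/repos/example-org/example-tool/issues/7/comments
2025-01-10T09:05:02 ws-014 Code.exe GET https://api.github.com/repos/example-org/example-tool/issues/7/comments
2025-01-10T09:10:01 ws-014 Code.exe GET https://api.github.com/repos/example-org/example-tool/issues/7/comments
2025-01-10T09:15:03 ws-014 Code.exe GET https://api.github.com/repos/example-org/example-tool/issues/7/comments
2025-01-10T09:01:00 ws-031 chrome.exe GET https://api.github.com/repos/example-org/other-repo/issues
2025-01-10T09:02:10 ws-031 chrome.exe GET https://api.github.com/repos/example-org/other-repo/issues
2025-01-10T09:30:00 ws-031 chrome.exe GET https://api.github.com/repos/example-org/other-repo/issues
2025-01-10T10:45:00 ws-031 chrome.exe GET https://api.github.com/repos/example-org/other-repo/issues
2025-01-10T09:00:00 ws-020 gh.exe GET https://api.github.com/repos/example-org/example-tool/issues/7/comments
2025-01-10T09:01:00 ws-020 gh.exe GET https://api.github.com/repos/example-org/example-tool/issues/7/comments
2025-01-10T09:02:00 ws-020 gh.exe GET https://api.github.com/repos/example-org/example-tool/issues/7/comments
2025-01-10T09:03:00 ws-020 gh.exe GET https://api.github.com/repos/example-org/example-tool/issues/7/comments
"""

ISSUES_URL = re.compile(r"^https://api\.github\.com/repos/([^/]+/[^/]+)/issues(/\d+(/comments)?)?(\?.*)?$")
# Assumed allowlist; process names can be spoofed, so this is a tuning aid only.
EXPECTED_CLIENTS = {"gh.exe"}

def find_issue_polling(log, min_hits=4, max_jitter=0.2):
    """Return sorted (host, process, repo) keys polling Issues at steady intervals."""
    hits = defaultdict(list)
    for line in log.strip().splitlines():
        ts, host, proc, method, url = line.split()
        m = ISSUES_URL.match(url)
        if m and method == "GET" and proc.lower() not in EXPECTED_CLIENTS:
            hits[(host, proc, m.group(1))].append(datetime.fromisoformat(ts))
    flagged = []
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Low coefficient of variation = machine-like polling, not human browsing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    for host, proc, repo in find_issue_polling(SAMPLE_LOG):
        print(f"steady Issues polling: {host} {proc} -> {repo}")
```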