OceanLotus, also known as APT32, a Southeast Asian advanced persistent threat (APT) group, has recently launched a sophisticated targeted attack against cybersecurity researchers and large corporations in China.
The attack, first detected in mid-2024, involved weaponizing GitHub infrastructure to distribute malicious code embedded in Visual Studio project files.
ThreatBook Research and Response Team identified the operation as an intelligence theft campaign aimed at compromising cybersecurity experts and stealing sensitive information through remote control capabilities.
The Attack Mechanism
The attackers leveraged GitHub for hosting poisoned repositories, posing as security professionals from a Chinese FinTech company.
The adversaries registered a GitHub account under the username “0xjiefeng,” where they cloned legitimate security tools and added malicious plugins targeting Chinese red team tools like Cobalt Strike.
These plugins contained a Trojan embedded in .suo files within Visual Studio project directories. Victims triggered the Trojan upon opening .sln or .csproj files using Visual Studio, initiating automatic execution of the malicious code.

The use of the .suo file (Solution User Options) in this attack was a novel and well-concealed technique, marking the first time such a method was observed in a malicious campaign.
Once executed, the Trojan overwrote and deleted itself to avoid detection. The attackers employed a deserialization method using BinaryFormatter encoded in base64 to load the malicious payload.
ThreatBook discovered that the attackers further obfuscated their intentions by incorporating Chinese descriptions in the project documentation, although traces of machine translation were evident.
Despite the deletion of malicious repositories from GitHub, the poisoned code had already spread among cybersecurity blogs and victim repositories, amplifying the attack’s reach.
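The following is an added example, written for this page and not code from the article or from ThreatBook, that triages a cloned repository for the technique described above: it finds every .suo file in the checkout (user-local state that has no business in a shared repository) and looks inside each for a BinaryFormatter stream, whether stored raw or as base64 text. The assumptions are that the payload is either a raw MS-NRBF stream or its base64 form in ASCII or UTF-16LE; the sample checkout built by demo() and the placeholder stream inside it are constructed. A finding is a triage lead rather than proof, since legitimate extensions can persist their own state in the same format; the safe default for a cloned repository is simply to delete any committed .suo before opening the solution.

```python
"""Added example (not from the article or ThreatBook): triage a cloned repository
for Visual Studio .suo files that carry a serialized .NET object stream, the
BinaryFormatter-in-.suo technique described above.

Assumptions, not stated on the page: the payload sits inside the .suo container
either as a raw MS-NRBF stream or as its base64 text in ASCII or UTF-16LE."""
import base64
import os
import re
import tempfile
from pathlib import Path

# First 17 bytes of every BinaryFormatter stream (MS-NRBF SerializationHeaderRecord):
# RecordType=0, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
BF_HEADER = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")
# Base64 of that header; the first 22 characters are fixed whatever follows.
BF_B64_PREFIX = base64.b64encode(BF_HEADER).decode()[:22]  # AAEAAAD/////AQAAAAAAAA

# Constructed stand-in for a serialized object graph (header + one record byte +
# filler), used only by demo() and the tests; it is not a real object graph.
CONSTRUCTED_STREAM = BF_HEADER + b"\x0c\x02\x00\x00\x00" + b"A" * 300
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_STREAM)


def find_binaryformatter(data: bytes) -> list:
    """Locate BinaryFormatter streams in a blob: raw, base64, or UTF-16LE base64.

    Each finding records the encoding, the byte offset, and the length of the
    encoded run (for raw streams, the bytes from the header to end of blob)."""
    findings = []
    for m in re.finditer(re.escape(BF_HEADER), data):
        findings.append({"kind": "raw", "offset": m.start(),
                         "length": len(data) - m.start()})
    ascii_pat = re.escape(BF_B64_PREFIX.encode()) + rb"[A-Za-z0-9+/=]*"
    for m in re.finditer(ascii_pat, data):
        findings.append({"kind": "base64", "offset": m.start(),
                         "length": len(m.group())})
    utf16_pat = (re.escape(BF_B64_PREFIX.encode("utf-16-le"))
                 + rb"(?:[A-Za-z0-9+/=]\x00)*")
    for m in re.finditer(utf16_pat, data):
        findings.append({"kind": "base64-utf16le", "offset": m.start(),
                         "length": len(m.group()) // 2})
    return findings


def scan_tree(root) -> list:
    """Walk a checkout (hidden .vs directories included) and report every .suo
    file together with any serialized-object streams found inside it."""
    root = Path(root)
    suo_files = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".suo"):
                suo_files.append(Path(dirpath) / name)
    report = []
    for path in sorted(suo_files, key=lambda p: p.relative_to(root).as_posix()):
        report.append({"path": path.relative_to(root).as_posix(),
                       "streams": find_binaryformatter(path.read_bytes())})
    return report


def demo() -> dict:
    """Build a constructed checkout with one clean and one poisoned .suo, scan it,
    and return {path: [stream kinds]} so the result can be checked."""
    ole_magic = b"\xd0\xcf\x11\xe0"  # compound-file signature that .suo files start with
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean_dir = root / "tool" / ".vs" / "tool" / "v17"
        clean_dir.mkdir(parents=True)
        (clean_dir / ".suo").write_bytes(ole_magic + b"\x00" * 64)
        bad_dir = root / "plugin"
        bad_dir.mkdir()
        # The poisoned file carries the base64 text as a UTF-16LE string.
        (bad_dir / "plugin.suo").write_bytes(
            ole_magic + b"\x00" * 8
            + CONSTRUCTED_B64.decode().encode("utf-16-le") + b"\x00" * 8)
        report = scan_tree(root)
    return {r["path"]: [s["kind"] for s in r["streams"]] for r in report}


if __name__ == "__main__":
    for path, kinds in demo().items():
        print(f"{path}: {kinds or 'no serialized streams'}")
```

Run it against a real checkout with `scan_tree("/path/to/clone")`; the UTF-16LE case matters because strings inside a compound-file stream are often stored that way, so an ASCII-only search would miss them.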
Technical Analysis
Upon execution, the malicious components were deposited in the directory C:\Users\Public\TTDIndexerX64 with files such as TraceIndexer.exe and TTDReplay.dll.
Registry entries were created to ensure persistence. OceanLotus employed DLL hollowing techniques by overwriting memory within the system library xpsservices.dll to execute the payload silently.
For command-and-control (C2) communication, the attackers used the cloud-based note-taking platform Notion to embed instructions and evade detection.
The API interaction with Notion enabled encrypted transmission between infected systems and OceanLotus infrastructure.
ThreatBook’s mapping analysis revealed correlated malicious assets and ports, suggesting a deliberate deployment timeline from mid-September to October 2024.
The campaign specifically targeted cybersecurity researchers, large technology enterprises, and government agencies in China.
Samples were designed to check the victim’s computer names and profiles to verify target relevance, ensuring maximum impact.
This attack saw extensive dissemination of poisoned projects across cybersecurity forums and blogs within China, increasing visibility and potential exposure.

Indicators of Compromise (IoC)
Key IoCs associated with the OceanLotus campaign include:
- Page ID for Notion communication: 11f5edabab708090b982d1fe423f2c0b
- Malicious C2 infrastructure:
  - 190.211.254.203:4443
  - 45.41.204.18:8443
  - 45.41.204.15:443
  - 178.255.220.115:443
  - 103.91.67.74:4443
  - 154.93.37.106:443
  - 193.138.195.192:8443
  - 38.54.59.112:80
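As an added example (not code from the article or ThreatBook), the script below applies the IoCs listed above, plus the drop directory and file names from the Technical Analysis section, to firewall, proxy and endpoint log lines. The IoC values are the ones the article publishes; the log format and the sample lines are constructed, as is the devenv.exe parent process in the EDR line. It distinguishes an exact IP:port match from a hit on the C2 address alone, and accepts the Notion page ID in both its plain and dashed UUID forms.

```python
"""Added example (not from the article or ThreatBook): match the IoCs listed above
against connection, proxy and endpoint log lines. The IoC values are the ones the
article publishes; the log format and the log lines themselves are constructed."""
import re

C2_ENDPOINTS = {
    ("190.211.254.203", 4443), ("45.41.204.18", 8443), ("45.41.204.15", 443),
    ("178.255.220.115", 443), ("103.91.67.74", 4443), ("154.93.37.106", 443),
    ("193.138.195.192", 8443), ("38.54.59.112", 80),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}
NOTION_PAGE_ID = "11f5edabab708090b982d1fe423f2c0b"
DROP_DIR = r"C:\Users\Public\TTDIndexerX64"
DROP_FILES = ("TraceIndexer.exe", "TTDReplay.dll")

IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
# Notion exposes page IDs both as 32 hex digits and in dashed UUID form; accept either.
NOTION_RE = re.compile("-?".join(NOTION_PAGE_ID), re.IGNORECASE)


def match_line(line: str) -> list:
    """Return the IoC categories a single log line matches, in a fixed order."""
    hits = []
    for ip, port in IPPORT_RE.findall(line):
        if (ip, int(port)) in C2_ENDPOINTS:
            hits.append("c2-endpoint")
        elif ip in C2_IPS:
            # Same host, different port: worth a look but weaker than an exact match.
            hits.append("c2-ip")
    if NOTION_RE.search(line):
        hits.append("notion-page-id")
    lowered = line.lower()
    if DROP_DIR.lower() in lowered:
        hits.append("drop-path")
    if any(name.lower() in lowered for name in DROP_FILES):
        hits.append("drop-file")
    return hits


def scan_log(lines) -> list:
    """Return (line_number, hits) for every line with at least one IoC match."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := match_line(line))]


# Constructed sample lines covering firewall, proxy and EDR sources.
SAMPLE_LOG = [
    "2024-10-03T08:12:44Z fw allow src=10.0.0.15:51234 dst=45.41.204.18:8443 proto=tcp",
    "2024-10-03T08:12:45Z fw allow src=10.0.0.15:51235 dst=45.41.204.18:443 proto=tcp",
    "2024-10-03T08:13:01Z proxy GET https://api.notion.com/v1/blocks/"
    "11f5edab-ab70-8090-b982-d1fe423f2c0b/children src=10.0.0.15",
    r"2024-10-03T08:13:05Z edr process_create image=C:\Users\Public\TTDIndexerX64\TraceIndexer.exe parent=devenv.exe",
    "2024-10-03T08:14:00Z fw allow src=10.0.0.22:4011 dst=203.0.113.7:443 proto=tcp",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The "c2-ip" tier is deliberately separate: several of the listed addresses may sit on shared hosting, so a hit on the address without the published port needs context before it is escalated, while an exact IP:port match or the Notion page ID is a much stronger signal.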
OceanLotus demonstrated strong intent to compromise high-value targets by deploying customized payloads and leveraging unique tactics.
ThreatBook’s platforms, including its Threat Detection Platform (TDP), Threat Intelligence Platform (TIP), and DNS-based Secure Web Gateway (OneDNS), have incorporated these IoCs to detect and counter this threat effectively.
The APT32 operation underscores the need for heightened vigilance among cybersecurity professionals, particularly when interacting with open-source repositories.
Security researchers must ensure robust validation of tools and files sourced from platforms like GitHub to prevent compromising their systems and sensitive data.