APT32 Hackers Weaponizing GitHub to Attack Cybersecurity Professionals & Enterprises


APT32 (OceanLotus) has launched a novel campaign that weaponizes GitHub repositories to distribute malware to cybersecurity researchers and enterprises. The operation marks a strategic shift from the group's historical focus on Southeast Asian government and corporate targets: it instead exploits the trust placed in open-source platforms to infiltrate specialized defense communities. The malware, detected by ThreatBook analysts as Trojan.CobaltGate, uses a multi-stage infection chain that begins with socially engineered GitHub repositories posing as legitimate penetration testing tools.
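The lure described above works because a repository advertised as a penetration testing tool is something a researcher is inclined to clone and run. A defender's first line against it is a pre-flight check on the repository before any of its releases are executed. The following is an added example, not code from the article or from ThreatBook; the repository records are constructed, and the heuristics and thresholds (repository age, owner account age, single-contributor popularity, prebuilt binaries in releases, tool-style wording combined with binaries) are assumptions chosen for illustration rather than indicators published for this campaign.

```python
"""Heuristic vetting of a GitHub repository before anyone on the team runs a
"security tool" from it. Added example; records and thresholds are constructed
assumptions, not indicators from the article."""
from dataclasses import dataclass, field
from datetime import date

# File types in a release that a source-only tool would not normally ship.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".ps1", ".iso", ".lnk", ".zip", ".7z"}
# Wording typical of the "legitimate pentest tool" lure (assumed phrases).
LURE_PHRASES = ("penetration testing", "red team", "exploit")


@dataclass
class RepoRecord:
    full_name: str
    created: date                  # repository creation date
    owner_created: date            # owner account creation date
    stars: int
    contributors: int
    release_assets: list = field(default_factory=list)  # file names in latest release
    readme_excerpt: str = ""


def vet_repository(repo: RepoRecord, today: date) -> list[str]:
    """Return a list of human-readable flags; an empty list means nothing stood out."""
    flags = []
    repo_age = (today - repo.created).days
    owner_age = (today - repo.owner_created).days
    if repo_age < 30:
        flags.append(f"repository is only {repo_age} days old")
    if owner_age < 90:
        flags.append(f"owner account is only {owner_age} days old")
    if repo.contributors <= 1 and repo.stars >= 50:
        flags.append("single contributor but many stars (possible inflated popularity)")
    binaries = [a for a in repo.release_assets
                if any(a.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]
    if binaries:
        flags.append("prebuilt executable/archive assets in release: " + ", ".join(binaries))
    lure = [p for p in LURE_PHRASES if p in repo.readme_excerpt.lower()]
    if lure and binaries:
        flags.append("security-tool lure wording combined with prebuilt binaries")
    return flags


def triage(repos: list[RepoRecord], today: date) -> dict[str, list[str]]:
    """Vet several repositories and map each name to its flags."""
    return {r.full_name: vet_repository(r, today) for r in repos}


# Constructed sample records (fictional names and dates).
TODAY = date(2025, 3, 1)
SAMPLE_REPOS = [
    RepoRecord("example-org/netscan", date(2019, 5, 1), date(2015, 1, 1), 4000, 35,
               ["netscan-src.tar.gz"], "Network scanner written in Go. Build from source."),
    RepoRecord("newuser123/ScanTool", date(2025, 2, 20), date(2025, 1, 15), 120, 1,
               ["ScanTool-v1.0.zip", "ScanTool.exe"],
               "Lightweight penetration testing toolkit for red team engagements."),
]

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_REPOS, TODAY).items():
        print(name, "->", "clean" if not flags else "; ".join(flags))
```

The mature repository produces no flags, while the freshly created one trips every check. None of these signals proves a repository is malicious on its own; the point is to force a human review (and a sandboxed run) before a prebuilt "tool" from an unknown publisher is executed on an analyst workstation.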
