A threat actor dubbed “Stargazer Goblin” has orchestrated a sophisticated scheme using over 3,000 fake GitHub accounts to distribute various types of information-stealing malware, amassing illicit profits of $100,000 in the past year.
Known as the “Stargazers Ghost Network,” this operation involves thousands of repositories on GitHub, which are used to disseminate malicious links and malware. The network’s activities include starring, forking, watching, and subscribing to these repositories to give them a semblance of legitimacy, according to a report by Check Point.
The campaign, active since August 2022, started advertising its Distribution-as-a-Service (DaaS) model on the dark web in July 2023. This DaaS distributes malware families such as Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
Antonis Terefos, a security researcher, explained that the “Ghost” accounts mimic normal user activity to avoid detection, making the malicious repositories appear legitimate. Different sets of accounts manage various aspects of the operation, such as phishing templates and malware distribution, ensuring resilience against GitHub’s takedown efforts.
When GitHub bans these malicious accounts, Stargazer Goblin quickly updates the phishing repositories with new links, maintaining the network’s functionality with minimal disruption. This sophisticated operation uses multiple accounts to minimize losses, as usually only one part of the network is affected by GitHub’s actions at any time.
Check Point also discovered that some compromised accounts, with credentials likely stolen via stealer malware, are used to update malicious links and continue the distribution process. One identified campaign used a GitHub repository link to deliver the Atlantida Stealer malware via a PowerShell script.
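The "ghost" pattern described above (young, empty accounts starring a repository in a burst to make it look popular) leaves signals a defender can screen for before trusting a repository. The following is an added example, not Check Point's tooling or anything from the report; the thresholds, account names and timestamps are constructed for illustration. In practice the records would come from the GitHub REST API (`GET /repos/{owner}/{repo}/stargazers` with the `application/vnd.github.star+json` media type supplies `starred_at`, and `GET /users/{login}` supplies `created_at`, `public_repos` and `followers`); here they are embedded inline so the script runs offline.

```python
"""Heuristic screening of a repository's stargazer list for ghost-account
patterns: accounts created recently, with no public repos or followers,
that all starred within a short window.  Added example, not Check Point's
tooling; thresholds are assumptions chosen for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed "current time" so the account-age arithmetic is reproducible.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def _parse(ts):
    # GitHub API timestamps are ISO 8601 with a trailing "Z" (UTC).
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def star_burst_fraction(stargazers, window_hours=48):
    """Largest fraction of all stars that landed within any window_hours span.
    A value near 1.0 means nearly every star arrived together (a burst)."""
    times = sorted(_parse(s["starred_at"]) for s in stargazers)
    if not times:
        return 0.0
    window = timedelta(hours=window_hours)
    best, j = 0, 0
    for i in range(len(times)):          # sliding window ending at times[i]
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best / len(times)


def score_stargazers(stargazers, now=NOW, young_days=90):
    """Return a small report: which heuristics fired and how many.
    Thresholds (50% young, 50% empty, 70% burst) are illustrative assumptions."""
    n = len(stargazers)
    if n == 0:
        return {"n": 0, "score": 0, "flags": []}
    ages = [(now - _parse(s["created_at"])).days for s in stargazers]
    young = sum(1 for a in ages if a < young_days) / n
    empty = sum(1 for s in stargazers
                if s["public_repos"] == 0 and s["followers"] == 0) / n
    burst = star_burst_fraction(stargazers)
    flags = []
    if young >= 0.5:
        flags.append("young_accounts")
    if empty >= 0.5:
        flags.append("empty_profiles")
    if burst >= 0.7:
        flags.append("star_burst")
    return {"n": n, "young": young, "empty": empty, "burst": burst,
            "score": len(flags), "flags": flags}


def _rec(login, created, repos, followers, starred):
    # Shape mirrors the fields a real API client would collect per stargazer.
    return {"login": login, "created_at": created, "public_repos": repos,
            "followers": followers, "starred_at": starred}


# Constructed sample: eight accounts created within three days of each other,
# no repos or followers, all starring within a few hours on the same morning.
SUSPICIOUS = [
    _rec(f"ghost{i}", f"2024-05-0{1 + i % 3}T12:00:00Z", 0, 0,
         f"2024-06-10T0{6 + i % 4}:15:00Z")
    for i in range(8)
]

# Constructed sample: established accounts whose stars trickle in over months.
BENIGN = [
    _rec("alice", "2016-03-14T09:00:00Z", 42, 120, "2024-01-05T10:00:00Z"),
    _rec("bob",   "2018-07-01T08:30:00Z", 7,  15,  "2024-02-11T14:20:00Z"),
    _rec("carol", "2020-11-20T17:45:00Z", 19, 40,  "2024-03-02T09:05:00Z"),
    _rec("dave",  "2021-05-09T12:00:00Z", 3,  2,   "2024-04-18T21:30:00Z"),
    _rec("erin",  "2022-09-30T06:15:00Z", 0,  9,   "2024-05-25T11:00:00Z"),
    _rec("frank", "2015-01-02T13:00:00Z", 88, 300, "2024-06-20T16:40:00Z"),
]

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, score_stargazers(sample))
```

None of these signals is proof on its own (a repository featured in a newsletter also gets a star burst), which is why the score counts independent heuristics rather than acting on any one; a high score is a reason to inspect the repository's contents and the accounts that starred it before trusting it.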
The Stargazers Ghost Network extends beyond GitHub, with similar operations running on platforms like Discord, Facebook, Instagram, X, and YouTube, highlighting the widespread nature of this DaaS model.
Additionally, new extortion operations have emerged that target GitHub repositories, wipe their contents, and demand ransom through Telegram. These attacks often start with phishing emails designed to trick developers into authorizing malicious OAuth apps.
Recent advisories highlight vulnerabilities within GitHub’s repository structure, such as the Cross Fork Object Reference (CFOR) vulnerability, which allows access to sensitive data from deleted or private repositories.
These incidents underscore the need for robust security measures and vigilant monitoring of third-party services to protect against such sophisticated cyber threats.