Stargazer Goblin has created a large-scale malware Distribution-as-a-Service (DaaS) operation known as Stargazers Ghost Network, leveraging over 3,000 fake GitHub accounts. These accounts push information-stealing malware via GitHub repositories and compromised WordPress sites. The malware, including RedLine, Lumma Stealer, and Atlantida Stealer, is distributed through password-protected archives, which are less likely to raise suspicion due to GitHub’s reputation as a trusted service.
The operation involves creating numerous repositories with malicious content under the guise of legitimate projects related to cryptocurrency, gaming, and social media. The fake accounts, which are strategically used to increase the visibility of these repositories, are segmented into roles such as serving phishing templates and distributing malware. This division of labor helps maintain the network’s effectiveness and resilience, even when some accounts are banned by GitHub.
Check Point Research highlights that this organized scheme has been active since at least August 2022 and has generated substantial profits, estimated over $100,000. The attackers have implemented tactics to evade detection, including updating phishing repositories with new malicious links whenever accounts are flagged and banned. The presence of the network’s links in YouTube tutorials and other platforms indicates a broader strategy to direct traffic to these malicious repositories.
Despite GitHub’s efforts to remove more than 1,500 fake repositories since May 2024, over 200 continue to distribute malware. Users are advised to be cautious with file downloads from such repositories, especially with password-protected archives, and to use virtual machines or tools like VirusTotal to scan contents for malware. The persistence of this threat underscores the need for vigilance in verifying the legitimacy of online sources and files.
Reference:
