A cybercriminal known as “Stargazer Goblin” has been operating the Stargazers Ghost Network on GitHub since at least June 2023, distributing malware to Windows users through over 3,000 fake accounts.

Description

Through tools such as RedLine, Lumma Stealer [3], Rhadamanthys [2] [3], RisePro [3], and Atlantida Stealer [2] [3] [4], the network delivers threats including ransomware infections, stolen credentials [1] [4], and compromised cryptocurrency wallets [1] [4]. Stargazer Goblin charges other criminals for its distribution service, earning around $8,000 per month and potentially up to $100,000 in total [6]. The adversary also takes over legitimate GitHub accounts with stolen login details to spread malicious code, and the starring [2], forking [2] [4] [5] [6], and watching of repositories is likely automated so that the activity looks like genuine user behavior [6]. GitHub is actively detecting and removing content and accounts that violate its policies, but over 200 malicious repositories remain active.

The Stargazers Ghost Network represents a new trend in malware distribution: ghost accounts create the illusion of popularity and trustworthiness [4]. The network has distributed malware and phishing links since at least June 2023 [4], with operations dating back to around August 2022 [4]. Its estimated earnings during a campaign in January 2024 were around $8,000, and its total earnings are believed to be approximately $100,000 [4]. Malware is spread through several tactics, including malicious links in README.md files and password-protected archives in the Releases section of repositories [4].
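A defender-side heuristic for the fake-popularity signal described above, written as an added example that is not part of the original article or of any vendor tooling: it scores a repository's stargazers by account age, account emptiness, and how tightly the stars cluster in time. The Stargazer record, the thresholds, and the sample accounts are constructed assumptions, not values reported by the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Stargazer:
    login: str
    account_created: datetime   # GitHub account creation date
    public_repos: int
    followers: int
    starred_at: datetime        # when this account starred the repository

def is_ghost_like(s: Stargazer, max_age_days: int = 90) -> bool:
    """Assumed heuristic: young account with no repositories or followers."""
    age = s.starred_at - s.account_created
    return age <= timedelta(days=max_age_days) and s.public_repos == 0 and s.followers == 0

def star_burst_ratio(stargazers, window: timedelta = timedelta(hours=24)) -> float:
    """Largest share of all stars that landed inside any single time window."""
    times = sorted(s.starred_at for s in stargazers)
    best = 0
    for i, t0 in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - t0 <= window))
    return best / len(times) if times else 0.0

def assess_repo(stargazers, ghost_threshold=0.5, burst_threshold=0.7) -> dict:
    """Flag a repository whose stars mostly come from ghost-like accounts or a burst."""
    ghosts = [s.login for s in stargazers if is_ghost_like(s)]
    ghost_ratio = len(ghosts) / len(stargazers) if stargazers else 0.0
    burst = star_burst_ratio(stargazers)
    return {
        "ghost_ratio": round(ghost_ratio, 2),
        "burst_ratio": round(burst, 2),
        "ghost_logins": ghosts,
        "suspicious": ghost_ratio >= ghost_threshold or burst >= burst_threshold,
    }

# Constructed sample: four accounts created days earlier all star within one hour,
# while two established accounts star weeks apart (organic pattern).
T = datetime(2024, 1, 15, 12, 0)
SAMPLE = [
    Stargazer("ghost-a", T - timedelta(days=3), 0, 0, T),
    Stargazer("ghost-b", T - timedelta(days=5), 0, 0, T + timedelta(minutes=7)),
    Stargazer("ghost-c", T - timedelta(days=2), 0, 0, T + timedelta(minutes=15)),
    Stargazer("ghost-d", T - timedelta(days=9), 0, 0, T + timedelta(minutes=40)),
    Stargazer("dev-x", T - timedelta(days=1500), 12, 40, T - timedelta(days=30)),
    Stargazer("dev-y", T - timedelta(days=800), 3, 5, T + timedelta(days=12)),
]

if __name__ == "__main__":
    print(assess_repo(SAMPLE))
```

Against a live repository the same fields come from the GitHub users and stargazers endpoints (star timestamps require the `application/vnd.github.star+json` media type); the thresholds are starting points to tune, not calibrated values.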

Conclusion

This discovery highlights how threat actors are evolving their tactics to leverage legitimate platforms like GitHub for malicious purposes [4], and it emphasizes the need for robust cybersecurity measures and vigilant monitoring of software distribution platforms [4]. Users are advised to exercise caution when downloading files from GitHub repositories reached through malicious ads [3], search results [3], YouTube videos [3], Telegram [3] [5], or social media [1] [3] [5] [6], especially password-protected archives, which antivirus software cannot scan [3].

References

[1] https://blog.checkpoint.com/security/the-hidden-menace-of-phantom-attackers-on-github-by-stargazers-ghost-network/
[2] https://www.darkreading.com/application-security/stargazer-goblin-amasses-rogue-github-accounts-to-spread-malware
[3] https://www.hfrance.fr/es/mas-de-3-000-cuentas-de-github-utilizadas-por-el-servicio-de-distribucion-de-malware.html
[4] https://cybersecuritynews.com/stargazers-ghost-github/
[5] https://voxvine.com/tech/a-hacker-ghost-network-is-quietly-spreading-malware-on-github/
[6] https://www.wired.com/story/github-malware-spreading-network-stargazer-goblin/