Stargazer Goblin used over 3,000 fake GitHub accounts to distribute information-stealing malware through password-protected archives, and some of those accounts are still active. By abusing a trusted source and polished phishing techniques, the group infected numerous targets with its malware.
Threat actors known as 'Stargazer Goblin' have created a malware Distribution-as-a-Service (DaaS) named the Stargazers Ghost Network. They used over 3,000 fake GitHub accounts to push information-stealing malware, leveraging GitHub's trusted reputation to distribute password-protected archives containing malware. Because GitHub is widely trusted, people were more likely to click on links found in the service's repositories.
Check Point Research discovered the operation. It is the first time a large-scale scheme has been documented running on GitHub. The malware distributed through the Stargazers Ghost Network includes RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer. GitHub has taken down over 1,500 malicious repositories since May 2024, but over 200 are active and continue to distribute malware. Users arriving on GitHub repositories through malvertising, Google Search results, YouTube videos, Telegram, or social media are advised to be cautious with file downloads and URLs they click.
After the malware distribution service was discovered, Check Point Research wrote a report, explaining that “the campaigns performed by the Stargazers Ghost Network and malware distributed via this service are extremely successful.”
“In a short period of time, thousands of victims installed software from what appears to be a legitimate repository without suspecting any malicious intent. The heavily victim-oriented phishing templates allow threat actors to infect victims with specific profiles and online accounts, making the infections even more valuable,” says Check Point Research.
The Stargazers Ghost Network operates with sets of three 'ghost' accounts, each assigned a distinct role. One account serves the phishing template, another provides the image, and the third serves the malware. Researcher Antonis Terefos said on X, "The third account, which serves the malware, is more likely to be detected. When this happens, GitHub bans the entire account, repository, and associated releases." "In response to such actions, Stargazer Goblin updates the first account's phishing repository with a new link to a new active malicious release. This allows the network to continue operating with minimum losses when a malware-serving account is banned," he explains.
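The three-account layout described above gives defenders a simple thing to look for: a repository whose README sends visitors to a release asset published by a different account. The script below is an added example written for this article, not code from Check Point Research or from any of the accounts involved. The README text, account names and repository names in it are constructed samples, and the cross-account heuristic is an assumption about what such a template repository looks like, not a documented indicator from the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample README text, modelled on the three-account layout the
# article describes: the repository owner "ghost-template-acct" hosts the
# phishing page, the screenshot comes from a second account, and the download
# link points at a release published by a third. All names here are made up.
SAMPLE_README = """
# Free Video Editor Pro (cracked)
![screenshot](https://raw.githubusercontent.com/ghost-image-acct/assets/main/shot.png)
Download: https://github.com/ghost-release-acct/editor/releases/download/v1.0/editor.zip
Password for the archive: 2024
Docs: https://github.com/ghost-template-acct/editor-pro/wiki
"""

# Links on github.com itself; raw.githubusercontent.com image links are ignored.
GITHUB_URL = re.compile(r"https?://(?:www\.)?github\.com/[^\s)\"'>]+")


def release_links(readme_text: str):
    """Return every github.com link in the text that points at a release asset."""
    links = []
    for match in GITHUB_URL.finditer(readme_text):
        url = match.group(0)
        parts = urlparse(url).path.strip("/").split("/")
        # Release asset paths look like /<owner>/<repo>/releases/download/<tag>/<asset>
        if len(parts) >= 4 and parts[2] == "releases" and parts[3] == "download":
            links.append({"url": url, "owner": parts[0], "repo": parts[1]})
    return links


def cross_account_release_links(repo_owner: str, readme_text: str):
    """Release links whose owner differs from the account hosting the README.

    In the layout the article describes, the phishing repository is re-pointed
    at a release on another account whenever the malware-serving account is
    banned, so a README that downloads from a different owner deserves a look.
    (Heuristic assumption for this example, not a documented indicator.)
    """
    return [link for link in release_links(readme_text)
            if link["owner"].lower() != repo_owner.lower()]


def triage(repo_owner: str, readme_text: str):
    """Return a list of findings for a README; an empty list means nothing fired."""
    findings = []
    for link in cross_account_release_links(repo_owner, readme_text):
        findings.append(f"release asset hosted by other account '{link['owner']}': {link['url']}")
    if re.search(r"\bpassword\b", readme_text, re.IGNORECASE):
        findings.append("README advertises a password for the download; "
                        "the archive contents cannot be scanned before extraction")
    return findings


if __name__ == "__main__":
    for finding in triage("ghost-template-acct", SAMPLE_README):
        print("[!]", finding)
```

Run against the sample README, the script reports both the cross-account release link and the advertised archive password. Legitimate projects do sometimes link to releases in a sibling organisation, so the output is a lead for review rather than a verdict.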
Malware distribution involves various methods and channels to spread malicious software to unsuspecting users. Attackers often use social engineering tactics, such as phishing emails and compromised websites, to lure victims into downloading infected files.
Password-protected archives are commonly used to bypass antivirus software, making detection and prevention more challenging. Once downloaded, the malware can execute harmful actions such as stealing sensitive information, corrupting data, or gaining unauthorized access to systems, highlighting the importance of vigilant cybersecurity practices and robust protective measures.
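Password-protected archives defeat scanning because the scanner cannot read the entry contents, but the archive header still states that the entries are encrypted, and that fact alone is enough to quarantine a download for manual review. The check below is an added example for this article, not code from any product or from the report it cites. It reads only the ZIP central directory and extracts nothing. The sample archive is constructed in memory with a plain-text payload, and its encryption bit is set by hand to stand in for a password-protected download.

```python
import io
import zipfile

# Bit 0 of the general-purpose flag in a ZIP entry header marks the entry as
# encrypted (PKWARE APPNOTE section 4.4.4). An encrypted entry cannot be
# inspected without the password, which is why scanners cannot look inside
# password-protected archives.
ENCRYPTED_FLAG = 0x0001


def encrypted_entries(archive_bytes: bytes):
    """Return the names of entries whose header carries the encryption flag.

    Only the central directory is read; nothing is extracted, so this is a
    safe first triage step on an untrusted download.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def should_quarantine(archive_bytes: bytes) -> bool:
    """Hold the archive for review if any entry is encrypted."""
    return bool(encrypted_entries(archive_bytes))


def build_sample_archive(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry ZIP holding plain text, not malware.

    With encrypted=True the encryption bit is set in the central directory
    entry so the archive presents itself the way a password-protected
    download does. The stored bytes are not actually encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("setup.exe", b"not a real executable")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Central directory file header: signature PK\x01\x02, then version
        # made by (2 bytes), version needed (2 bytes), flags at offset 8.
        idx = data.find(b"PK\x01\x02")
        flags = int.from_bytes(data[idx + 8:idx + 10], "little") | ENCRYPTED_FLAG
        data[idx + 8:idx + 10] = flags.to_bytes(2, "little")
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample_archive(flag)
        print("encrypted entries:", encrypted_entries(sample),
              "-> quarantine" if should_quarantine(sample) else "-> scan normally")
```

A real deployment would pair this with the other signals the article mentions, such as where the link to the archive came from, since encrypted archives also have legitimate uses.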
This event exemplifies the growing sophistication and scale of cyber threats, highlighting vulnerabilities even within trusted platforms like GitHub. The use of fake accounts and password-protected archives to distribute malware reflects a larger trend of attackers exploiting trusted services and sophisticated social engineering techniques to evade detection and maximize impact. This incident may be part of a broader development in which cybercriminals increasingly leverage reputable platforms and advanced methods to distribute malware, emphasizing the need for enhanced security protocols, user education, and collaboration between tech companies to identify and mitigate such threats effectively.
In cybersecurity, Distribution-as-a-Service (DaaS) refers to a service run by cybercriminals who distribute malware on behalf of other threat actors. This allows different malicious entities to leverage a centralized distribution network to reach a wider audience without setting up their own infrastructure.
Organizations should implement advanced threat detection systems, conduct regular security audits, and provide continuous cybersecurity training to their employees to recognize and respond to sophisticated social engineering attacks.
Users who suspect they have downloaded malware from such a repository should immediately disconnect their device from the internet, run a comprehensive antivirus scan, and consider restoring their system from a backup. They should also report the suspicious repository to GitHub for further investigation.