25 July 2024

Stargazer Goblin launch malware distribution-as-a-service via GitHub


A threat actor known as 'Stargazer Goblin' has orchestrated a sophisticated malware distribution-as-a-service (DaaS) operation using over 3,000 fake GitHub accounts. The campaign, discovered by Check Point Research, employs GitHub repositories and compromised WordPress sites to distribute password-protected archives laden with information-stealing malware.

Dubbed the Stargazers Ghost Network, the operation leverages various malware variants such as RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer.

The operation is believed to have started in August 2022, with the earliest activity of the core GitHub Ghost accounts suggesting initial development or testing. An advertisement for the service appeared on dark web forums on July 8, 2023, posted by an account created just a day earlier. Monitoring of campaigns between mid-May and mid-June 2024 revealed that Stargazer Goblin earned approximately $8,000. However, this is likely a fraction of their total earnings, estimated at around $100,000 over the operation's lifespan.

The Stargazers Ghost Network is part of a broader ecosystem of Ghost accounts operating across multiple platforms, constructing a larger DaaS universe. The research team identified over 2,200 malicious repositories associated with Ghost activities during the investigation. A campaign in January 2024 saw the distribution of Atlantida Stealer, a new malware family that steals user credentials, cryptocurrency wallets, and other personally identifiable information (PII). In just four days, this campaign infected over 1,300 victims.

Malicious links to the GitHub repositories were likely distributed via Discord channels, targeting victims looking to boost their followers on YouTube, Twitch, and Instagram, or seeking cracked software and crypto-related activities.

The Stargazers Ghost Network enhances its perceived legitimacy by “starring” and “verifying” malicious links through multiple GitHub accounts.

The network frequently repurposes identical tags and images, shifting the target audience from one platform or software to another, suggesting automated operations for efficiency and scalability.

Each Ghost-Stargazer within the network engages with multiple repositories, with a significant portion clearly involved in malicious activities.

“The network’s maintenance and recovery process appears to be automatic, detecting banned accounts/repositories and fixing them when necessary. Using different account roles ensures there is only minimal damage when and if GitHub takes action against accounts or repositories that violated its rules,” the researchers said.

