Stargazer Goblin Exploits GitHub for Malware Distribution
An ongoing cyber threat has emerged from a group known as Stargazer Goblin, which has established an extensive network of fraudulent GitHub accounts for the distribution of various types of information-stealing malware. Over the past year, this operation is estimated to have generated around $100,000 in illicit revenue. The attackers have created a formidable infrastructure comprising more than 3,000 accounts across thousands of repositories on the cloud-based code hosting platform.
According to Check Point, a cybersecurity firm that identified this operation, the network is referred to as the "Stargazers Ghost Network." The malicious accounts serve to share links to malware and other harmful content. Notable malware families that have been propagated through this scheme include Atlantida Stealer, Rhadamanthys, Lumma Stealer, RedLine, and RisePro. The bogus accounts not only distribute malware but also engage in seemingly legitimate activities, such as starring and forking repositories to bolster their credibility.
The network is suspected to have been operational since at least August 2022, although its full capabilities emerged in early July 2023. Security researcher Antonis Terefos indicated that the network effectively camouflages its malicious intentions under a veil of legitimacy. The accounts not only disseminate malware but also simultaneously enact behaviors identical to regular users, which helps obscure their true purpose.
To fortify their operation against detection and takedown by GitHub, different categories of accounts are allocated specific roles within the scheme. For instance, certain accounts are specifically designated to host phishing templates while others upload malware disguised as password-protected software or game cheats. When malicious accounts face bans, the operators adeptly modify their phishing repositories to maintain continuous access to their victims.
Interestingly, there is evidence suggesting that some of these accounts were previously compromised, with credentials likely obtained through stealer malware. Terefos noted a discernible pattern: while various accounts remain operative even after bans, certain accounts tied directly to repository content, such as commit and release accounts, are considerably more vulnerable to detection and removal.
One of the observed tactics involves redirecting victims to a malicious GitHub repository, which points to a PHP script on a compromised WordPress site that subsequently delivers an HTA file for executing malware via PowerShell. The encompassing strategy extends beyond just GitHub; the infrastructure uses similar ‘Ghost’ accounts across other platforms, including Discord, Facebook, Instagram, X (formerly Twitter), and YouTube.
The sophistication of this operation reflects a notable trend whereby attackers leverage legitimate platforms like GitHub to bypass scrutiny while actively executing their malicious objectives. The measures taken to create a layered defense across various accounts mean that disruptions to one aspect of their operation often do not significantly impede their overall capability.
In a broader context, this situation highlights ongoing vulnerabilities facing organizations involved with or using GitHub, especially given reports of threat actors targeting repositories for extortion. Recent incidents have featured phishing attacks that mislead developers into compromising their repositories under the pretense of job offers. Furthermore, there have been alarming revelations regarding the accessibility of sensitive data even from deleted forks and repositories, raising critical concerns about data security in development environments.
In light of these events, understanding the threat landscape through frameworks like the MITRE ATT&CK Matrix becomes imperative for cybersecurity professionals. Initial access techniques, persistence, and privilege escalation are among the tactics potentially employed by these threat actors. Consequently, it is vital for business owners to remain vigilant and proactive in safeguarding their digital assets against evolving cyber threats.
