A threat actor, Stargazer Goblin, has been caught setting up a network of around 3,000 fake GitHub accounts to run a distribution-as-a-service (DaaS) network that spreads different information-stealing malware. The attacker has reportedly made over $100,000 in profits from the network so far.
The accounts share 2,200 repositories with different malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. Based on the accounts, researchers believe that the network has been active since at least August 2022, although the first ads for the DaaS were published on the dark web on July 8, 2023.
The campaigns launched from the network are also highly effective. During a campaign in January 2024, the network distributed Atlantida Stealer, a new malware family that steals user credentials and crypto wallet along with other personally identifiable information (PII). The campaign lasted less than four days but was able to affect more than 1,300 victims.
GitHub has been used to deliver malicious code for a while now. Threat actors usually create a repository not intending to lure victims to it but to deliver code via automated scripts instead. The Stargazers Ghost Network, however, uses a different approach. It provides a malicious repository where a certain malicious link might be starred and verified by multiple GitHub accounts, adding more legitimacy.
While the underlying template has remained largely the same, and the network uses identical tags, the “target audience” is switched from one social media program to another. Cracked programs and game cheats are also being distributed using the same template, suggesting that the network operator has automated these activities, ensuring efficiency and scalability.
Researchers have also observed that the malicious repositories and Stargazer accounts remain relatively unaffected by GitHub bans and takedowns. Commit and Release accounts are usually banned when their malicious repositories are detected. The network roles are set up to avoid being caught by GitHub’s security measurements.
In the News: Proofpoint servers exploited to send millions of phishing emails