In a startling revelation, cybersecurity experts have uncovered a sophisticated malware distribution network known as the Stargazers Ghost Network.
Operated by the threat actor dubbed “Stargazer Goblin,” this elaborate scheme involves over 3,000 fake GitHub accounts used to disseminate a variety of information-stealing malware.
This operation, which has reportedly netted around $100,000 in illicit profits over the past year, employs a Distribution-as-a-Service (DaaS) model to perpetuate its activities.
The Structure and Functioning of Stargazers Ghost Network
The Stargazers Ghost Network is a massive operation built on the cloud-based code hosting platform GitHub. The network spans thousands of repositories where malicious links and malware are distributed.
This setup is designed to evade detection and maintain a facade of legitimacy. Check Point Research, which has identified and analyzed this network, notes that these fake accounts are involved in various activities including starring, forking, watching, and subscribing to repositories to make them appear genuine.
Among the malware families propagated by this network are Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The Stargazer Goblin group meticulously creates and maintains these fake accounts to support their malicious activities, often updating them to circumvent bans and detection.
Initially, threat actors used GitHub to distribute malware directly. However, their tactics have evolved significantly. Today, they operate a network of so-called “Ghost” accounts that distribute malware through seemingly innocuous links and encrypted archives. As security researcher Antonis Terefos explains, “This network not only distributes malware but also engages in activities that make these ‘Ghost’ accounts appear as normal users, lending a false sense of legitimacy to their actions.
The network’s strategy involves multiple accounts with different roles. One account might handle the phishing repository template, another provides images used in phishing schemes, and a third serves as the malware distributor. This division of labor ensures that the operation can quickly adapt to disruptions and continue its activities with minimal loss.
Impact and Reach of the Stargazers Ghost Network
The Stargazers Ghost Network has had a substantial impact. For instance, during a campaign in January 2024, the network distributed Atlantida Stealer, a new malware variant designed to steal user credentials and cryptocurrency wallets. Within just four days, over 1,300 victims were compromised. The network’s influence extends beyond GitHub, with similar ghost accounts operating across various platforms like Discord, Facebook, Instagram, X (formerly Twitter), and YouTube, creating an extensive DaaS ecosystem.
Check Point’s findings reveal that the network not only spreads malware but also manipulates GitHub’s features to enhance the credibility of its repositories. By using multiple accounts to “star” and interact with malicious repositories, they create an illusion of legitimacy, making it more likely that victims will download and execute malicious software.
The revelations about the Stargazers Ghost Network come amid other cybersecurity concerns. For instance, recent reports indicate that unknown actors are targeting GitHub repositories for extortion. These attacks involve phishing emails and fraudulent OAuth applications that wipe repository contents and demand ransom payments for restoration. Additionally, vulnerabilities related to Cross Fork Object Reference (CFOR) have been highlighted, showing that sensitive data can sometimes be accessed even from deleted or private repositories.
Joe Leon of Truffle Security notes, “A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork, including data from private and deleted forks. This underscores the importance of understanding the boundaries of data visibility on platforms like GitHub.”
