Stargazers Ghost Network Spreads Malware via 3,000 GitHub Accounts

Security experts at Check Point report that the Stargazer Goblin group has created a large-scale service for distributing malware, using over 3,000 GitHub accounts to deliver infostealers. The hackers’ service is called Stargazers Ghost Network. It leverages GitHub repositories and compromised WordPress sites to distribute password-protected archives containing malware. In most cases, the malicious software consists of infostealers, including RedLine, Lumma, Rhadamanthys, RisePro, and Atlantida.

Researchers note that this is the first time such a well-organized and large-scale criminal scheme has been discovered operating through GitHub.

“The campaigns run by Stargazers Ghost Network and the malware distributed through this service are extremely successful,” states the Check Point report. “In a short period, thousands of victims have installed software from seemingly legitimate repositories, unaware of the malicious intent. Victim-targeted phishing templates allow attackers to go after users with specific profiles and online accounts, making these infections even more valuable.”

Since June 2023, Stargazer Goblin members have been actively advertising their malware distribution service on the dark web. However, researchers found evidence of its activity as early as August 2022 and believe that since its launch, the hackers have earned over $100,000.

How Stargazers Ghost Network Operates

According to experts, Stargazer Goblin developed a scheme in which they create hundreds of repositories using 3,000 “ghost accounts.” These accounts add stars, create forks, and follow malicious repositories to boost their apparent legitimacy and increase the chances of appearing in GitHub’s trending section.

  • Ghost accounts: These accounts play different roles. One group is responsible for phishing templates, another for phishing images, and a third for the actual malware, giving the scheme resilience.
  • Repository names and tags: Malicious repositories use the names of real projects and tags targeting specific interests, such as cryptocurrencies, gaming, and social networks.

The third type of account, which distributes the malware, is more likely to be detected. When this happens, GitHub bans the account, repository, and related releases. In response, Stargazer Goblin updates the phishing repository from the first type of account with a link to a new active malicious release. This allows the scheme to continue operating with minimal disruption when a malware-distributing account is blocked.
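Check Point describes the star, fork and follow activity of the ghost accounts as the mechanism that makes a malicious repository look trustworthy. The following Python is an added example, not Check Point's tooling or anything from the report: it scores a repository's stargazers with a few simple indicators (account age, public repository count, follower count) and flags the repository when most of its stars come from accounts that look empty. The field names mirror GitHub's public user object, but the records, the thresholds and the reference time are constructed assumptions for the example.

```python
"""Heuristic check for star inflation by empty 'ghost' accounts.

Added example: the indicator set and thresholds are assumptions, not
anything published by Check Point or GitHub.
"""
from datetime import datetime, timezone

# Constructed reference time so the age calculation is deterministic.
NOW = datetime(2024, 7, 25, tzinfo=timezone.utc)

# Constructed stargazer records; field names follow GitHub's user object
# (login, created_at, public_repos, followers), values are invented.
SAMPLE_STARGAZERS = [
    {"login": "ghost-a1", "created_at": "2024-07-01T10:00:00Z", "public_repos": 0, "followers": 0},
    {"login": "ghost-b2", "created_at": "2024-07-03T08:12:00Z", "public_repos": 0, "followers": 0},
    {"login": "ghost-c3", "created_at": "2024-06-29T21:45:00Z", "public_repos": 1, "followers": 0},
    {"login": "ghost-d4", "created_at": "2024-07-10T02:30:00Z", "public_repos": 0, "followers": 1},
    {"login": "longtime-dev", "created_at": "2015-03-14T12:00:00Z", "public_repos": 42, "followers": 310},
    {"login": "maintainer-x", "created_at": "2019-11-02T09:00:00Z", "public_repos": 17, "followers": 58},
]


def _parse_ts(value):
    """Parse the ISO-8601 'Z' timestamp format GitHub returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ghost_indicators(user, now=NOW, min_age_days=30):
    """Return the list of ghost-account indicators a stargazer triggers.

    Assumed indicators: created within the last min_age_days, no public
    repositories, no followers.
    """
    age_days = (now - _parse_ts(user["created_at"])).days
    hits = []
    if age_days < min_age_days:
        hits.append("new-account")
    if user["public_repos"] == 0:
        hits.append("no-repos")
    if user["followers"] == 0:
        hits.append("no-followers")
    return hits


def assess_stargazers(stargazers, now=NOW, min_indicators=2, max_ratio=0.5):
    """Flag a repository when more than max_ratio of its stargazers look like
    ghost accounts (at least min_indicators indicators each)."""
    suspicious = [
        u["login"] for u in stargazers
        if len(ghost_indicators(u, now)) >= min_indicators
    ]
    ratio = len(suspicious) / len(stargazers) if stargazers else 0.0
    return {
        "total": len(stargazers),
        "suspicious": suspicious,
        "ratio": round(ratio, 3),
        "flagged": ratio > max_ratio,
    }


if __name__ == "__main__":
    result = assess_stargazers(SAMPLE_STARGAZERS)
    print(f"{len(result['suspicious'])}/{result['total']} stargazers look like ghost accounts "
          f"(ratio {result['ratio']}), flagged={result['flagged']}")
```

Star counts alone are exactly what this scheme games, so a check like this treats them as a claim to verify rather than a trust signal; a high ratio is a prompt for manual review of the repository, not proof of malice, since new genuine users also start with empty profiles.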

Distribution Methods and Attack Flow

Check Point reports that they found a YouTube tutorial for an unnamed program that linked to one of Stargazers Ghost Network’s GitHub repositories. Researchers believe this could be one of many channels used to redirect traffic to phishing repositories and malware-distributing sites.

In one example provided by the researchers, a GitHub repository redirected visitors to a compromised WordPress site, where victims were prompted to download a ZIP archive containing an HTA file with VBScript. This VBScript initiated two PowerShell scripts, ultimately deploying the Atlantida infostealer on the user’s system.

Attack Flow Overview

  1. User visits a GitHub repository or follows a link from a tutorial.
  2. The repository redirects to a compromised WordPress site.
  3. The victim downloads a password-protected ZIP archive.
  4. The archive contains an HTA file with VBScript.
  5. The script runs PowerShell commands to install the infostealer.
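The chain above ends with an HTA file, run by mshta.exe, launching PowerShell. That parent-child relationship is a practical detection point for defenders. The Python below is an added example, not code from Check Point or from the report: it walks a small set of constructed process-creation events (Sysmon-style fields, invented values) and reports every powershell.exe whose ancestry within a few hops includes mshta.exe, while leaving an ordinary cmd-launched PowerShell alone. The event format and the depth limit are assumptions for the example.

```python
"""Find powershell.exe processes descended from mshta.exe in process-creation
telemetry. Added example; the events below are constructed, not real logs."""

# Constructed process-creation events: pid, parent pid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # HTA opened from an extracted archive, as in the described chain
    {"pid": 4312, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\victim\Downloads\Setup\Setup.hta"'},
    # first PowerShell stage spawned by the HTA's VBScript
    {"pid": 4520, "ppid": 4312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -File stage1.ps1"},
    # second PowerShell stage spawned by the first
    {"pid": 4611, "ppid": 4520,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -File stage2.ps1"},
    # benign: an administrator opening PowerShell from a command prompt
    {"pid": 4990, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 5000, "ppid": 4990,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]


def _basename(image):
    """Lower-cased file name of an image path, tolerant of either separator."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_mshta_powershell_chains(events, max_depth=4):
    """Return one hit per powershell.exe that has mshta.exe as an ancestor
    within max_depth parent hops. Each hit records both pids, the hop count
    and the HTA command line so an analyst can see what was launched."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if _basename(event["image"]) != "powershell.exe":
            continue
        current, depth = event, 0
        while current["ppid"] in by_pid and depth < max_depth:
            parent = by_pid[current["ppid"]]
            depth += 1
            if _basename(parent["image"]) == "mshta.exe":
                hits.append({
                    "powershell_pid": event["pid"],
                    "mshta_pid": parent["pid"],
                    "depth": depth,
                    "hta_cmdline": parent["cmdline"],
                })
                break
            current = parent
    return hits


if __name__ == "__main__":
    for hit in find_mshta_powershell_chains(SAMPLE_EVENTS):
        print(f"powershell pid {hit['powershell_pid']} is {hit['depth']} hop(s) "
              f"below mshta pid {hit['mshta_pid']}: {hit['hta_cmdline']}")
```

Walking the ancestry rather than checking only the immediate parent is what catches the second PowerShell stage, which the text says the first script launches; the depth limit keeps the walk from attributing every process on the host to a long-lived mshta.exe. On real telemetry the same logic applies to Sysmon event ID 1 or equivalent EDR process events, and mshta.exe launching script interpreters at all is rare enough in most environments to be worth an alert.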

Ongoing Threats and GitHub’s Response

While GitHub’s security team is actively fighting the numerous malicious repositories (removing over 1,500 since May 2024), Check Point notes that more than 200 repositories remain active and continue to distribute malware.
