Malware crew Stargazers Goblin used 3,000 GitHub accounts to make bank

May even have targeted other malware gangs, and infosec researchers


Infosec researchers have discovered a network of over three thousand malicious GitHub accounts used to spread malware, targeting groups including gamers, malware researchers, and even other threat actors who themselves seek to spread malware.

The research, penned by Antonis Terefos of Check Point Software, named the collection of GitHub accounts "Stargazer Ghost Network" and asserted it's operated by a threat actor the cyber security firm labelled "Stargazer Goblin."

Whatever it's called, the motley crew behind this effort has adopted two novel tactics.

One is phishing without email. Terefos opined that email is viewed with suspicion, so Stargazer Goblin posts nasty links on services such as Discord. Targets are folks who "wanted to increase their 'followers audience' in Twitch, Instagram, YouTube, Twitter, Trovo, and TikTok or use other tool-related features for Kick Chat, Telegram, Email, and Discord."

If those targets click on a link, they encounter Stargazer Goblin's second evil innovation: a network of deceptively harmless GitHub accounts. In reality the accounts perform discrete functions that help spread malware, but aren't so obviously evil that the coding collaboration service shuts them down.

Some of the repositories are even starred, forked, or watched by other accounts in the network, giving them an air of legitimacy.

But they contain danger. The researcher observed that some of the repositories contained a README.md file with "a phishing download link that does not even redirect to the repository's own releases. Instead, it uses three GitHub Ghost accounts with different 'responsibilities'."

  1. The first account serves the "phishing" repository template;
  2. The second account provides the "image" used for the phishing template;
  3. The third account serves malware as a password-protected archive in a Release.

And when victims access that archive … you know what comes next.

The multi-account structure means Stargazer Goblin can "quickly 'fix' any broken links that may occur due to accounts or repositories being banned for malicious activities," Terefos wrote. Because each role is held by a separate account, a takedown removes only one link in the chain; the operator can swap in a replacement account, probably using automation, so banning individual accounts does not disrupt the malware-distribution operation.
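The tell-tale sign in that three-account layout is a README whose download link leaves the repository it sits in. The following is an added example, not Check Point's tooling or anything from the Stargazer research: a small Python check that pulls the URLs out of a README, and flags release downloads and images that are served from a different owner/repository than the one being inspected, plus the "archive password" hint that usually accompanies a password-protected payload. The sample README and all account and repository names in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample README (hypothetical names), modelled on the pattern
# described above: the front repository's README links to an image hosted by
# one other account and to a release archive hosted by a third account.
SAMPLE_README = """# Follower Booster Pro

Grow your Twitch / TikTok / YouTube audience automatically.

![screenshot](https://raw.githubusercontent.com/ghost-images-acct/assets/main/shot.png)

## Download
[Download latest version](https://github.com/ghost-release-acct/payload-repo/releases/download/v1.0/Booster.zip)

Password for the archive: 1234
"""

GITHUB_HOSTS = {
    "github.com",
    "www.github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
}

MD_LINK = re.compile(r"\[[^\]]*\]\((https?://[^)\s]+)\)")   # [text](url) and ![alt](url)
BARE_URL = re.compile(r"https?://[^\s)\]>\"']+")            # URLs pasted without markdown
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".exe", ".msi")


def extract_urls(markdown: str) -> list[str]:
    """Return every http(s) URL in the README, markdown links first, de-duplicated in order."""
    seen: list[str] = []
    for m in MD_LINK.finditer(markdown):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    for m in BARE_URL.finditer(markdown):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def github_owner_repo(url: str):
    """(owner, repo) for a GitHub-hosted URL, or None for anything else."""
    p = urlparse(url)
    if p.hostname not in GITHUB_HOSTS:
        return None
    parts = [x for x in p.path.split("/") if x]
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def find_suspicious_links(markdown: str, home_owner: str, home_repo: str) -> list[dict]:
    """Flag links whose hosting account/repository differs from the README's own."""
    home = (home_owner, home_repo)
    findings = []
    for url in extract_urls(markdown):
        p = urlparse(url)
        path = p.path.lower()
        owner_repo = github_owner_repo(url)
        reasons = []
        # A release asset served from another repository: the third "ghost" role.
        if "/releases/download/" in path and owner_repo != home:
            reasons.append("release download hosted on a different repository")
        # Images pulled from another account's repository: the second "ghost" role.
        if p.hostname == "raw.githubusercontent.com" and owner_repo and owner_repo != home:
            reasons.append("image/asset served from another account")
        # Binaries that leave GitHub entirely are worth a look too.
        if path.endswith(ARCHIVE_EXT) and p.hostname not in GITHUB_HOSTS:
            reasons.append("binary/archive hosted off GitHub")
        if reasons:
            findings.append({"url": url, "owner_repo": owner_repo, "reasons": reasons})
    return findings


def mentions_archive_password(markdown: str) -> bool:
    """Password-protected archives defeat scanning; a password in the README is a red flag."""
    return re.search(r"\bpassword\b", markdown, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Pretend the README above lives in ghost-front-acct/follower-booster (hypothetical).
    for f in find_suspicious_links(SAMPLE_README, "ghost-front-acct", "follower-booster"):
        print(f["url"], "->", "; ".join(f["reasons"]))
    print("archive password in README:", mentions_archive_password(SAMPLE_README))
```

Run against the constructed README it reports both the cross-account image and the cross-repository release archive, and notes the password hint; a README whose download link stays within its own repository's Releases produces no findings. The check is a triage aid, not a verdict: a legitimate project can host assets elsewhere, but a "tool" whose only download is a password-protected archive on someone else's account matches the pattern described above closely enough to warrant not running it.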

Generative AI might have also been used to create legitimate-looking repositories and accounts – and perhaps to even create custom responses to real users.

It works, dammit

One such campaign was highly successful. Over a four-day period in January 2024, Check Point observed the Stargazer Ghost Network distribute Atlantida stealer – a novel malware family that steals user credentials and cryptocurrency wallets along with other personally identifiable information – and secure over 1,300 infections.

Around the same time, another campaign was launched to spread Rhadamanthys across repositories that were ostensibly for cracked software and crypto trading tools. Over a thousand users downloaded the malware in two weeks, the researchers claim, based on a statistics page they found on the host website for the malware.

Terefos thinks some of the group's campaigns may even have targeted infosec researchers, or rival malware gangs, as the phishing link led to a cracked version of the known infostealer RisePro that had been modified to spread malware.

Whatever the target, the effort has proven lucrative: Terefos thinks this malware business has made about $100,000 over the last year.

But that's just for GitHub – the researchers suspect the group might be operating on other websites as well. This is potentially indicated by a GitHub repository that linked to a YouTube tutorial on how to install a program that's actually malware. The study also suggests that the Atlantida campaign targeted users interested in social media in order to acquire accounts on other platforms, which can be used to spread malware just like GitHub.

In a statement to The Register, a GitHub spokesperson said the platform "… is committed to investigating reported security issues. We disabled user accounts in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harm." ®
