A threat actor known as Stargazer Goblin has established a network of fake GitHub accounts to run a Distribution-as-a-Service (DaaS) operation, spreading various information-stealing malware and earning $100,000 in illicit profits over the past year.
This network, dubbed “Stargazers Ghost Network”, comprises over 3,000 accounts on GitHub. These accounts manage thousands of repositories used to share malicious links or malware.
Among the malware families propagated through this method are Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The fake accounts also engage in activities like starring, forking, watching, and subscribing to malicious repositories to make them appear legitimate.
The network has likely been active since August 2022, with an advertisement for the DaaS surfacing on the dark web in early July 2023.
“Threat actors now operate a network of ‘Ghost’ accounts that distribute malware via malicious links on their repositories and encrypted archives as releases,” explained security researcher in a recent analysis.
These “Ghost” accounts not only distribute malware but also engage in various activities to appear as normal users, lending fake legitimacy to their actions and the associated repositories.
Different categories of GitHub accounts handle distinct aspects of the scheme, making the infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged.
These categories include accounts that serve the phishing repository template, accounts providing images for the phishing template, and accounts pushing malware to the repositories as password-protected archives masquerading as cracked software and game cheats.
If the third set of accounts is detected and banned by GitHub, Stargazer Goblin updates the first account’s phishing repository with a new link to an active malicious release, allowing the operation to continue with minimal disruption.
Besides liking new releases from multiple repositories and committing changes to the README.md files to modify download links, some accounts in the network have been previously compromised, with credentials likely obtained via stealer malware.
One campaign involves a malicious link to a GitHub repository that points to a PHP script hosted on a WordPress site, which then delivers an HTML Application (HTA) file to execute Atlantida Stealer via a PowerShell script.
Other malware families propagated via the DaaS include Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Researcher noted that the GitHub accounts are part of a larger DaaS solution that operates similar “Ghost” accounts on platforms like Discord, Facebook, Instagram, X, and YouTube.
“Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is considered a legitimate website. This operation bypasses suspicions of malicious activities and minimizes and recovers any damage when GitHub disrupts their network,” Researcher said.
The development comes as unknown threat actors target GitHub repositories, wiping their contents, and asking victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.
This social engineering attack targets developers with phishing emails sent from “notifications@github.com,” tricking them into clicking bogus links under the guise of a job opportunity at GitHub. The victims are then prompted to authorize a new OAuth app that erases all the repositories and demands payment to restore access.
In other words, code committed to a public repository may be accessible forever as long as at least one fork of that repository exists. This could also be used to access code committed between the time an internal fork is created and the repository is made public.
These are intentional design decisions by GitHub, as noted in the company’s documentation:
– Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository.
– When a private repository is changed to public, all commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone.
To protect against malware distributed through fake GitHub accounts, ensure you only download software from trusted and verified sources. Regularly review permissions for third-party apps connected to your GitHub account. Keep your software and security tools updated, and be cautious of unexpected communications or changes in repositories you follow.