A recent discovery by Check Point Research (CPR) has shed light on a new method employed by a threat actor known as “Stargazer Goblin” to distribute malware and malicious links using GitHub. Unlike traditional tactics of hosting malware on GitHub and enticing users to download infected code packages through phishing emails, Stargazer Goblin’s approach involves deploying a large network of inauthentic accounts to promote malicious repositories as legitimate.
According to CPR researchers, the Stargazer Goblin group operates a malware distribution-as-a-service (DaaS) network called the Stargazers Ghost Network, comprising more than 3,000 active GitHub accounts. Interestingly, only a small proportion of these accounts actually distribute malware, while the rest are utilized to make the rogue repositories seem authentic. The group employs various tactics, such as “starring,” forking, and subscribing to malicious repos using the inauthentic accounts to create an illusion of credibility.
Starring, forking, and watching repositories on GitHub are actions that users typically undertake to express appreciation for a project, propose modifications, or stay updated on its developments. The more stars, forks, and watchers a repository has, the more trustworthy it appears to users. Stargazer Goblin leverages this perception to make their malicious repositories appear legitimate to unsuspecting victims.
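The checks a defender can run against that perception, as an added example that is not part of CPR's report or tooling: given the stargazer list of a repository (record fields here are modeled on what GitHub's API exposes, but the accounts, dates and thresholds are constructed assumptions), it scores how many stargazers are empty accounts, how many were registered just before starring, and how tightly the stars cluster in time, which are the three properties the Ghost Network's "starring" accounts share.

```python
from datetime import datetime, timedelta


def make_star(login, created_at, starred_at, public_repos, followers):
    """Build one stargazer record (field names modeled on GitHub's API; constructed data)."""
    return {"login": login, "created_at": created_at, "starred_at": starred_at,
            "public_repos": public_repos, "followers": followers}


# Constructed sample: 20 empty, same-day accounts starring within one hour, plus one real-looking user.
SUSPICIOUS = [make_star(f"ghost{i:02d}", "2024-03-10", f"2024-03-12T10:{i:02d}:00Z", 0, 0)
              for i in range(20)]
SUSPICIOUS.append(make_star("realdev", "2016-07-01", "2024-05-02T09:00:00Z", 40, 120))

# Constructed sample: accounts of varied age with repos/followers, stars spread over months.
ORGANIC = [make_star(f"dev{i:02d}", f"{2012 + i % 10}-06-01",
                     f"2024-{1 + i % 12:02d}-{1 + i:02d}T12:00:00Z", 3 + i, 2 * i)
           for i in range(20)]


def assess_stargazers(stars, window=timedelta(hours=1), new_account_days=30):
    """Score three signals of inauthentic starring; each is a fraction of all stargazers."""
    n = len(stars)
    if n == 0:
        return {"empty_ratio": 0.0, "young_ratio": 0.0, "burst_ratio": 0.0}
    created = [datetime.strptime(s["created_at"], "%Y-%m-%d") for s in stars]
    starred = [datetime.strptime(s["starred_at"], "%Y-%m-%dT%H:%M:%SZ") for s in stars]
    # Accounts with no public repos and no followers: typical of throwaway "ghost" accounts.
    empty = sum(1 for s in stars if s["public_repos"] == 0 and s["followers"] == 0)
    # Accounts created shortly before they starred: mass-registered for the campaign.
    young = sum(1 for c, t in zip(created, starred) if (t - c).days <= new_account_days)
    # Largest number of stars landing inside any sliding time window: scripted star bursts.
    ordered = sorted(starred)
    burst, j = 0, 0
    for i in range(n):
        while ordered[i] - ordered[j] > window:
            j += 1
        burst = max(burst, i - j + 1)
    return {"empty_ratio": empty / n, "young_ratio": young / n, "burst_ratio": burst / n}


def looks_inflated(stars, threshold=0.5):
    """Flag a repository when at least two signals exceed the (assumed) threshold."""
    signals = assess_stargazers(stars)
    return sum(1 for v in signals.values() if v >= threshold) >= 2


if __name__ == "__main__":
    for name, stars in (("suspicious", SUSPICIOUS), ("organic", ORGANIC)):
        print(name, assess_stargazers(stars), "inflated" if looks_inflated(stars) else "ok")
```

A single high signal (for example one star burst after a conference talk) is normal; it is the combination of empty, freshly registered accounts starring together that matches the pattern described above.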
Antonis Terefos, a researcher at CPR, emphasized the evolution of malware distribution on GitHub through the Stargazers Ghost Network. Instead of explicit indications of malicious content, the group relies on organic actions by accounts, such as starring and forking repositories, to deceive users into trusting and downloading malware-infested files.
Since at least August 2022, Stargazer Goblin has been distributing various malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer, using its rogue GitHub accounts. The group even offers services within the Stargazers Ghost Network, charging fees to “star” repositories with multiple accounts or providing aged repositories to enhance trustworthiness.
CPR’s investigation suggests that Stargazer Goblin’s operation extends beyond GitHub, encompassing platforms like Twitter, YouTube, Discord, Instagram, and Facebook. By utilizing these platforms, the threat actor aims to legitimize malicious activities and distribute links and malware through a variety of content, including posts, repositories, videos, tweets, and channels.
Terefos highlighted the Stargazers Ghost Network’s use of search optimization techniques to elevate the visibility of their repositories on GitHub. Additionally, the threat group has utilized platforms like Discord to promote malicious repositories as sources for game mods, cracked software, trading tools, and other deceptive offerings.
In light of recent cybersecurity events, such as the CrowdStrike incident, Terefos warned of the potential risk posed by users stumbling upon malicious repositories while seeking solutions. By leveraging the credibility established through fake endorsements on GitHub, threat actors like Stargazer Goblin can infect unsuspecting users with malware under the guise of providing legitimate fixes or solutions.
The evolving tactics of threat actors like Stargazer Goblin highlight the need for heightened vigilance and cybersecurity awareness among users navigating online platforms. As malicious actors continue to exploit social engineering techniques and bogus endorsements to distribute malware, it is crucial for individuals and organizations to exercise caution and implement robust security measures to mitigate the risks associated with such threats.
