'Stargazer Goblin' Amasses Rogue GitHub Accounts to Spread Malware

A threat actor known as "Stargazer Goblin" has found a new way to leverage GitHub to distribute malware and malicious links to unsuspecting users.

Instead of hosting malware on GitHub and then luring users to inadvertently download an infected code package (by getting them to click on a malicious link in a phishing email, for instance), the new tactic involves convincing victims that malicious repositories are legitimate via a socially engineered influence operation involving thousands of inauthentic accounts.

Researchers from Check Point Research (CPR) who uncovered the operation noted in a report this week that the adversary's end game is running a malware distribution-as-a-service (DaaS) network dubbed Stargazers Ghost Network, currently comprised of more than 3,000 active GitHub accounts.

A Large Network of Rogue Accounts

The threat group is using a relatively small number of these accounts to actually distribute the malware and malicious links, and the remaining ones are the inauthentic accounts that are being used to make the rogue repositories appear legitimate. Their tactics for doing so have included using the inauthentic accounts to star, fork, and subscribe to the malicious repos, in order to give them a veneer of innocence.

Starring, which gives the group its name, is a way to bookmark repositories on GitHub to make them easier to find in the future, and also as a way to show appreciation for a particular project. Forking is about creating an identical copy of another GitHub project as a way to propose changes to the project or to build on it for your own purposes; and watching is basically a way of keeping abreast of the latest developments in a project. Just as with applications on mobile app stores, users tend to perceive GitHub projects with more stars, forks, and watchers as being more credible — and trustworthy — than others.

"In the past, malware was hosted on GitHub, though the repositories that hosted malware never suggested that a normal user would land, trust, download, and execute the hosted sample," says Antonis Terefos, a researcher at CPR. "Currently, via the Stargazers Ghost Network, we are experiencing a new era of malware distribution utilizing accounts to act organically by starring [and] forking malicious repositories [to make them appear] as legitimate to normal users."

Stargazer Goblin's Distribution-as-a-Service Play

Since at least August 2022, and likely even earlier, Stargazer Goblin has used its rogue GitHub accounts to distribute a variety of malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer. A Stargazers Ghost Network advertisement from July 2023 — in English and Russian — that CPR researchers found on a Dark Web forum showed the threat actor charging $10 to "star" a repository with 100 accounts, and $2 to provide an account with an empty "aged" repository, which generally is more trusted than a brand-new one.

CPR also said that the operation likely extends well beyond GitHub.

"We believe that Stargazer Goblin created a universe of Ghost Network accounts operating across various platforms such as GitHub, Twitter, YouTube, Discord, Instagram, Facebook, and many others," CPR said in its report. "Similar to GitHub, other platforms can be utilized to legitimize malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets, and channels, depending on the features each platform offers."

Terefos says the majority of repositories on the Stargazers Ghost Network use tags that ensure they surface at the top of GitHub searches when users are looking for something. The threat group has also used services, such as Discord, to promote the malicious repositories as places where users can get game mods, cracked software such as Adobe and VPN software, and free trading, AI, and coin-mining tools.

"Since last week's CrowdStrike event, which threat actors have been trying to take advantage of, we have been monitoring for CrowdStrike 'drive-fixes' repositories, on the Ghost Network. So far, there have been none," Terefos says. "[But] this could be an example of how a user could land on a malicious repository by searching on GitHub for how to perform the [CrowdStrike] fix. The user would see that the repository has been starred by multiple other accounts, indicating that the provided 'fix/repo' works. Instead, the user is being infected with malware."