Microsoft-owned GitHub is haunted by ghost accounts spreading malware

Check Point Research has uncovered a network of GitHub accounts, dubbed the "Stargazers Ghost Network," that distributes malware via phishing repositories. This sophisticated operation, tracked under the name "Stargazer Goblin," acts as a Distribution as a Service (DaaS) model, allowing threat actors to share malicious links and software.

The network consists of over 3,000 active accounts that perform activities such as starring, forking, and subscribing to malicious repositories to make them appear legitimate. This tactic helps lure victims into downloading malware. The types of malware distributed include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.

The operation appears to have begun on a smaller scale in August 2022, with public advertisements for the service emerging in July 2023. From mid-May to mid-June 2024 alone, Check Point Research estimates the network earned approximately $8,000, with total profits since its inception likely reaching around $100,000.

The Microsoft owned GitHub has been a platform for distributing malicious code for some time, but the Stargazers Ghost Network represents an evolution in these tactics, Check Point says. The network creates an illusion of legitimacy through the high number of "stars" and interactions with repositories. These repositories often contain phishing templates with malicious download links that redirect to encrypted archives, evading detection.

In one specific campaign, the network distributed Atlantida stealer, infecting over 1,300 victims in less than four days. The malicious links were likely shared through platforms like Discord, targeting users interested in increasing their followers on social media.

“It’s alarming to see how a large source code platform like GitHub, with more than 14 million visitors per day, is being utilized for malware distribution, especially by a well-organized one like Stargazers Ghost Network,” said Alexander Chailytko, Cyber Security, Research & Innovation Manager, Check Point Research. “Considering precise targeting, this threat could affect a vast number of victims worldwide, with more impactful consequences in addition to possible ransomware infections, stolen credentials, and compromised cryptocurrency wallets. This is because we were also able to identify a similar looking campaign operating on YouTube video hosting, which makes us believe there is a switch in malware Distribution as a Service approach, leveraging more popular platforms to propagate infections to as many users as possible in a more covert way, with this GitHub account network being part of a wider scheme of malicious distribution.”