Inside the Operations of Stargazer Goblin: Unveiling the Malicious Repositories

Chinese espionage groups

Check Point has uncovered a network of 3,000 fake accounts on GitHub, actively disseminating malicious programs and phishing links. The activities began at least as early as May of the previous year.

The most prolific cybercriminal, dubbed Stargazer Goblin, utilizes the platform to host malicious repositories. The campaign’s hallmark is its ability to make these repositories appear legitimate by adding stars (akin to likes), forks (similar to retweets), and subscriptions. The trade of repositories and “stars” is coordinated through Telegram channels and the dark web.

Stargazer Goblin

Stargazer Ghost account.

The Stargazers Ghost Network spreads malicious repositories that offer tools for social media, gaming, and cryptocurrency. These repositories purportedly provide VPN access codes or Adobe Photoshop licenses, primarily targeting Windows users. The perpetrators aim to attack victims searching for free software.

The network operator sells their services to other hackers, branding it as Distribution-as-a-Service (DaaS). The network distributes various types of malware, including ransomware and infostealers such as Atlantida Stealer, Rhadamanthys, and Lumma Stealer.

Check Point suspects the network is more extensive than it appears, as legitimate GitHub accounts compromised with stolen credentials participate in the campaign. The total earnings of the criminal from this operation are estimated to be around $100,000.

TikTok, YouTube, Twitch, Instagram, … with the same phishing template

According to experts, the network’s activities—stars and page views—are likely automated, given the rapid processing of repositories created from a single template. Detecting such activity is challenging, as the accounts’ behavior mimics that of ordinary GitHub users.

Stargazer Goblin has orchestrated a sophisticated operation to spread malware, evading detection due to GitHub’s high trust level. This enables the avoidance of suspicion and quick recovery when GitHub disrupts the network. By using multiple accounts and profiles for different tasks (starring, hosting repositories, committing phishing templates, hosting malicious releases), the Stargazers Ghost Network minimizes losses when GitHub takes action, as usually only a part of the operation is disrupted, not all accounts.

Related Posts: