Researchers discover “highly sophisticated’ operation using a 3,000-strong network of ghost accounts to spread malware on GitHub

A threat collective known as Stargazer Goblin is covertly distributing malware and phishing links via a ‘highly sophisticated’ network of ghost accounts on GitHub, new research reveals.

These ghost accounts, dubbed the Stargazers Ghost Network, pretend to host code for free software online, such as virtual private networks (VPNs) or video editing tools, predominantly targeting Windows users, according to a report from Check Point Research.

Antonis Terefos, a security researcher at Check Point, described the network as a distribution as a service (DaaS) operation, allowing hackers to share malicious links and malware to be distributed via “highly victim oriented phishing repositories”.

Terefos warned that their latest calculations suggest there are over 3,000 active Ghost accounts in the network distributing a variety of malware families including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and Redline.

These ghost accounts are used to lend credibility to other malicious accounts and repositories by starring, following, forking, and watching the pages, making them appear more trustworthy.

Check Point said it discovered an advertiser listing its services on the dark web on 8 July 2023, as well as performing any other requested actions on GitHub. Starring a repository with 100 accounts, for example, would set you back $10 (£7.76).

Using this information and the number of repositories and actions that occurred between May and June 2024, Check Point calculated Stargazer Goblin made $8,000 (£6,209), which it suggested is only a fraction of the actual profit the group made.

“Considering that Stargazers Ghost Network has operated publicly since July 2023 and likely on a smaller scale since August 2022, we estimate the total profit to be approximately $100,000 [(£77,600)] for the entire lifespan of Stargazers Ghost Network.”

Stargazer Goblin able to manipulate GitHub in novel ways

Hackers abusing code-hosting platforms is not a new phenomenon, with examples of cyber criminals disguising malicious code using the names of popular GitHub repositories earlier in 2024.

Researchers from Checkmarx found threat actors were using GitHub’s Action tool to frequently update their malicious repositories, making very minor changes, to boost its visibility, as well as creating fake accounts to promote them, much like Stargazer Goblin.

A report issued by Lasso Security in April 2024 detailed how hackers were using frequently hallucinated package recommendations from chatbots like ChatGPT to disguise their payloads, hoping to catch out developers using LLMs to assist with their coding.

When testing the method using an empty package with a fake name resembling a Python package, one researcher found the fake package received over 30,000 authentic downloads in just three months.

Take control of your data security

Terefos noted hackers have been using GitHub as a platform to distribute malicious content for a while, but the Stargazer Ghost Network exhibits a new level of sophistication.

“The Stargazers Ghost Network changes the game by providing a malicious repository where a malicious link is ‘starred’ and ‘verified’ by multiple GitHub accounts, thereby supporting its legitimacy.”

Terefos said he had never seen a ghost network operating in this manner on GitHub before, noting the operation’s ability to recover from takedown attempts.

“Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts.”

He added it is more than likely there are other ghost accounts operating on other platforms including Twitter, YouTube, Discord, and Instagram, as part of a larger DaaS operation, suggesting future accounts could use AI to generate more targeted and diverse content.