A secretive phishing network on GitHub is distributing malware


Researchers from Check Point have unveiled a “never seen before” sophisticated malicious operation on GitHub. A phishing ring, dubbed Stargazers Ghost Network, is spreading malware and targeting gamers, social media enthusiasts, and crypto holders via malicious repositories.

Microsoft-owned GitHub is the largest open-source host, serving 100 million developers and more than 420 million repositories, and a crucial collaboration tool for software developers.

Phishers try to exploit that reach and trust by creating fake accounts and repositories to distribute malware and malicious links.


“This type of operation, where fake accounts are instrumented to organically perform phishing attacks to distribute malware, has never been seen before,” Check Point Researchers said in the report.

The network operator was identified as “Stargazer Goblin.” This threat actor was first spotted in June 2023 through advertisements on the dark web that listed prices for each action.

“The sophistication of this network lies in its ability to make malicious repositories appear legitimate through actions like starring (“liking”), forking (“retweeting”), and subscribing,” Check Point said.

Fake accounts may own repositories that contain malicious links, boost those repositories with other fake accounts, and publish the malicious releases themselves.
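The boosting pattern described above (stars and forks from a pool of controlled accounts) can be checked from the defender's side by looking at who the stargazers are. The following is an added example, not code from the article or from Check Point: it scores a repository's stargazers with simple heuristics (young accounts, no repositories, no followers, stars arriving in a burst) over constructed sample metadata; the `Stargazer` fields, thresholds and sample accounts are assumptions, not real data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed stargazer metadata, shaped like the fields a public GitHub
# user profile exposes. No real accounts are referenced.
@dataclass
class Stargazer:
    login: str
    created: date       # account creation date
    public_repos: int
    followers: int
    starred_at: date    # when this account starred the repo under review

def is_ghost_like(s: Stargazer, min_age_days: int = 90) -> bool:
    """Heuristic (assumed thresholds): a ghost-like account is young,
    owns nothing, has no audience, and starred soon after creation."""
    young = (s.starred_at - s.created).days < min_age_days
    empty = s.public_repos == 0 and s.followers == 0
    return young and empty

def audit_stargazers(stars: List[Stargazer], threshold: float = 0.5) -> Dict:
    """Return the share of ghost-like stargazers and the largest number of
    stars landing on a single day (a burst), which is the signature of a
    controlled account pool rather than organic interest."""
    if not stars:
        return {"ghost_ratio": 0.0, "burst": 0, "suspicious": False}
    ghosts = [s for s in stars if is_ghost_like(s)]
    per_day: Dict[date, int] = {}
    for s in stars:
        per_day[s.starred_at] = per_day.get(s.starred_at, 0) + 1
    ratio = len(ghosts) / len(stars)
    return {"ghost_ratio": round(ratio, 2),
            "burst": max(per_day.values()),
            "suspicious": ratio >= threshold}

# Constructed sample: six fresh, empty accounts star the repo on the same
# day, alongside two accounts that look organic.
D = date(2024, 6, 1)
SAMPLE = [Stargazer(f"fresh{i}", D - timedelta(days=3), 0, 0, D) for i in range(6)]
SAMPLE += [
    Stargazer("longtime_dev", date(2015, 3, 2), 42, 120, D - timedelta(days=40)),
    Stargazer("hobbyist", date(2021, 9, 9), 5, 3, D - timedelta(days=12)),
]

if __name__ == "__main__":
    print(audit_stargazers(SAMPLE))
```

With real data the same check runs over the stargazer list of a repository; a high ghost ratio combined with a one-day burst is a reason to distrust the star count as a signal of legitimacy.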

The network focuses on specific groups of victims, targeting them with tailored phishing templates and tags.

Targeted interests vary and include social media, gaming, cryptocurrency, and many others.

Researchers warn that the threat actor could cause significant harm to users by spreading ransomware infections, stealing credentials, or compromising crypto wallets.

“Those GitHub repositories currently target mainly Windows users, though similar malware distribution methods can be used to target Linux or Android users, all of whom also have large user databases, marking a greater impact on the community,” researchers said.


Based on monitored activity from mid-May to mid-June, in less than a month, Stargazer Goblin earned approximately $8,000.

Since August 2022, when the network started its activities, the earnings from more than 3,000 GitHub ghost accounts could be more than $100,000, researchers estimate.

The network operates as a Distribution as a Service (DaaS), delivering various malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.

“We consider it highly probable that GitHub Ghost accounts are just the tip of the iceberg and only one part of the grand picture, with other Ghost accounts operating on other Platforms like Twitter, YouTube, Discord, Twitch, Instagram, and others,” Check Point researchers said. They identified a similar YouTube Ghost account that was distributing malicious links.

Previously, Cybernews found that one-fifth of repositories on Docker Hub contained malicious content.

Users on all platforms should be wary of any links containing executables, as even reputable repositories can be compromised and distribute malware.