2024-08-29

A Hacker Ghost Network Is Quietly Spreading Malware on GitHub

Cybersecurity researchers have spotted a 3,000-account network on GitHub that is manipulating the platform and spreading ransomware and info stealers.


Unveiling the Hidden Threat: How a Secret Network on GitHub is Spreading Malware

In the ever-evolving world of cybersecurity, threats continue to surface in unexpected places. A recent discovery by Check Point, a cybersecurity firm, has revealed a secret network of around 3,000 "ghost" accounts on GitHub, silently working to promote malware and phishing links. This network, associated with a cybercriminal dubbed “Stargazer Goblin,” has been operating since at least June of last year, exploiting the platform’s features to distribute malicious content.

The Operation: How "Stargazer Goblin" Manipulates GitHub

GitHub, the largest open-source code repository globally, is a vital resource for developers. However, it can also be a target for malicious activities. The cybercriminal behind Stargazer Goblin has been hosting malicious code repositories on GitHub and using the platform's community tools to make these repositories appear legitimate. By "starring," "forking," and "watching" these repositories—actions akin to liking, sharing, and subscribing on social media—these ghost accounts create a facade of popularity and trustworthiness. This deceptive tactic lures unsuspecting users into downloading malware, believing it to be safe and useful software.
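For defenders triaging suspicious repositories, the inflated popularity described above leaves one measurable trace: the same accounts star many otherwise unrelated repositories. The following is an added example, not code from Check Point or from this article; the repository names, account names and thresholds are constructed assumptions, and the input is assumed to be stargazer lists already exported per repository.

```python
from itertools import combinations

# Constructed sample: repository -> set of accounts that starred it.
SAMPLE = {
    "user-a/free-vpn-tool": {"acct01", "acct02", "acct03", "acct04", "dev_x"},
    "user-b/photo-editor-full": {"acct01", "acct02", "acct03", "acct04"},
    "user-c/game-helper": {"acct02", "acct03", "acct04", "acct05"},
    "org/http-library": {"dev_x", "dev_y", "dev_z", "dev_w"},
}

def jaccard(a, b):
    """Share of stargazers two repositories have in common (0.0 to 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def co_starred_clusters(stargazers, min_similarity=0.5, min_shared=3):
    """Group repositories whose stargazer sets overlap heavily.

    Thresholds are illustrative assumptions; tune them on real data.
    Returns a list of {"repos": [...], "accounts": [...]} dicts, where
    "accounts" starred at least two repositories in the cluster.
    """
    parent = {repo: repo for repo in stargazers}

    def find(repo):  # union-find root lookup with path compression
        while parent[repo] != repo:
            parent[repo] = parent[parent[repo]]
            repo = parent[repo]
        return repo

    for a, b in combinations(sorted(stargazers), 2):
        shared = stargazers[a] & stargazers[b]
        if len(shared) >= min_shared and \
                jaccard(stargazers[a], stargazers[b]) >= min_similarity:
            parent[find(a)] = find(b)  # link the two repositories

    groups = {}
    for repo in stargazers:
        groups.setdefault(find(repo), []).append(repo)

    clusters = []
    for repos in groups.values():
        if len(repos) < 2:
            continue  # a repository linked to nothing is not a cluster
        counts = {}
        for repo in repos:
            for account in stargazers[repo]:
                counts[account] = counts.get(account, 0) + 1
        accounts = sorted(a for a, n in counts.items() if n >= 2)
        clusters.append({"repos": sorted(repos), "accounts": accounts})
    return sorted(clusters, key=lambda c: c["repos"])
```

Heavy overlap is a triage signal for manual review, not proof of abuse: repositories from one project or community legitimately share stargazers.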

The Scope of the Threat: Targeting Unsuspecting Users

The malicious repositories often pose as downloads for popular tools and software, such as VPN services or licensed versions of Adobe Photoshop. They mainly target Windows users, who may be searching for free versions of these applications. Once downloaded, these tools can install various types of malware, including ransomware and info-stealers like the Atlantida Stealer, Rhadamanthys, and Lumma Stealer. Check Point’s Antonis Terefos uncovered this network while investigating the Atlantida Stealer and noted that the scope of the operation could be even larger, as legitimate GitHub accounts are also being hijacked and repurposed for malicious activities.

The Underground Economy: "Distribution as a Service"

Stargazer Goblin is not only spreading malware directly but also offers a "distribution as a service" model. This involves charging other hackers for boosting the visibility of their malicious repositories. The services are marketed through cybercrime forums and Telegram channels, where prices are listed for activities like providing stars to make repositories look more popular. It’s estimated that the operator of this network could have made around $100,000, with significant earnings reported in recent months.
