GitHub and similar open-source code and project repositories have become a common target of cybercriminals looking to lure developers into unknowingly downloading malicious scripts.
Now a threat group known as Stargazer Goblin is using a novel method to distribute malware and malicious links through the Microsoft-owned GitHub platform: it has built a network of more than 3,000 fake accounts that host phishing repositories, according to threat researchers with cybersecurity firm Check Point Research.
Some of those accounts are used to distribute the malware – an array of threats including Atlantida Stealer and other information stealers such as Rhadamanthys and RedLine – and malicious scripts, while others are used to create an air of legitimacy around the fake repositories through actions such as starring (essentially “liking”), forking (creating a copy) and watching.
“The Stargazers Ghost Network changes the game by providing a malicious repository where a malicious link is ‘starred’ and ‘verified’ by multiple GitHub accounts, thereby supporting its legitimacy,” Check Point researcher Antonis Terefos wrote in a report, saying that such actions can help lure victims into downloading the content. “We are entering a new era of malware distribution, where ghost accounts organically promote and distribute malicious links across various platforms. Future ghost accounts powered by artificial intelligence could launch even more targeted campaigns, making it increasingly difficult to distinguish between legitimate content and malicious material.”
Bad Actors Turn to Code Repositories
GitHub, Python Package Index (PyPI), npm, and similar repositories are attractive to hackers who see them as a way of spreading their malware via software supply-chain attacks by implanting malware into legitimate software packages that are then used by developers and organizations.
In this case, the phishing templates and tags in the fake repositories are tailored to the interests of victims, including social media, gaming and cryptocurrency. That victim-oriented tailoring increases the threats to targets, which include ransomware, stolen credentials and compromised crypto wallets.
The malicious GitHub repositories primarily target Windows users, though similar malware distribution methods can be used against Linux or Android users, which also have large user bases, according to Check Point.
Stargazer Goblin is running the Stargazers Ghost Network as a distribution-as-a-service (DaaS) that other bad actors can use to distribute their malware or malicious links via the phishing templates on GitHub. In addition, the researchers believe that what was found on GitHub is part of a larger operation that includes similar Ghost accounts on platforms like X (formerly Twitter), Instagram, YouTube, Twitch and Discord.
A Threat Two Years in the Making
The threat group has been running the network of bogus accounts since at least 2022 – and possibly earlier – with Check Point discovering an advertisement from July 2023 on the dark web that was written in both English and Russian and offered to pay others for particular services, such as $10 to star a repository with 100 accounts and $2 for providing an older “aged” repository, with discounts for purchases of more than $500.
The campaign has been effective, according to Terefos. A campaign that ran in January and distributed Atlantida Stealer racked up more than 1,300 victims in four days, with the malicious links possibly distributed through Discord channels. Atlantida steals user credentials, personally identifiable information and crypto wallets.
“The repositories targeted various types of victims who wanted to increase their followers on YouTube, Twitch and Instagram and also contained phishing templates for cracked software and other crypto-related activities,” he wrote.
Check Point estimates that Stargazer Goblin has earned more than $100,000 running the network, including $8,000 between mid-May and mid-June alone.
Separating the Jobs
The network is also set up to make it difficult to take the whole thing down. In some cases, a phishing template uses three Ghost accounts with different responsibilities: one hosts the phishing repository template, another provides the image used in the template and the third serves the malware as a password-protected archive.
“This structure and operational method enable Stargazer Goblin to quickly ‘fix’ any broken links that may occur due to accounts or repositories being banned for malicious activities,” Terefos wrote. “By distributing responsibilities across multiple accounts, the network ensures flexibility in replacing its compromised components. This minimizes disruption to their operations, allowing them to swiftly adapt and continue their malicious activities on GitHub.”
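The two traits described above – legitimacy manufactured by a crowd of thin accounts starring in a burst, and responsibilities split across accounts so that the README points at an archive (and image) hosted elsewhere – are both observable from ordinary repository metadata. The following is an added defender-side triage example written for this article; it is not Check Point's tooling or anything GitHub ships. The account fields, the thresholds and the sample snapshot are all assumptions constructed for illustration; a real tool would populate the same fields from the GitHub API.

```python
"""Triage heuristics for the 'ghost network' pattern (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed analysis time for the constructed sample below.
NOW = datetime(2024, 7, 30)


@dataclass
class Account:
    login: str
    created_at: datetime
    public_repos: int
    followers: int
    starred_at: datetime  # when this account starred the repository under review


@dataclass
class RepoSnapshot:
    owner: str
    name: str
    readme: str
    stargazers: list[Account] = field(default_factory=list)


GITHUB_LINK = re.compile(r"https?://github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)[^\s)]*")
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)\b", re.I)
IMAGE_EXT = re.compile(r"\.(png|jpe?g|gif|webp)\b", re.I)
PASSWORD_HINT = re.compile(r"\bpass(word)?\s*[:=]", re.I)


def ghost_ratio(repo: RepoSnapshot, now: datetime,
                max_age_days: int = 90, max_repos: int = 1, max_followers: int = 2) -> float:
    """Fraction of stargazers that look like low-history 'ghost' accounts (assumed thresholds)."""
    if not repo.stargazers:
        return 0.0
    ghosts = [a for a in repo.stargazers
              if (now - a.created_at).days <= max_age_days
              and a.public_repos <= max_repos
              and a.followers <= max_followers]
    return len(ghosts) / len(repo.stargazers)


def star_burst(repo: RepoSnapshot, window_hours: int = 24) -> int:
    """Largest number of stars that landed inside any single window of `window_hours`."""
    times = sorted(a.starred_at for a in repo.stargazers)
    best, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > timedelta(hours=window_hours):
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def cross_account_links(repo: RepoSnapshot) -> list[str]:
    """github.com links in the README that point at content under a different owner."""
    return [m.group(0) for m in GITHUB_LINK.finditer(repo.readme)
            if m.group(1).lower() != repo.owner.lower()]


def triage(repo: RepoSnapshot, now: datetime) -> list[str]:
    """Collect human-readable findings; each one is a signal the article describes."""
    findings = []
    ratio = ghost_ratio(repo, now)
    if ratio >= 0.5:
        findings.append(f"{ratio:.0%} of stargazers are low-history accounts")
    burst = star_burst(repo)
    if burst >= 5:
        findings.append(f"{burst} stars landed within a single 24h window")
    links = cross_account_links(repo)
    archives = [u for u in links if ARCHIVE_EXT.search(u)]
    images = [u for u in links if IMAGE_EXT.search(u)]
    if archives:
        findings.append("download archive hosted under another account: " + ", ".join(archives))
    if images:
        findings.append("template image hosted under another account: " + ", ".join(images))
    if archives and PASSWORD_HINT.search(repo.readme):
        findings.append("README supplies the password for the archive")
    return findings


def is_suspicious(repo: RepoSnapshot, now: datetime, min_findings: int = 3) -> bool:
    return len(triage(repo, now)) >= min_findings


def sample_repo() -> RepoSnapshot:
    """Constructed snapshot for illustration; the accounts and repositories are not real."""
    base = datetime(2024, 7, 1, 10, 0)
    ghosts = [Account(f"ghost-{i:02d}", datetime(2024, 6, 15) + timedelta(days=i), 0, 0,
                      base + timedelta(minutes=5 * i)) for i in range(8)]
    regulars = [Account("longtime-dev", datetime(2019, 3, 2), 42, 130, datetime(2024, 7, 5, 9, 0)),
                Account("curious-user", datetime(2021, 11, 9), 7, 12, datetime(2024, 7, 20, 18, 30))]
    readme = (
        "# Free Followers Booster\n"
        "Download: https://github.com/asset-holder-1/releases/releases/download/v1/booster.zip\n"
        "Password: 1234\n"
        "![preview](https://github.com/img-holder-2/preview/raw/main/shot.png)\n"
    )
    return RepoSnapshot("fake-owner", "free-followers-booster", readme, ghosts + regulars)


if __name__ == "__main__":
    for line in triage(sample_repo(), NOW):
        print("-", line)
    print("suspicious:", is_suspicious(sample_repo(), NOW))
```

The point of splitting the signals is that no single one is damning: a popular project can pick up stars in a burst after a social-media mention, and a README can legitimately link to another owner's release. It is the combination (thin accounts, burst, off-account archive, password in the README) that matches the division of labour Terefos describes, which is why `is_suspicious` requires several findings before flagging.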
The way the network of malicious accounts is set up makes it difficult for most users to detect, though Check Point recommends keeping operating systems and applications updated, being cautious of unexpected emails or messages containing links – particularly if they come from unknown senders – and improving the security awareness of workers.