25 July 2024

Stargazer Goblin launches malware distribution-as-a-service via GitHub

A threat actor known as 'Stargazer Goblin' has orchestrated a sophisticated malware distribution-as-a-service (DaaS) operation using over 3,000 fake GitHub accounts. The campaign, discovered by Check Point Research, uses GitHub repositories and compromised WordPress sites to distribute password-protected archives laden with information-stealing malware.

Dubbed the Stargazers Ghost Network, the operation leverages various malware variants such as RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer.

The operation is believed to have started in August 2022, based on the creation of the core GitHub Ghost accounts, which suggests an initial development or testing phase. An advertisement for the service appeared on dark web forums on July 8, 2023, posted by an account created just a day earlier. Monitoring of campaigns between mid-May and mid-June 2024 revealed that Stargazer Goblin earned approximately $8,000. However, this is likely a fraction of their total earnings, estimated at around $100,000 over the operation's lifespan.

The Stargazers Ghost Network is part of a broader ecosystem of Ghost accounts operating across multiple platforms, forming a larger DaaS universe. The research team identified over 2,200 malicious repositories associated with Ghost activities during the investigation. A campaign in January 2024 distributed Atlantida Stealer, a new malware family that steals user credentials, cryptocurrency wallets, and other personally identifiable information (PII). In just four days, this campaign infected over 1,300 victims.

Malicious links to the GitHub repositories were likely distributed via Discord channels, targeting victims looking to boost their followers on YouTube, Twitch, and Instagram, or seeking cracked software and crypto-related activities.

The Stargazers Ghost Network enhances its perceived legitimacy by “starring” and “verifying” malicious links through multiple GitHub accounts.

The network frequently repurposes identical tags and images, shifting the target audience from one platform or software to another, suggesting automated operations for efficiency and scalability.

Each Ghost-Stargazer within the network engages with multiple repositories, with a significant portion clearly involved in malicious activities.

“The network’s maintenance and recovery process appears to be automatic, detecting banned accounts/repositories and fixing them when necessary. Using different account roles ensures there is only minimal damage when and if GitHub takes action against accounts or repositories that violated its rules,” the researchers said.
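The signals described above (stars from batches of throwaway accounts, identical tags and images reused across repositories, releases shipped as password-protected archives) can be turned into a simple defender-side triage heuristic. The following is an added example, not code from the article or from Check Point Research; the account and repository metadata, the 90-day account-age threshold and the 50% ghost-star cutoff are all constructed assumptions for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import date

# created: account creation date; own_commits: commits the account has authored anywhere
Account = namedtuple("Account", "created own_commits")
# stargazers: Accounts that starred the repo; topics: repo tags; readme_image_hash: hash of
# the README banner; password_archive_release: latest release is a password-protected archive
Repo = namedtuple("Repo", "name stargazers topics readme_image_hash password_archive_release")

def ghost_ratio(repo, observed_on, max_age_days=90):
    """Share of stargazers that are young accounts with no commits of their own."""
    if not repo.stargazers:
        return 0.0
    ghosts = [a for a in repo.stargazers
              if (observed_on - a.created).days <= max_age_days and a.own_commits == 0]
    return len(ghosts) / len(repo.stargazers)

def shared_asset_groups(repos):
    """Names of repos that reuse the same README image together with the same topic set."""
    groups = defaultdict(list)
    for r in repos:
        groups[(r.readme_image_hash, r.topics)].append(r.name)
    return {k: v for k, v in groups.items() if len(v) > 1}

def triage(repos, observed_on):
    """Map each repo name to the indicators it triggers; an empty list means no signal."""
    reused = {n for names in shared_asset_groups(repos).values() for n in names}
    findings = {}
    for r in repos:
        reasons = []
        if ghost_ratio(r, observed_on) >= 0.5:
            reasons.append("majority of stars from young, commit-less accounts")
        if r.name in reused:
            reasons.append("README image and topics reused by another repo")
        if r.password_archive_release:
            reasons.append("release asset is a password-protected archive")
        findings[r.name] = reasons
    return findings

# Constructed sample data (not from the report): two lure repos share one banner and
# topic set and are starred by the same batch of fresh accounts; one ordinary repo.
TODAY = date(2024, 6, 15)
GHOSTS = tuple(Account(date(2024, 5, 20), 0) for _ in range(4))
DEVS = tuple(Account(date(2019, 3, 1), 120) for _ in range(4))
REPOS = [
    Repo("yt-booster", GHOSTS, frozenset({"youtube", "followers"}), "img-a1", True),
    Repo("ig-booster", GHOSTS, frozenset({"youtube", "followers"}), "img-a1", True),
    Repo("log-parser", DEVS, frozenset({"logging", "python"}), "img-b2", False),
]
```

Calling `triage(REPOS, TODAY)` flags both booster repositories on all three indicators and returns an empty list for the ordinary repository; in practice the metadata would come from the GitHub API and the thresholds would be tuned against known-good repositories.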
