Stargazer Goblin

Carding Forum

Check Point uncovered a network of 3,000 fake GitHub accounts that actively spread malware and phishing links. The activity started at least in May of last year.

The most active cybercriminal, dubbed Stargazer Goblin, uses the platform to host malicious repositories. The highlight of the campaign is the ability to make malicious repositories look legitimate through actions such as adding stars (similar to likes), forks (similar to retweets), and subscriptions. Trading of repositories and "stars" is coordinated through channels in Telegram and on the darknet.

The Stargazers Ghost Network distributes malicious repositories that offer tools for social networks, games, and cryptocurrencies. The repositories allegedly provide a VPN access code or Adobe Photoshop licenses, and are mainly targeted at Windows users. The goal of attackers is to attack victims who are looking for free software.

The network operator sells its services to other hackers, calling it Distribution-as-a-Service (DaaS). The network distributes various types of malware, including ransomware and infostealers: Atlantis Stealer, Rhadamanthys and Lumma Stealer.

Check Point suggests that the network may be larger than it seems, since the campaign involves legitimate GitHub accounts that were hacked using stolen credentials. The criminal's total "earnings" over the lifetime of the operation are estimated at about $100,000.

According to experts, the activity of the network ("stars" and "page views") is probably automated, since repositories are processed in quick succession and created from a single template. Such activity is difficult to detect, since the behavior of the accounts mimics the actions of ordinary GitHub users.

Stargazer Goblin created a complex malware distribution operation that avoids detection thanks to the high level of trust in GitHub. This allows them to escape suspicion and quickly resume operations when GitHub disrupts the network. By using multiple accounts and profiles for different tasks (adding stars, hosting repositories, committing phishing templates, hosting malicious releases), the Stargazers Ghost Network minimizes losses when GitHub takes action, since usually only one part of the operation is disrupted, not all accounts.

• Source: https://research.checkpoint.com/2024/stargazers-ghost-network/