‘Stargazer Goblin’ Amasses Rogue GitHub Accounts to Spread Malware

July 24, 2024 at 04:38PM

A threat actor tracked as “Stargazer Goblin” is using a new tactic to distribute malware by abusing GitHub. It operates a large network of inauthentic accounts that star, fork, and subscribe to malicious repositories so that they appear popular and credible. The group also distributes malware through platforms beyond GitHub and charges for services such as promoting repositories. The goal is to trick users into downloading and executing infected code packages.

The key takeaways from the report are:

1. The threat actor “Stargazer Goblin” has developed a new tactic to distribute malware and malicious links through GitHub. Instead of hosting malware directly, they are using socially engineered influence operations involving thousands of inauthentic accounts to make malicious repositories appear legitimate to unsuspecting users.

2. The operation includes a malware distribution-as-a-service (DaaS) network called Stargazers Ghost Network, which consists of more than 3,000 active GitHub accounts. A small number of these accounts are used to distribute the malware, while the rest are inauthentic accounts that act to legitimize the rogue repositories.

3. Stargazer Goblin has been distributing various malware families since at least August 2022, and may also extend its operations to other platforms such as Twitter, YouTube, Discord, Instagram, and Facebook.

4. The threat group uses tactics to promote the malicious repositories, such as using tags to ensure their visibility in GitHub searches and promoting them through services like Discord for game mods, cracked software, trading tools, and more.

5. This tactic presents a significant risk to users who may unknowingly come across these malicious repositories, potentially resulting in malware infections.
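The core of the operation described above is that inauthentic accounts supply the stars, forks and watches that make a repository look trustworthy. From a defender's side, the same records can be triaged for signs of inflation: many stargazers that were created days before they starred, have no repositories or followers, and starred within minutes of each other. The following is an added example written for this page, not code from the report or from GitHub; the stargazer records are constructed, the thresholds are illustrative assumptions, and the field names mirror what GitHub's list-stargazers API returns when the `application/vnd.github.star+json` media type is requested (which adds `starred_at`). The same logic applies unchanged to a fork or watcher list.

```python
"""Heuristic triage of a repository's stargazer list for inauthentic-account
signals: young accounts, empty profiles, and stars arriving in a tight burst.
Added example; the stargazer records below are constructed, not real data."""
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for illustration, not published values.
YOUNG_ACCOUNT_DAYS = 30            # account created within 30 days of starring
BURST_WINDOW = timedelta(minutes=15)
BURST_MIN_STARS = 5                # this many stars inside one window counts as a burst


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def account_flags(s: dict) -> set:
    """Per-account signals that do not depend on the other stargazers."""
    flags = set()
    age_at_star = _parse(s["starred_at"]) - _parse(s["created_at"])
    if age_at_star < timedelta(days=YOUNG_ACCOUNT_DAYS):
        flags.add("young_account")
    if s["public_repos"] == 0 and s["followers"] == 0:
        flags.add("empty_profile")
    return flags


def star_bursts(stargazers) -> list:
    """Return the logins of each non-overlapping group of >= BURST_MIN_STARS
    stars that all fall within BURST_WINDOW of the group's first star."""
    events = sorted((_parse(s["starred_at"]), s["login"]) for s in stargazers)
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= BURST_WINDOW:
            j += 1
        if j - i + 1 >= BURST_MIN_STARS:
            bursts.append([login for _, login in events[i:j + 1]])
            i = j + 1          # skip past the burst we just recorded
        else:
            i += 1
    return bursts


def triage(stargazers: list) -> dict:
    """Combine per-account and burst signals; an account needs at least two
    signals to be called suspicious, so a lone new-but-genuine user is not."""
    flags = {s["login"]: account_flags(s) for s in stargazers}
    for burst in star_bursts(stargazers):
        for login in burst:
            flags[login].add("star_burst")
    suspicious = sorted(login for login, f in flags.items() if len(f) >= 2)
    fraction = len(suspicious) / len(stargazers) if stargazers else 0.0
    return {
        "total": len(stargazers),
        "suspicious": suspicious,
        "suspicious_fraction": round(fraction, 2),
        "flags": flags,
        "likely_inflated": fraction >= 0.5,   # assumed decision threshold
    }


def _stargazer(login, created_at, public_repos, followers, starred_at):
    return {"login": login, "created_at": created_at, "public_repos": public_repos,
            "followers": followers, "starred_at": starred_at}


# Constructed sample: six week-old, empty accounts starring within nine minutes,
# three established accounts, and one genuinely new user who starred on her own.
SAMPLE_STARGAZERS = [
    _stargazer("alice", "2019-03-02T10:00:00Z", 42, 100, "2024-05-10T09:12:00Z"),
    _stargazer("bob",   "2021-11-15T08:30:00Z", 12, 5,   "2024-06-02T17:45:00Z"),
    _stargazer("carol", "2023-01-20T14:00:00Z", 3,  0,   "2024-06-20T11:05:00Z"),
    _stargazer("dave",  "2024-06-28T09:00:00Z", 1,  0,   "2024-07-03T16:20:00Z"),
] + [
    _stargazer(f"ghost0{n}", "2024-06-25T00:00:00Z", 0, 0, starred_at)
    for n, starred_at in enumerate([
        "2024-07-01T12:00:00Z", "2024-07-01T12:01:00Z", "2024-07-01T12:03:00Z",
        "2024-07-01T12:04:00Z", "2024-07-01T12:06:00Z", "2024-07-01T12:09:00Z",
    ], start=1)
]

if __name__ == "__main__":
    result = triage(SAMPLE_STARGAZERS)
    print(f"{result['total']} stargazers, {len(result['suspicious'])} suspicious "
          f"({result['suspicious_fraction']:.0%}); likely inflated: {result['likely_inflated']}")
    for login in result["suspicious"]:
        print(f"  {login}: {sorted(result['flags'][login])}")
```

Requiring two signals per account keeps a single young or sparse profile from being flagged on its own; what the page describes is the combination of throwaway accounts acting together, and the burst detector captures that coordination. A real deployment would page through the API, treat the thresholds as tunable, and use the output to prioritise review rather than to block.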

Together these points summarize the reported Stargazer Goblin activity and its approach to distributing malware and malicious links.
