July 29, 2024 at 03:42AM
Stargazer Goblin operates a network of inauthentic GitHub accounts, distributing malware and earning $100,000 in illicit profits. The “Ghost” accounts engage in various activities to appear legitimate, making them resistant to takedowns. The scheme propagates malware families such as Atlantida Stealer and involves social engineering attacks, targeting GitHub repositories and developers.
According to the notes, a threat actor known as Stargazer Goblin has built a network of fake GitHub accounts to run a Distribution-as-a-Service (DaaS) operation that spreads several families of information-stealing malware, earning approximately $100,000 in illicit profits over the past year. The network comprises more than 3,000 accounts on the cloud-based code hosting platform and distributes malware such as Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The accounts also star, fork, and otherwise interact with the repositories to give them a façade of legitimacy. The network has been active since at least August 2022, and its infrastructure has been deliberately structured to withstand takedown measures by GitHub.
The network is not limited to GitHub: it also operates ghost accounts on other platforms, including Discord, Facebook, Instagram, and YouTube. The notes also cover a recent extortion operation targeting GitHub repositories, in which threat actors wipe the repository contents and demand payment for restoration, and an advisory from Truffle Security regarding a potential Cross Fork Object Reference (CFOR) vulnerability.
Taken together, the notes give a detailed picture of the malware distribution operation orchestrated by Stargazer Goblin and of the evolving threats and vulnerabilities affecting GitHub repositories.