Operating under the Distribution-as-a-Service model, such hackers can infiltrate developers' code to distribute phishing and malware elements surreptitiously.
Corporations, government agencies and educational institutions are known to leverage the GitHub platform, now owned by Microsoft, to improve code development.
Now, cybersecurity researchers have uncovered a network of “ghost accounts” operating on the platform to distribute malware and malicious links. According to Check Point Research (CPR), this type of operation, where fake accounts are instrumented to organically perform phishing attacks to distribute malware, has never been seen by its experts before.
Based on an advertisement posted on the Dark Web in June 2023, the operator of this first ghost account network on GitHub appears to be an individual known as Stargazer Goblin, who was offering a price list for each malicious service the group provides. Supported by other clues, CPR researchers believe the network could have started some time in August 2022.
The ghost account network offers code repositories, phishing templates and tags that purchasers can use to target users with various interests, including social media, gaming, cryptocurrency and many others. Such operations can have a significant impact because they are heavily victim-oriented, which makes infections even more severe: victims face threats such as ransomware infections, stolen credentials and compromised cryptocurrency wallets.
Modus operandi
The malicious repositories currently target mainly Windows users, although similar malware distribution methods can be used to target Linux or Android users. Among the targets are developers and groups that command large user bases, so a single compromise can have a greater impact on the wider community.
Based on campaigns and accounts monitored from mid-May to mid-June 2024, CPR researchers estimate that Stargazer Goblin could have earned approximately US$8,000 in less than a month, and possibly more than US$100,000 since operations began with its 3,000 ghost accounts in 2022. Also:
- The group operates a Distribution-as-a-Service (DaaS) network providing a platform for other potential threat actors to feed Stargazer Goblin their malicious links or malware to be distributed via malicious phishing templates on GitHub repositories. The network has been distributing all sorts of malware families, with notable mentions of Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
- A YouTube account linked to the group has been found to have distributed malicious links via video, suggesting a “high probability” that the Stargazer group also operates ghost accounts on social media and other platforms. This suggests a much larger DaaS universe that could spread across multiple platforms, potentially infecting and impacting a significantly greater number of users within the wider digital community.
CPR advises readers and developers to be wary of links leading to GitHub, and of repositories whose download links point at executables. Even reputable repositories can distribute malware if they have been tainted with malicious download links. Be highly suspicious of any commit that only changes or adds links in a repository.
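As an added illustration of that last point (not code from the article or from Check Point), the following Python heuristic parses a unified diff and flags commits in which every changed line carries a URL, and lists added URLs that point straight at an executable or archive. The two diffs, the domains and the suffix list are constructed examples.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>)\]\"']+")
# Suffixes treated as direct executable/archive downloads (an assumed list, not from the article).
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".zip", ".rar", ".7z")


@dataclass
class CommitReview:
    link_only: bool             # True when every +/- line in the diff carries a URL
    added_urls: list            # URLs introduced on '+' lines
    executable_urls: list       # added URLs whose path ends in an executable/archive suffix


def review_commit_diff(diff: str) -> CommitReview:
    """Heuristic review of a unified diff: flag commits that only add or change links."""
    changed = []  # (sign, text) for each +/- line, skipping the ---/+++ file headers
    for line in diff.splitlines():
        if line.startswith(("+++ ", "--- ")):
            continue
        if line[:1] in ("+", "-"):
            changed.append((line[0], line[1:]))
    link_only = bool(changed) and all(URL_RE.search(text) for _, text in changed)
    added_urls = [u for sign, text in changed if sign == "+" for u in URL_RE.findall(text)]
    executable_urls = [u for u in added_urls if urlparse(u).path.lower().endswith(EXECUTABLE_SUFFIXES)]
    return CommitReview(link_only, added_urls, executable_urls)


# Constructed sample: a README commit that swaps the release page for a direct .exe download.
LINK_SWAP_DIFF = """\
--- a/README.md
+++ b/README.md
@@ -10,3 +10,3 @@
 ## Install
-[Download the latest build](https://github.com/example-org/example-tool/releases)
+[Download the latest build](https://cdn.example.invalid/files/Setup.exe)
 Run the installer and follow the prompts.
"""

# Constructed sample: an ordinary code change that also touches a URL in a comment.
CODE_CHANGE_DIFF = """\
--- a/src/fetch.py
+++ b/src/fetch.py
@@ -1,2 +1,3 @@
-# docs: https://example.invalid/docs
+# docs: https://example.invalid/docs/v2
+TIMEOUT = 10
 def fetch(url):
"""
```

Run `review_commit_diff(LINK_SWAP_DIFF)` to see the first sample flagged as link-only with an executable download, while the second sample is not flagged because one of its changed lines carries no URL.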