Massive GitHub Breach: Over 3,000 Accounts Hijacked for Malware Distribution. Here is a quick look.


In a significant cybersecurity breach, over 3,000 GitHub accounts have been exploited by a malware distribution service. This operation, identified as the Stargazers Ghost Network, is managed by a threat actor known as Stargazer Goblin. The network uses these accounts to spread various types of information-stealing malware.


The Operation’s Structure

The Stargazers Ghost Network operates using a Distribution-as-a-Service (DaaS) model. This structure allows the network to create deceptive GitHub accounts that deploy different malware types. The network’s activities are divided among several groups of fake accounts, each with specific responsibilities. Some accounts handle phishing templates, others manage phishing images, and a third group releases malware. This organizational strategy ensures the network’s resilience, even if some accounts are deactivated.

Types of Malware Distributed

The malware types distributed by this network include RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer. These malware types are designed to steal information from infected systems. The network has been active since August 2022 and began promoting its services on underground forums in June 2023.

Financial Impact and Countermeasures

The Stargazers Ghost Network has generated over $100,000 through its activities. GitHub has been actively working to dismantle the network, removing more than 1,500 dubious repositories since May 2024. However, over 200 malicious repositories remain active. Users are advised to be cautious, especially when handling password-protected archives downloaded from GitHub, because the encrypted contents cannot be inspected by antivirus scans. Best practices include opening such files only inside a virtual machine and checking them with antivirus software or services like VirusTotal.
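The reason password-protected archives defeat scanning is that the ZIP format marks each member as encrypted (bit 0 of the general-purpose flag), so a scanner sees only ciphertext. The following added example, which is not from the article or from GitHub, shows a download-triage check that reads that flag from the central directory and routes flagged archives to a VM or sandbox instead of letting them be opened directly; it covers ZIP only, and the sample archives are constructed in memory, with the encrypted flag patched in by hand rather than produced by a real password-protected build.

```python
import io
import zipfile

# ZIP general-purpose bit flag, bit 0: the member payload is encrypted
# (password-protected). Scanners cannot inspect such payloads, which is
# why the archives described above slip past antivirus checks.
ZIP_ENCRYPTED_FLAG = 0x0001


def encrypted_members(archive_bytes: bytes) -> list[str]:
    """Return names of members whose payload is encrypted.
    Raises zipfile.BadZipFile when the input is not a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [zi.filename for zi in zf.infolist()
                if zi.flag_bits & ZIP_ENCRYPTED_FLAG]


def triage_download(archive_bytes: bytes) -> str:
    """Route a downloaded file: password-protected archives go to a VM or
    sandbox for analysis instead of being opened on the workstation."""
    try:
        hidden = encrypted_members(archive_bytes)
    except zipfile.BadZipFile:
        return "not-zip: scan normally"
    if hidden:
        return "quarantine: analyse in VM (%d encrypted member(s))" % len(hidden)
    return "scan normally"


def _constructed_sample(encrypted: bool) -> bytes:
    """Constructed test data, not a real sample: a one-member ZIP. To emulate
    a password-protected archive without a third-party library, set bit 0 of
    the flag field in the local file header (offset 6) and in the central
    directory record (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.exe", b"MZ-constructed-bytes")
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")     # local file header signature
        central = data.find(b"PK\x01\x02")   # central directory signature
        data[local + 6] |= ZIP_ENCRYPTED_FLAG
        data[central + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


PLAIN_ARCHIVE = _constructed_sample(encrypted=False)
PROTECTED_ARCHIVE = _constructed_sample(encrypted=True)
```

Applied to a downloads folder, `triage_download` separates archives that a scanner could actually inspect from those whose contents are opaque and therefore belong in a VM first.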

Specific Attacks and Target Audience

In January 2024, the network distributed Atlantida Stealer, affecting over 1,300 victims in just four days. The malware was spread through links, likely shared on Discord, aimed at users interested in growing their social media or streaming platform followers. Phishing templates used by the network often direct victims, via download links, to the release sections of malicious GitHub repositories. The use of password-protected archives helps the payloads evade typical scanning methods.

Network Structure and Durability

The network’s structure is defined by three distinct types of false accounts: phishing repository templates, phishing images, and malware provision in password-protected formats. This structure ensures the network’s durability, allowing it to continue its activities even if some accounts are shut down. When a malware-serving account is deactivated, another phishing repository quickly replaces it with a fresh link to an active malicious release.

Conclusion

The exploitation of over 3,000 GitHub accounts by the Stargazers Ghost Network highlights the growing sophistication of cyber threats. It underscores the importance of vigilance and robust cybersecurity measures to protect against such malicious activities. Users must remain cautious and adopt best practices to safeguard their systems from these evolving threats.
