August 1, 2024 - Check Point Research and Bleeping Computer
Cybersecurity researchers from Check Point have uncovered a sophisticated network of approximately 3,000 "ghost" accounts on GitHub. This network, dubbed the Stargazers Ghost Network, has been distributing malware and phishing links since at least June 2023.
The network operates by creating fake accounts and repositories that appear legitimate. These accounts use GitHub's community tools, such as starring, forking, and subscribing, to boost the visibility and perceived legitimacy of malicious repositories. The malware distributed includes various types such as Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
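The star-and-fork inflation described above is something a defender can check for when vetting a repository. The following is an added example, not Check Point's tooling or anything from the report: it scores a repository's stargazers on account age, footprint and burstiness using constructed sample records, and the field names and thresholds are assumptions chosen for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stargazer record; fields mirror what a reviewer could collect
# from a repository's stargazer list and each user's public profile.
@dataclass
class Stargazer:
    login: str
    created_at: datetime   # account creation time
    starred_at: datetime   # when the star was given
    public_repos: int
    followers: int

def looks_like_ghost(s: Stargazer, max_age_days: int = 90) -> bool:
    """Heuristic: a young account with almost no footprint of its own."""
    age = s.starred_at - s.created_at
    return age < timedelta(days=max_age_days) and s.public_repos <= 1 and s.followers <= 2

def star_burst(stargazers, window_hours: int = 24, min_stars: int = 5) -> bool:
    """True if at least min_stars stars landed inside any window_hours window."""
    times = sorted(s.starred_at for s in stargazers)
    window, lo = timedelta(hours=window_hours), 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= min_stars:
            return True
    return False

def assess_repo(stargazers, ghost_ratio_threshold: float = 0.5) -> dict:
    """Flag a repo when most stars come from ghost-like accounts in a burst."""
    ghosts = [s.login for s in stargazers if looks_like_ghost(s)]
    ratio = len(ghosts) / len(stargazers) if stargazers else 0.0
    burst = star_burst(stargazers)
    return {"ghost_ratio": round(ratio, 2), "star_burst": burst,
            "suspicious": ratio >= ghost_ratio_threshold and burst, "ghosts": ghosts}

def sample_stargazers():
    """Constructed data: six fresh empty accounts starring within 35 minutes,
    plus two established accounts that starred on their own schedule."""
    base = datetime(2024, 6, 1, 12, 0)
    ghosts = [Stargazer(f"user{i}", base - timedelta(days=10),
                        base + timedelta(minutes=7 * i), 0, 0) for i in range(6)]
    organic = [Stargazer("maintainer-a", datetime(2015, 3, 1), base - timedelta(days=40), 42, 120),
               Stargazer("dev-b", datetime(2019, 7, 1), base - timedelta(days=3), 9, 30)]
    return ghosts + organic

if __name__ == "__main__":
    print(assess_repo(sample_stargazers()))
```

The thresholds are deliberately loose; in practice they would be tuned against repositories with a known organic star history.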
The primary targets of this network are gamers, social media enthusiasts, and cryptocurrency holders. The malicious repositories often disguise themselves as tools for social media, gaming, or cryptocurrency applications. The malware can lead to ransomware infections, credential theft, and compromised crypto wallets.
The network operates on a Distribution as a Service (DaaS) model, charging other hackers to use its services. From mid-May to mid-June 2024 alone, the network reportedly earned around $8,000. Since its inception, the total earnings could exceed $100,000.
This discovery highlights the growing sophistication of cybercriminal operations and the need for robust cybersecurity measures. The use of legitimate platforms like GitHub for malicious purposes poses a significant challenge for both users and platform administrators.