Stargazer Goblin’s $100K Scam: 3,000 Fake GitHub Accounts Exposed

• Stargazer Goblin has established a network of over 3,000 fake GitHub accounts to distribute various malware strains, earning approximately $100,000 over the past year.
  
• Check Point’s investigation uncovers this extensive operation, highlighting how these accounts maintain a facade of legitimacy through activities like starring and forking repositories.
  
  The Operation’s Scope
  

A Stargazer Ghost Network created by Stargazer Goblin composed of over 3,000 false GitHub accounts spread across thousands of repositories. Malware such as Atlantida Stealer, Rhadamanthys, and RedLine Stealer is distributed using these accounts. Operating since August 2022, the operation uses the Distribution-as-a-Service (DaaS) model, which capitalizes on its legitimacy through starring, forking, and subscribing to repositories, thereby making them more believable. This technique has resulted in tremendous illegal profits that have amounted to almost $100k over the last year.

Techniques and Tactics

These fake GitHub accounts are meticulously organized so that the network can stay operational even when some are taken down. They also include accounts dedicated to image hosting, phishing templates and malware distributed via password protected archives presented as cracked software. Any time GithHub identifies or blocks these malware plagued profiles; Stargazer Goblin always renews their deceptive links in new phishing sites with few nuisances. Sophisticatedly functioning as a two-way mechanism this arrangement does not only disseminate malware but rather they obscure it so that attempts at removal become less Effective.

Read More: Gh0st RAT Trojan Strikes Again: Fake Chrome Site Targets Chinese Users

Broader Implications and Countermeasures

The Stargazer Ghost Network is part of a broader DaaS infrastructure that also extends across alternative communication platforms like Discord, Facebook and Instagram among others. Additionally Check Point’s report identified an extortion campaign against GitHub users where attackers delete repositories before demanding ransom payments through Telegram applications. Moreover unauthorized access can be gained into sensitive data across forks and deleted repositories like Cross Fork Object Reference (CFOR). This underscores the need for strong cybersecurity measures by GitHub users who should therefore secure their accounts from such threats for user education on this issue is paramount.

Conclusion:

The exploitation of Github by StarGazer Goblin underpins how elaborate networks for dispersal of advanced malicious software are increasingly becoming serious security threat. They have built a very profitable enterprise that still eludes the authorities by running a network of fake profiles and using deceptive techniques. This instance is a timely reminder to developers and cybersecurity experts to remain vigilant, promote strong security practices as well as stay updated about emerging threats. By so doing we can be better protected from such sophisticated cyber-attacks and mitigate possible damages.