Security News > 2024 > July > 'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread

"This network not only distributes malware but also provides various other activities that make these 'Ghost' accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories."

These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.

Should the third set of accounts be detected and banned by GitHub, Stargazer Goblin moves to update the first account's phishing repository with a new link to a new active malicious release, thereby allowing the operators to move forward with minimal disruption.

Besides liking new releases from multiple repositories and committing changes to the README.md files to modify the download links, there is evidence to suggest that some accounts part of the network have been previously compromised, with the credentials likely obtained via stealer malware.

"Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected," Terefos said.

"Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts."

News URL

https://thehackernews.com/2024/07/stargazer-goblin-creates-3000-fake.html