Check Point Research details the Stargazers Ghost Network, a GitHub-based Distribution as a Service (DaaS) run by the threat actor Stargazer Goblin. "Ghost" GitHub accounts host phishing templates, malicious links and malware in repositories and star, fork and watch one another so that the repositories look legitimate. The operation has disseminated multiple malware families (Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, RedLine) across thousands of GitHub repositories, with a multi-account workflow built to survive takedowns. #StargazersGhostNetwork #StargazerGoblin

Keypoints

  • The Stargazers Ghost Network distributes malware and malicious links through phishing repositories on GitHub; Ghost accounts star, fork and watch those repositories to lend them legitimacy.
  • Check Point Research tracks the threat actor as Stargazer Goblin, who operates and maintains the network and distributes malware through Ghost GitHub accounts.
  • Malware families distributed through the network include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer and RedLine.
  • Evidence points to a large ecosystem of Ghost accounts (well over 3,000) and more than 2,200 malicious repositories; development began around August 2022 and the service was publicly advertised from July 2023.
  • The Atlantida Stealer campaign (January 2024) and the Rhadamanthys campaign (mid-2024) used victim-tailored phishing templates and password-protected archives delivered through GitHub releases and linked downloads.
  • The operation splits work across account roles (Repository, Commit, Release and Stargazer accounts) so that it keeps running when individual accounts are detected or banned; this separation is what makes the DaaS resilient.
  • Estimated profits are around $100,000 over the lifetime of the Stargazers Ghost Network, about $8,000 of it between mid-May and mid-June 2024, and the operation shows signs of expanding to platforms beyond GitHub.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – GitHub repositories host phishing README templates whose download links lead off the repository. "The README.md phishing template contains a malicious DOWNLOAD link to an external website."
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Malicious code is executed via PowerShell. "PowerShell code executing a .NET Injector."
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Obfuscated VBScript launches the PowerShell stage. "The VB script contains obfuscated code that executes PowerShell."
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder and [T1053.005] Scheduled Task – Malware persists via startup items and scheduled tasks. "persistence on infected systems through various methods, including scheduled tasks or startup items."
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Atlantida Stealer harvests stored credentials and cryptocurrency wallet data. "Atlantida stealer … steals user credentials and cryptocurrency wallets."
  • [T1041] Exfiltration Over C2 Channel – Stolen data is sent back over the same channel used for tasking. "exfiltrate stolen data" and "C2 servers to receive commands."
  • [T1071.001] Application Layer Protocol: Web Protocols – Malware communicates with C2 servers for commands and data exfiltration. "The malware communicates with C2 servers to receive commands and exfiltrate stolen data."
  • [T1485] Data Destruction – The malware may delete or manipulate files to disrupt operations. "The malware may delete or manipulate files to disrupt victim operations or extort them for ransom."
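The star/fork/watch amplification described in the key points and the README phishing template under T1566 are the two things a defender can check for directly. The following Python is an added example, not Check Point's or GitHub's code: it scores a repository's stargazer list for the Ghost-account pattern (young, empty accounts starring in a burst) and flags README links that lead off the repository (another account's release, an external host or a URL shortener) together with lines that hand out an archive password. All stargazer records, the README text, the account names (ghost0 to ghost5, olddev, maintainer, release-acct, repo-acct) and the thresholds are constructed assumptions; the GitHub API endpoints named in the docstring are where such data would come from in practice.

```python
"""Heuristic triage of a GitHub repository for Stargazers-Ghost-Network-style
amplification: young, empty accounts starring in a burst, plus a README whose
download link leads off the repository and hands out an archive password.

Added example, not Check Point's or GitHub's code. Every record below is
constructed. In practice the stargazer list comes from
GET /repos/{owner}/{repo}/stargazers (with the
'application/vnd.github.star+json' media type, which adds starred_at) and the
per-account fields from GET /users/{login}; thresholds are assumptions to tune."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse
import re


@dataclass
class Stargazer:
    login: str
    created_at: datetime   # account creation time (UTC)
    public_repos: int
    followers: int
    starred_at: datetime   # when this account starred the repo under review


def ghost_score(stargazers, young_days=90, burst_window=timedelta(hours=48),
                young_threshold=0.6, burst_threshold=0.6):
    """Per-signal fractions and a verdict.

    young_frac: share whose account was under young_days old when it starred
    empty_frac: share with no public repos and no followers (a pure 'Stargazer' role)
    burst_frac: largest share of all stars that landed inside one burst_window
    """
    n = len(stargazers)
    if n == 0:
        return {"young_frac": 0.0, "empty_frac": 0.0, "burst_frac": 0.0, "suspicious": False}
    young = sum(1 for s in stargazers
                if s.starred_at - s.created_at < timedelta(days=young_days))
    empty = sum(1 for s in stargazers if s.public_repos == 0 and s.followers == 0)
    times = sorted(s.starred_at for s in stargazers)
    burst, j = 0, 0
    for i, t in enumerate(times):              # sliding window over sorted star times
        while times[j] < t - burst_window:
            j += 1
        burst = max(burst, i - j + 1)
    result = {"young_frac": young / n, "empty_frac": empty / n, "burst_frac": burst / n}
    result["suspicious"] = (result["young_frac"] >= young_threshold
                            and result["burst_frac"] >= burst_threshold)
    return result


MARKDOWN_LINK = re.compile(r"\[([^\]]*)\]\((https?://[^)\s]+)\)")
SHORTENERS = {"goo.su", "bit.ly"}          # the shorteners named on this page; extend as needed


def readme_flags(readme, repo_owner):
    """Flag every README link that leaves this account's repositories, plus
    lines that hand out an archive password."""
    flags = []
    for _text, url in MARKDOWN_LINK.findall(readme):
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        first_path = parsed.path.strip("/").split("/")[0].lower()
        if host in SHORTENERS:
            flags.append(("shortener", url))
        elif host not in ("github.com", "www.github.com"):
            flags.append(("external", url))
        elif first_path != repo_owner.lower():
            flags.append(("other-account", url))    # e.g. a Release account's repo
    for line in readme.splitlines():
        if re.search(r"\bpassword\b", line, re.I):
            flags.append(("password-hint", line.strip()))
    return flags


def demo():
    """Constructed repo: six fresh empty accounts star within hours, two organic
    accounts star days later; the README links to another account's release."""
    base = datetime(2024, 6, 1)
    ghosts = [Stargazer(f"ghost{i}", base - timedelta(days=10 + i), 0, 0,
                        base + timedelta(hours=i)) for i in range(6)]
    organic = [Stargazer("olddev", base - timedelta(days=1500), 40, 120,
                         base + timedelta(days=5)),
               Stargazer("maintainer", base - timedelta(days=900), 12, 30,
                         base + timedelta(days=9))]
    readme = "\n".join([
        "# Free cracked build",
        "[DOWNLOAD](https://github.com/release-acct/other-repo/releases/download/v1/Loader.zip)",
        "[Mirror](https://goo.su/example)",
        "Password: yanabibika",
    ])
    return ghost_score(ghosts + organic), readme_flags(readme, "repo-acct")


if __name__ == "__main__":
    print(demo())
```

The burst signal is the one that survives an actor ageing accounts before use: stars bought from a Ghost pool still land within hours of each other, while organic stars trickle in. Treat the score as triage input, not a verdict; a legitimate release announcement can also produce a short burst.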

Indicators of Compromise

  • [File hash] Atlantida files – 2B6C8AA2AC917D978DFEC53CEF70EACA36764A93D01D93786CC0D84DA47CE8E6, 385EBE3D5BD22B6A5AE6314F33A7FA6AA24814005284C79EDAA5BDCF98E28492
  • [File hash] Atlantida loader/ injector artifacts – 2EBF051F6A61FA825C684F1D640BFB3BD79ADD0AFCFF698660F83F22E6544CBA, AB59A8412E4F8BF3A7E20CD656EDACF72E484246DFB6B7766D467C2A1E4CDAB0
  • [IP address] C2 and download servers – 185.172.128.95, 147.45.44.73, 89.23.98.116, 147.78.103.199
  • [IP/port] Rhadamanthys Go downloader and Rhadamanthys C2 – 147.45.44.73:1488, 89.23.98.116:1444, 147.78.103.199:2529
  • [Domain/URL] Maestrascreciendoenamor.com/Loader-Installers.zip (archive download) and URL shorteners (goo.su, bit.ly) used to redirect victims
  • [URL] index.php and download.php redirect chain hosted on the AstraHebz WordPress site, used in the Atlantida/Rhadamanthys campaign
  • [Email] commit authors and accounts – [email protected], [email protected]
  • [Password] yanabibika (password for the password-protected archives)
  • [SHA256] 98B7488B1A18CB0C5E360C06F0C94D19A5230B7B15D0616856354FB64929B388 (sample from a Rhadamanthys release)
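A practitioner's first use of the list above is a sweep over existing telemetry. The Python below is an added example, not Check Point's tooling: it matches this page's IP, IP:port, SHA-256 and domain indicators against log lines, reporting a listed socket as a socket rather than double-counting its IP, and matching hashes case-insensitively. The indicator values are the ones listed on this page; the log lines, their field layout and the internal addresses in them are constructed.

```python
"""Sweep log records for the indicators listed above (C2 sockets, server IPs,
file hashes and the download domain). Added example, not Check Point's code;
indicator values are copied from this page's IoC list, the log lines are
constructed to exercise each indicator type."""
import re

IOC_SHA256 = {h.lower() for h in (
    "2B6C8AA2AC917D978DFEC53CEF70EACA36764A93D01D93786CC0D84DA47CE8E6",
    "385EBE3D5BD22B6A5AE6314F33A7FA6AA24814005284C79EDAA5BDCF98E28492",
    "2EBF051F6A61FA825C684F1D640BFB3BD79ADD0AFCFF698660F83F22E6544CBA",
    "AB59A8412E4F8BF3A7E20CD656EDACF72E484246DFB6B7766D467C2A1E4CDAB0",
    "98B7488B1A18CB0C5E360C06F0C94D19A5230B7B15D0616856354FB64929B388",
)}
IOC_SOCKETS = {"147.45.44.73:1488", "89.23.98.116:1444", "147.78.103.199:2529"}
IOC_IPS = {"185.172.128.95", "147.45.44.73", "89.23.98.116", "147.78.103.199"}
IOC_DOMAINS = {"maestrascreciendoenamor.com"}

IP_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def match_line(line):
    """Return (indicator_type, value) pairs found in one log line.
    A listed IP:port is reported once, as the socket, not also as the bare IP;
    a listed IP on some other port is reported as an IP hit."""
    hits = []
    for ip, port in IP_PORT.findall(line):
        if port and f"{ip}:{port}" in IOC_SOCKETS:
            hits.append(("socket", f"{ip}:{port}"))
        elif ip in IOC_IPS:
            hits.append(("ip", ip))
    for h in SHA256.findall(line):
        if h.lower() in IOC_SHA256:
            hits.append(("sha256", h.lower()))
    for host in HOST.findall(line):          # also matches dotted IPs, which are not in IOC_DOMAINS
        if host.lower() in IOC_DOMAINS:
            hits.append(("domain", host.lower()))
    return hits


def scan(lines):
    """Map line index -> hits for every line that touches an indicator."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_line(line))}


# Constructed sample telemetry (proxy, EDR and DNS records in a made-up layout).
SAMPLE_LOGS = [
    "2024-06-12T10:01:02Z proxy src=10.0.0.5 dst=147.45.44.73:1488 proto=tcp bytes=2048",
    "2024-06-12T10:01:05Z proxy src=10.0.0.5 dst=93.184.216.34:443 host=example.com",
    "2024-06-12T10:02:00Z edr file=C:\\Users\\u\\Downloads\\Loader.exe "
    "sha256=2b6c8aa2ac917d978dfec53cef70eaca36764a93d01d93786cc0d84da47ce8e6",
    "2024-06-12T10:03:00Z dns query=maestrascreciendoenamor.com type=A",
    "2024-06-12T10:04:00Z proxy src=10.0.0.7 dst=185.172.128.95:80 uri=/download.php",
    "2024-06-12T10:05:00Z edr file=C:\\Temp\\a.bin "
    "sha256=385EBE3D5BD22B6A5AE6314F33A7FA6AA24814005284C79EDAA5BDCF98E28492",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(idx, hits)
```

Shared-hosting IPs on the list (the download servers) will also serve unrelated sites, so an IP-only hit deserves a look at the URI and user agent before it is escalated; a socket hit on one of the Rhadamanthys C2 ports is a much stronger signal.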

Read more: https://research.checkpoint.com/2024/stargazers-ghost-network/