The “Stargazer Goblin” operation, also known as a Distribution as a Service (DaaS) model, enables threat actors to share malicious links and software. This network comprises over 3,000 active accounts engaging in activities such as starring, forking, and subscribing to malicious repositories, giving them the appearance of legitimacy.

This technique is used to entice victims into downloading various types of malware including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The operation was initially detected on a smaller scale in August 2022, with public advertisements for the service appearing in July 2023.

Check Point Research has estimated that from mid-May to mid-June 2024, the network earned approximately $8,000, with total profits since its inception likely reaching around $100,000. According to Check Point, the Microsoft-owned GitHub has long been used as a platform for distributing malicious code, but the Stargazers Ghost Network represents an evolution in these tactics.

The network creates a facade of legitimacy through a high number of “stars” and interactions with repositories. These repositories often contain phishing templates with malicious download links that redirect to encrypted archives, evading detection.

The malicious links were likely shared through platforms such as Discord, targeting users interested in increasing their followers on social media. Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Research, expressed concern about the use of a large source code platform like GitHub, with more than 14 million visitors per day, for malware distribution.

He highlighted the potential global impact of this threat, warning that it could lead to ransomware infections, stolen credentials, and compromised cryptocurrency wallets due to its precise targeting.