
Malware distribution service exploits thousands of GitHub accounts


BleepingComputer reports that the Stargazer Goblin threat actor has operated a network of more than 3,000 fraudulent GitHub accounts, dubbed the Stargazers Ghost Network, since August 2022 to distribute malicious payloads, chiefly information-stealing malware such as Atlantida Stealer, Lumma Stealer, RedLine, Rhadamanthys, and RisePro.

According to a Check Point Research report, Stargazer Goblin used these "Ghost" accounts to lend an appearance of legitimacy to hundreds of repositories advertised as tools for social media, gaming, and cryptocurrency. Further analysis showed that each fake account is assigned a role: one serves the phishing template, another the phishing image, and another the malware itself. Because these roles are separated, Check Point researcher Antonis Terefos noted, the operator only has to update the payload link in the template-serving repository when GitHub detects and removes a malware-serving account, so a takedown does not disrupt the operation. GitHub has taken down more than 1,500 of the fake repositories since May, but over 200 were still spreading malware at the time of the report.
