Discover how Stargazer Goblin's 3,000+ fake GitHub accounts spread Atlantida Stealer malware through deceptive repositories and encrypted archives

Continue reading
As email-based attacks experience resilient defenses, hackers are getting creative in evading detection. That's where Stargazer Goblin enters, a group that’s turning GitHub into a malware distribution channel. Once a mere attack vector in malware distribution, GitHub has now been in the limelight.
Stargazer Goblin has devised a sophisticated Malware Distribution-as-a-Service (DaaS) system, utilizing fake "Ghost" accounts to disseminate malware. These accounts manipulate GitHub's system by starring, forking, and following repositories to appear legitimate and deceive users. Instead of directly spreading malicious software, threat actors are deploying a network of _"Ghost"_ accounts that promote malware through malicious links embedded in repositories and encrypted archives. These accounts simulate normal user behavior, lending a facade of legitimacy to their actions and the repositories they control.
Over 2,200 malicious GitHub repositories associated with Stargazer Goblin's ghost accounts were discovered.
A notable January 2024 campaign used these tactics to distribute Atlantida Stealer, a potent malware that exfiltrates passwords and personal information. This attack successfully compromised over 1,300 users in just four days, primarily through Discord channels.
Stargazer Goblin has redefined malware distribution through a network of fake accounts on GitHub. This network creates a false sense of legitimacy by using multiple accounts to _"star"_ and _"verify"_ malicious links.

*Ghost GitHub Account Participating in the Scheme*
This structure allows Stargazer Goblin to swiftly adapt to bans on accounts or repositories, ensuring minimal disruption to their operations.
The network employs automated systems to detect and mitigate the effects of banned accounts or repositories. When a malware-serving account is banned by GitHub, Stargazer Goblin updates the phishing repository with new links to active malicious releases, ensuring continued operation.
CheckPoint Research’s investigation found that a January 2024 campaign by Stargazer Goblin distributed Atlantida Stealer malware, likely targeting Twitch users via Discord. This attack chain leveraged compromised WordPress sites, raising concerns about suspicious GitHub repositories containing WordPress code.
Attack Chain Overview:
Recent commits have revealed several malicious URLs associated with Stargazer Goblin’s campaigns. Below are some instances:
ViewBot is an automated tool designed to increase social media engagement. It uses social network APIs to simulate natural interactions, including:
Warning: Using such tools to artificially inflate social media metrics may violate platform terms and result in account suspension.

*Exploits an Iframe to Load External Content and Uses VBScript to Execute PowerShell Commands for System Compromise*
This code contains suspicious elements such as:
Immediate action is required:
Please use the following commands for GitHub fee:

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.