Stargazer Goblin is a threat actor that has been operating since August 2022. It has used GitHub, a platform generally treated as legitimate, to distribute several malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer. The actor built an elaborate network of "ghost" accounts across GitHub, Twitter, YouTube, Discord, Instagram, Facebook, and other platforms, forming a resilient Distribution as a Service (DaaS) model. This strategy lets Stargazer Goblin evade suspicion, limit the damage when GitHub takes down parts of the network, and recover quickly by updating the broken links.
The operation is strategically designed with different accounts serving distinct purposes: the first account updates phishing repositories with new links to active malicious releases, the second provides the image for phishing templates, while the third serves malware as a password-protected archive in a release. This structure allows Stargazer Goblin to quickly fix any broken links resulting from accounts or repositories being banned due to malicious activities. The total estimated profit for Stargazer Goblin from these activities is around $100,000.
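The three-role structure described above (one account hosting the phishing repository and its links, another hosting the template image, a third hosting the password-protected release) gives defenders something to look for. The following triage heuristic is an added example, not code from the original write-up: it scores repository records for release links that point at a different account, archive assets, and a README that supplies an archive password. The scoring weights, the `Repo` record shape and the sample repositories are constructed assumptions.

```python
"""Heuristic triage for the cross-account release-link pattern (added example)."""
import re
from dataclasses import dataclass

# Release-asset download URLs on GitHub: capture the owning account and repo.
RELEASE_URL_RE = re.compile(
    r"https?://github\.com/([\w.-]+)/([\w.-]+)/releases/download/[^\s)]+"
)
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\bpassword\b\s*[:=]?\s*\S+", re.IGNORECASE)


@dataclass
class Repo:
    """Minimal constructed view of a repository and its README."""
    owner: str
    name: str
    readme: str
    link_only_edits: int  # constructed: commits that changed only a download link


def score_repo(repo: Repo) -> tuple[int, list[str]]:
    """Return a heuristic score and the reasons that contributed to it."""
    score, reasons = 0, []
    for m in RELEASE_URL_RE.finditer(repo.readme):
        link_owner, link_repo, url = m.group(1), m.group(2), m.group(0)
        if link_owner.lower() != repo.owner.lower():
            # README links to a release hosted under another account (role split).
            score += 2
            reasons.append(f"release link to another account: {link_owner}/{link_repo}")
        if ARCHIVE_RE.search(url):
            score += 1
            reasons.append(f"release asset is an archive: {url.rsplit('/', 1)[-1]}")
    if PASSWORD_RE.search(repo.readme):
        # Password-protected archives defeat automated scanning of the asset.
        score += 2
        reasons.append("README supplies an archive password")
    if repo.link_only_edits >= 3:
        # Repeated link-only edits match the "fix broken links quickly" behaviour.
        score += 1
        reasons.append(f"{repo.link_only_edits} link-only README edits")
    return score, reasons


def is_suspicious(repo: Repo, threshold: int = 4) -> bool:
    """Flag a repository once its heuristic score reaches the threshold."""
    return score_repo(repo)[0] >= threshold


if __name__ == "__main__":
    demo = Repo("template-owner-example", "tool", "Download: https://github.com/"
                "release-host-example/build/releases/download/v1.2/app.zip\n"
                "Archive password: 1234", link_only_edits=5)
    print(is_suspicious(demo), score_repo(demo))
```

Scores are a triage aid for analysts reviewing repository metadata, not a verdict; a legitimate project that links to its own releases and never mentions a password scores low under these rules.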
Notably, there were significant surges in activity on May 27, 2024, and May 31, 2024, with 621 and 555 instances respectively. These spikes suggest a possible campaign during those dates or a response to GitHub disrupting parts of Stargazer Goblin's operations. Furthermore, it is believed that the Atlantida Stealer campaigns, which targeted social media-oriented users, might have been executed by Stargazer Goblin to acquire accounts for the Ghost networks.
Description last updated: 2024-08-14T09:34:22.567Z