Stargazers Ghost Network

Threat Actor updated 5 days ago (2024-11-29T13:46:20.487Z)
The Stargazers Ghost Network is a malicious threat actor identified by Check Point Research that uses GitHub accounts to distribute malware and malicious links through phishing repositories. The group operates and maintains the network and relies on a novel technique to raise the perceived legitimacy of its repositories: it controls many GitHub accounts that star, fork and otherwise interact with a malicious repository, creating an illusion of popularity and trust that can deceive users into downloading and running harmful content. Because the star count is the signal being gamed, it should not be treated as a measure of trust; the age, activity and diversity of the accounts behind the stars is a better check.

Throughout September and October 2024 the network distributed GodLoader, a malicious loader, using this method; the same malicious archive had previously been distributed in campaigns on September 12, September 14, and September 29, 2024. The network operates as a Distribution-as-a-Service (DaaS), letting its customers distribute malware through seemingly legitimate GitHub repositories, and its campaigns have shown high infection rates, demonstrating how effective the approach is for gaining initial access.

The Stargazers Ghost Network has been active since at least August 2022 and has distributed several malware families, including Atlantida Stealer, the Rhadamanthys infostealer, RisePro, RedLine, and Lumma Stealer. An advertisement from July 2023 found on a dark web forum shows that the group charges for its services, indicating a commercial motive. Its tactics mark a new era of malware distribution in which ordinary GitHub actions such as starring and forking are used to make malicious repositories appear legitimate to unsuspecting users.
Description last updated: 2024-11-28T11:50:10.205Z
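The starring technique described above leaves a measurable trace: the accounts that star a ghost-network repository tend to be newly created, empty, and to star within a short burst. The following is an added example, not Check Point's or the Cybergeist dataset's code, of a heuristic that scores a repository's stargazer list for that pattern. Field names follow the GitHub REST API (`starred_at` from the stargazers endpoint when requested with the `application/vnd.github.star+json` media type; `created_at`, `public_repos` and `followers` from the users endpoint), but the sample records are constructed here, and the thresholds (30-day account age, 24-hour burst window, 50 % / 60 % fractions) are assumptions to tune against your own data.

```python
"""Heuristic scoring of a GitHub repository's stargazers for "ghost" inflation.

Added example (not from the original page or from Check Point Research).
Input records are dicts shaped like merged GitHub REST API responses; the
SAMPLE_* lists below are constructed, not real accounts.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Stargazer:
    login: str
    created_at: datetime  # account creation time (GitHub users endpoint)
    starred_at: datetime  # when the star was given (stargazers endpoint, star+json)
    public_repos: int
    followers: int


def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 'Z'-suffixed timestamps GitHub returns."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_stargazers(records: list[dict]) -> list[Stargazer]:
    """Build Stargazer objects from API-shaped dicts (missing counts default to 0)."""
    return [
        Stargazer(
            login=r["login"],
            created_at=_parse(r["created_at"]),
            starred_at=_parse(r["starred_at"]),
            public_repos=int(r.get("public_repos", 0)),
            followers=int(r.get("followers", 0)),
        )
        for r in records
    ]


def max_stars_in_window(stargazers: list[Stargazer], window: timedelta = timedelta(hours=24)) -> int:
    """Largest number of stars that fall inside any sliding window of the given length."""
    times = sorted(s.starred_at for s in stargazers)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def ghost_score(stargazers: list[Stargazer], young_days: int = 30,
                ghost_fraction: float = 0.5, burst_fraction: float = 0.6) -> dict:
    """Return per-repo fractions and a verdict. Thresholds are assumed defaults."""
    n = len(stargazers)
    if n == 0:
        return {"stars": 0, "young_fraction": 0.0, "empty_fraction": 0.0,
                "burst_fraction": 0.0, "suspicious": False}
    # Accounts created shortly before they starred (ghost accounts are registered on demand).
    young = sum(1 for s in stargazers if s.starred_at - s.created_at <= timedelta(days=young_days))
    # Accounts with no repositories and no followers (no organic footprint).
    empty = sum(1 for s in stargazers if s.public_repos == 0 and s.followers == 0)
    burst = max_stars_in_window(stargazers)
    result = {"stars": n, "young_fraction": young / n,
              "empty_fraction": empty / n, "burst_fraction": burst / n}
    # A real project can get a star burst after a blog post, but not from accounts that
    # are almost all new and empty, so require all three signals together.
    result["suspicious"] = (result["young_fraction"] >= ghost_fraction
                            and result["empty_fraction"] >= ghost_fraction
                            and result["burst_fraction"] >= burst_fraction)
    return result


# Constructed sample: eight ghost-like accounts starring within minutes, plus two organic ones.
SAMPLE_SUSPECT = [
    {"login": f"ghost{i}", "created_at": "2024-09-03T10:00:00Z",
     "starred_at": f"2024-09-12T14:0{i}:00Z", "public_repos": 0, "followers": 0}
    for i in range(8)
] + [
    {"login": "dev_a", "created_at": "2019-02-11T08:00:00Z",
     "starred_at": "2024-09-14T09:30:00Z", "public_repos": 12, "followers": 40},
    {"login": "dev_b", "created_at": "2017-07-01T12:00:00Z",
     "starred_at": "2024-09-29T18:05:00Z", "public_repos": 3, "followers": 5},
]

# Constructed sample: a repository with slow, organic stars from established accounts.
SAMPLE_ORGANIC = [
    {"login": f"user{i}", "created_at": f"20{15 + i}-05-01T00:00:00Z",
     "starred_at": f"2024-0{6 + i % 4}-1{i}T10:00:00Z",
     "public_repos": 4 * i, "followers": 2 * i}
    for i in range(6)
]

if __name__ == "__main__":
    print("suspect:", ghost_score(load_stargazers(SAMPLE_SUSPECT)))
    print("organic:", ghost_score(load_stargazers(SAMPLE_ORGANIC)))
```

In practice you would fill the records by paging the stargazers endpoint for the repository and then fetching each login from the users endpoint; the three fractions are more useful as a triage ranking across many repositories than as a hard verdict, since a single legitimate repository can occasionally satisfy one of them.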
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors; the following names or profiles may overlap with this actor.
Alias: Ghost (2 votes)
Ghost is a possible alias for Stargazers Ghost Network. The "Ghost" malware, first discovered in 2020, is a sophisticated and successful malicious software that has been discreetly distributed via a network of GitHub accounts known as the Stargazers Ghost Network. This network utilizes open-source and legitimate software repositories to exploit trust and
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
GitHub
Associated Malware
Malware: Rhadamanthys (association type: Unspecified; 2 votes)
The Rhadamanthys malware is associated with Stargazers Ghost Network. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact

Malware: GodLoader (association type: Unspecified; 2 votes)
The malware GodLoader is associated with Stargazers Ghost Network.
Source Document References
Information about the Stargazers Ghost Network threat actor was read from the documents corpus below.