Stargazers Ghost Network

Threat Actor updated a month ago (2024-08-14T11:18:04.837Z)
The Stargazers Ghost Network, identified by Check Point Research (CPR), is a malicious network of GitHub accounts that distributes malware and harmful links through phishing repositories. The network has been operating since at least August 2022, but its first public advertisement appeared in July 2023. The group uses multiple GitHub accounts to star and verify a malicious repository, thereby enhancing its perceived legitimacy. Most repositories on the Stargazers Ghost Network use tags that place them at the top of GitHub searches, making them more likely to be clicked on by unsuspecting users.

The Stargazers Ghost Network has successfully distributed a variety of malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer. The network operates as a Distribution-as-a-Service (DaaS) system, charging for services such as starring a repository with numerous accounts or providing an account with an aged repository, which is generally more trusted than a new one. This approach to malware distribution marks a new era in cybercrime, in which malicious repositories are made to appear legitimate through seemingly organic activity such as starring and forking.

Despite actions taken by GitHub to disrupt its operations, the Stargazers Ghost Network has minimized its losses by spreading activities across different profiles and accounts; as a result, a takedown usually disrupts only one part of the operation rather than all involved accounts. The network's campaigns have proven extremely successful, with total estimated profits of around $100,000 since it started operating publicly in July 2023. With its innovative and effective strategies, the Stargazers Ghost Network represents a significant threat in the cybercrime landscape.
Description last updated: 2024-08-14T08:43:39.207Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Ghost | 2 | "Ghost" is a potent malware that has been plaguing the digital world. In 2020, the first signs of its impending threat emerged with the planning of a large bilateral CDU/MDANG Ex Cyber Ghost operation. However, it wasn't until Check Point Research (CPR) identified a network of GitHub accounts, dubbe
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Github
Associated Malware
ID | Type | Votes | Profile Description
Rhadamanthys | Unspecified | 2 | Rhadamanthys is a type of malware, specifically an information stealer, that has been used in cyber attacks against various organizations. It was initially disseminated through phishing and spam emails before the authors switched to using malicious advertisements as the primary infection vector. Thi
Source Document References
Information about the Stargazers Ghost Network Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source | Created | Title
Securityaffairs | a month ago | Security Affairs newsletter Round 483 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | a month ago | 'Stargazer Goblin' Amasses Rogue GitHub Accounts to Spread Malware
Checkpoint | a month ago | 29th July – Threat Intelligence Report - Check Point Research
Checkpoint | 2 months ago | Stargazers Ghost Network - Check Point Research