Stargazers Ghost Network

July 24, 2024, 5:18 p.m.

Description

Check Point Research identified a sophisticated network of GitHub accounts distributing malware through malicious repositories. The Stargazers Ghost Network consists of several types of accounts that perform distinct actions, such as starring, forking, and subscribing, to give the repositories an appearance of legitimacy. The network functions as a Distribution as a Service (DaaS) offering, allowing threat actors to share malicious content. Its operator, tracked as Stargazer Goblin, provides and maintains the network and distributes malware families such as Atlantida Stealer, Rhadamanthys, Lumma Stealer, and RedLine. With over 3,000 active Ghost accounts, the network is estimated to have earned around $100,000 since its inception in August 2022. This marks a new approach to malware distribution that relies on ghost accounts across platforms and may employ AI for targeted campaigns.

Date

  • Created: July 24, 2024, 5:04 p.m.
  • Published: July 24, 2024, 5:04 p.m.
  • Modified: July 24, 2024, 5:18 p.m.

Indicators


Attack Patterns

  • Atlantida Stealer
  • Lumma Stealer
  • RedLine
  • RisePro
  • Rhadamanthys
  • Stargazer Goblin
  • T1568
  • T1086
  • T1490
  • T1010
  • T1012
  • T1189
  • T1497
  • T1491
  • T1489
  • T1106
  • T1057
  • T1105
  • T1071
  • T1055
  • T1498
  • T1204
  • T1027
  • T1566
  • T1003
  • T1059