Daily Security Review

A malware distribution network hiding in plain sight, on GitHub.
This episode unpacks the Stargazers Ghost Network, a massive Distribution-as-a-Service (DaaS) infrastructure run by a threat actor known as Stargazer Goblin. Using over 3,000 GitHub accounts, this operation pushes dangerous information-stealing malware disguised as legitimate game mods and cracked software, particularly targeting communities like Minecraft players.
At the center of the campaign are well-known infostealers such as Atlantida, Rhadamanthys, RisePro, Lumma, and RedLine. The delivery mechanism? Sophisticated Java-based loaders, GitHub phishing repositories, and links embedded across platforms like Twitch, TikTok, YouTube, and Discord.
Key insights we explore:
- Targeted deception: Modded Minecraft downloads hiding Java loaders that drop multiple stealers
- Financial motivation: An estimated $100,000 earned by Stargazer Goblin through stolen data
- Social engineering: Repository stars, forks, and watchers used to appear trustworthy
- Anti-analysis: Malware designed to evade detection with anti-VM and anti-sandbox techniques
- Data exfiltration: Passwords, cookies, crypto wallets, VPN credentials, Discord tokens, and more
- Attribution: Russian-language artifacts and UTC+3 activity suggest a Russian-based operator

We also explore how GitHub's platform was exploited, the use of password-protected archives to bypass scans, and the tiered account structure that allows malicious repositories to reappear even after bans.
With GitHub being abused at this scale, and over 1,500 Minecraft users already infected, this case is a wake-up call for both platforms and end users. The combination of malware-as-a-service (MaaS) and DaaS delivery is lowering the bar for cybercriminals and increasing the risk for everyone online.

#StargazersGhost #GitHubMalware #Infostealers #StargazerGoblin #MinecraftMalware #RedLine #Rhadamanthys #LummaStealer #AtlantidaStealer #JavaMalware #MalwareCampaign #CybersecurityPodcast #DaaS #MaaS #InfoSec #GamingCyberThreats #DiscordMalware

What is Daily Security Review?

Daily Security Review is the premier source for news and information on security threats, ransomware and vulnerabilities.