There is a network of GitHub accounts tied to threat actors associated with the Democratic People’s Republic of Korea (DPRK), used for social engineering, which we will refer to as the ‘SuperStar Campaign’. This name stems from findings and self-references within the network of accounts.

Key Points

This research highlights the ongoing evolution of activities linked to DPRK threat actors, leading to the establishment of more organic and credible profiles.

This evolution is reflected in the creation of “organizations” that appear to centralize commands, allowing for the development of a more realistic façade.

The term “SuperStar” is frequently used among these accounts, which led us to coin it as a name for this network of GitHub accounts associated with the activities of threat actors related to the Democratic People’s Republic of Korea (DPRK).

A profile referenced in our previous investigation has been confirmed by the Unit42 research intelligence team as belonging to a campaign in which they pose as recruiters to install malware on the devices of job seekers in the tech industry. They refer to this activity as the CL-STA-240 Contagious Interview campaign.

This investigation expands upon our earlier findings, in which we identified accounts with unusual follower patterns linked to DPRK Threat Actors GitHub accounts. This time, we have monitored the activities of those previously reported accounts, observing that some have been deleted while others have updated their GitHub information.

The accounts reported in these investigations share a following pattern and job-related activity, and they interact with each other, which makes them very different from other threat actors who use GitHub to deliver malware (Stargazer).

With this in mind, we will refer to this network of GitHub accounts associated with the activity of DPRK Threat Actors as the ‘SuperStar Campaign’. This designation is largely based on the findings surrounding their social engineering activities on GitHub.

Investigation:

This investigation serves as a review of the activity of several profiles reported in previous research related to DPRK Threat Actors. We continue to uncover new accounts that exhibit certain patterns, along with recent changes indicating heightened APT activity on GitHub.

Among the GitHub accounts, we observed significant activity from the following account, which had been reported in previous investigations:

https://github.com/xaramore

Upon analyzing the accounts that follow xaramore, we notice various types of recently created accounts. Some of these align with the earlier patterns, including the following accounts:

Likewise, there are accounts that caught our attention because of their recent and high activity, for example:

https://github.com/shinevue

This profile has some interesting information and some suspicious activity in joining these “organizations”.

For example, the organizations it joined:

https://github.com/shinevue?tab=overview&from=2024-07-01&to=2024-07-31

If we focus on this organization: https://github.com/Finalgoal23

Once we check the members of this organization, we find some suspicious profiles we mentioned here before:

https://github.com/orgs/Finalgoal231/people

And other accounts caught our attention, such as:

We will analyze the information within this organization and then examine the profiles we mentioned.

Organization Activity: Finalgoal231

The organization Finalgoal231 has 18 members, the majority of whom appear to be fake profiles:

https://github.com/felipedev418/finalGoal
https://github.com/shinevue/finalGoal
https://github.com/popstar7/finalGoal
https://github.com/techietrend/finalGoal
https://github.com/chivalrousdev/finalGoal
https://github.com/blackghost2693/finalGoal
https://github.com/Luis96920/finalGoal
https://github.com/chainshifu/finalGoal
https://github.com/creative2113/finalGoal
https://github.com/gitMan-stack/finalGoal
https://github.com/Johnhvy/finalGoal
https://github.com/appleseed619/finalGoal
https://github.com/BlackGhost2693/finalGoal
https://github.com/Suzuki0916/finalGoal
https://github.com/grasshousedev/finalGoal
https://github.com/kakashiprodev/finalGoal
https://github.com/shiny7star/finalGoal
https://github.com/goldsunshines/finalGoal
https://github.com/silvershiny/finalGoal

Members of the finalGoal organization

On the other hand, some of the contributors listed in the README.md use nicknames that are sometimes associated with their GitHub accounts:

https://github.com/Finalgoal231/finalGoal/blame/main/README.md

While reviewing the organization’s activity, we noticed several topics in the discussions panel that indicate order, coordination, and feedback among the members of this “organization.” This suspicious activity can be observed:

https://github.com/orgs/Finalgoal231/discussions?discussions_q=

In the topic of discussion:

There appears to be a level of coordination, as they give each other “stars” and answer this request:

https://github.com/orgs/Finalgoal231/discussions/98

Similarly, another discussion topic highlights their group communication, indicating that they seem to be coordinating through Discord:

https://github.com/orgs/Finalgoal231/discussions/36

In another discussion thread, user Suzuki0916 states: “I’m trying to change the email for the project to something else”

In the next screenshot we can see how he is trying to rewrite the entire history of his repository by replacing the old email with a new one:

https://github.com/orgs/Finalgoal231/discussions/69

If we analyze the screenshot, at the top there is some information regarding the PC name: SuperStar@DESKTOP-KS94KMD /c/My-Data/Resume/portafolio/portafolio-Suzuki

It translates to Japanese: “Resume.” This probably indicates that the PC could be named: SuperStar@DESKTOP-KS94KMD

The terms ‘Star,’ ‘Super,’ and ‘Dev’ are often used interchangeably in the GitHub handles of several contributors and have been observed in many related accounts. Moreover, the use of a ‘star’ in profile images is a recurring feature commonly associated with GitHub accounts linked to DPRK activity.

If we keep checking the screenshot, he tried to replace his old email account:

It means he also owns the account of: estebancarrizo619@gmail.com

https://github.com/Nahuel61920

Thus, the account Suzuki0916 owns the email address estebancarrizo619@gmail.com. This email address links to the GitHub user https://github.com/Nahuel61920:
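The history rewrite described above replaces one author e-mail with another across every commit, but the swap often leaves inconsistencies behind: the same author name appearing with several e-mails across a set of repositories, or commits whose author and committer identities no longer match. The following script is an added example (not code from the original post or from any of the accounts discussed) that parses lines in the shape of `git log --format='%H|%an|%ae|%cn|%ce'` and reports both kinds of inconsistency. The log lines and names in `SAMPLE_LOG` are constructed for the example.

```python
"""Flag identity inconsistencies in a git commit log.

Added example, not code from the original post. Input lines follow the
shape of `git log --format='%H|%an|%ae|%cn|%ce'`. Reported signals:
  * author names that appear with more than one e-mail address
  * commits whose author e-mail differs from the committer e-mail
    (a trace commonly left when history is rewritten to swap addresses)
All sample lines below are constructed; the names are not real accounts.
"""
from collections import defaultdict

# Constructed sample log; in practice pipe real `git log` output in.
SAMPLE_LOG = """\
a1b2c3|Dev One|old-address@example.com|Dev One|old-address@example.com
d4e5f6|Dev One|new-address@example.com|Dev One|new-address@example.com
0a1b2c|Dev One|new-address@example.com|Someone Else|other@example.com
feedbe|Alice|alice@example.com|Alice|alice@example.com
"""


def parse_log(text):
    """Split pipe-delimited log lines into commit records."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"unexpected log line: {line!r}")
        sha, an, ae, cn, ce = parts
        commits.append({
            "sha": sha,
            "author_name": an,
            "author_email": ae.lower(),
            "committer_name": cn,
            "committer_email": ce.lower(),
        })
    return commits


def emails_per_author(commits):
    """Return {author_name: [emails]} for names seen with 2+ addresses."""
    mapping = defaultdict(set)
    for c in commits:
        mapping[c["author_name"]].add(c["author_email"])
    return {name: sorted(e) for name, e in mapping.items() if len(e) > 1}


def author_committer_mismatches(commits):
    """Return SHAs whose author and committer e-mails differ."""
    return [c["sha"] for c in commits
            if c["author_email"] != c["committer_email"]]


def report(text):
    """Run both checks over raw log text and return the findings."""
    commits = parse_log(text)
    return {
        "multi_email_authors": emails_per_author(commits),
        "mismatched_commits": author_committer_mismatches(commits),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

Run against a cloned repository with `git log --format='%H|%an|%ae|%cn|%ce' | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; a clean rewrite that touches only one identity still shows up here when older forks, pull-request merges or a second repository retain the pre-rewrite address.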

https://github.com/Nahuel61920

Given that we know this account is controlled by Suzuki0916, there are several signs of suspicious behavior. This attempt to appear more credible, particularly with the addition of personal accounts, raises further suspicion:

https://github.com/Nahuel61920

If we check this profile, we can find him at:

https://www.linkedin.com/in/esteban-nahuel-carrizo-69715422b/
https://nahuel61920.github.io/portafolio-Nahuel/
https://nahuel61920.netlify.app/
https://nahuel61920.netlify.app/sobre-mi
https://www.instagram.com/nahuelcarrizolc/?hl=es-la
https://nahuel61920.github.io/Justice/
https://www.freelancer.co.ke/u/nahuel61920
https://appstorespy.com/android-google-play/com.motoxpress.moto_xpress-trends-revenue-statistics-downloads-ratings
https://remoteok.com/hire-remotely/php+sequelize

If we revisit and continue examining some of the discussions, we can observe how they manage multiple accounts. In this pull request, for instance, we see a user changing their username:

https://github.com/Finalgoal231/finalGoal/pull/74

The user popstar7 changed the username of the GitHub account from oddcommitking to Luis96920

Although the GitHub account [oddcommitking] no longer exists, there are still some traces left behind, such as modifications made to the README.md of the organization finalgoal231. Additionally, more suspicious accounts continue to emerge:

https://github.com/Finalgoal231/finalGoal/commit/b7c548f010d29fcd3cce394392a647082c5b0945

It is clear that this account was previously a contributor. However, its name has been changed from oddcommitking to Luis96920.

In this regard, the account Luis96920 is owned and controlled by popstar7:

https://github.com/Luis96920

According to the information, this account is located in Colombia and was created on July 12, 2024:

He also belongs to the organization that includes these suspicious profiles:

There is also some activity on Freelancer:

https://www.freelancer.hk/u/luis96920

However, on Freelancer, he goes by the name Luis Fernando M, while on GitHub, as we noted, he is identified as Luis Saavedra:

Upon analyzing the followers of https://github.com/Luis96920, we discovered several new accounts that are also based in Colombia:

https://github.com/sergiourrego

And there is an account in his followers named Onder Kayabasi:

https://github.com/Luis96920?tab=followers

This account had previously been tracked and linked to DPRK Threat Actors activity in our first investigation of their suspicious activity:

https://github.com/firststar19950115

This user/account, Onder Kayabasi, had been reported for attempting to recruit someone while also sending them malware, as explained by Richard Chang:

https://www.linkedin.com/posts/rlwchang_onder-kayabasi-ecoseeds-linkedin-activity-7206406462670057473-aARP/?utm_source=share&utm_medium=member_desktop

That account had been deleted on GitHub; however, this new account uses the same names and skill descriptions as the accounts previously reported.

This account had previously been tracked and linked to Lazarus activity in our first investigation of suspicious activity in GitHub.

Recent research from Unit 42, the threat intelligence team at Palo Alto Networks, confirms that the profile identified in our initial investigation is linked to the CL-STA-0240 “Contagious Interview” campaign, attributed to threat actors from the Democratic People’s Republic of Korea (DPRK). In this campaign, attackers pose as recruiters to compromise the devices of job seekers in the tech industry with malware.

https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/

The report also highlights that the attackers behind this campaign introduced a new Qt version of the BeaverTail malware as early as July 2024.

This suggests that the recent suspicious activity we observed on GitHub in this investigation is likely connected to DPRK operations, as the account in question is actively engaging (following, starring, same organization) with some profiles we previously identified in the GitHub “organization” finalgoal231.

These organizations and this network of accounts seem related to the Contagious Interview (CL-STA-0420) and Wagemole (CL-STA-0421) campaigns. Both campaigns are linked to the North Korean state-sponsored advanced persistent threat (APT38) known as the Lazarus Group.

The second campaign, named “Wagemole,” involves threat actors seeking unauthorized employment with organizations in the US and other global locations, aiming for both financial gain and espionage.

In this context, much of this network of suspicious accounts can pivot between these two campaigns. Likewise, this type of organization can be more effective in selecting and targeting objectives.

Part II: Analyzing suspicious profiles within these organizations:

Upon analyzing recent activity, we observe the creation of new accounts that are joining organizations as members and contributors. Additionally, suspicious organizations like Finalgoal231 have been created.

This likely serves two purposes: first, to increase the credibility of these profiles, making it easier for them to blend in with real users; and second, as we’ve seen, it’s a coordinated way to target more specific objectives.

This suggests that social engineering operations may be shifting towards more organized methods of engaging with targets. By joining legitimate organizations/contributing and creating fake ones, attackers can craft more organic and, therefore, more believable profiles.

Suspicious accounts in organizations

As we previously demonstrated, the account @shinevue is quite active in the organization FinalGoal231:

https://github.com/shinevue

It has joined at least seven organizations, some of which appear legitimate, while others seem suspicious.

The organizations that some of these accounts follow are:

https://github.com/jazzband
https://github.com/EddieHubCommunity
https://github.com/Design-and-Code
https://github.com/App-Choreography
https://github.com/Magic-Academy
https://github.com/infraform
https://github.com/AccessibleForAll
https://github.com/yfosp
https://github.com/FearlessTech
https://github.com/Finalgoal231

Within these organizations, there are several accounts that are very similar to those previously reported, which are linked to activities associated with DPRK Lazarus Group operations.

A few examples of profiles with suspicious activity found in these organizations are:

https://github.com/persec10000

This other related account uses a similar bio, profile image and information (richworld3ta):

https://github.com/ch2888

These profiles are connected to their activities, and some even use the same type of images we reported in an earlier investigation:

https://medium.com/coinmonks/suspicious-activity-in-github-associated-with-lazarus-group-200868dff910

More examples of accounts in the organizations that seem to be related to their activity:

https://github.com/Topstar88

There are also some accounts that use the term “SuperStar”, which is characteristic of this campaign:

https://github.com/e-nitram

As demonstrated, there is a clear connection between the GitHub accounts highlighted in this investigation. Additionally, there is a noticeable preference for certain words when creating GitHub handles, images, and other visible patterns that could serve as an initial filter. However, follower/following activity must not be overlooked.
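The two signals named above, recurring words in handles and dense follower/following links back to already-flagged accounts, can be combined into a simple triage score. The script below is an added example (not code from the original post) that does so over a constructed follow graph: `FOLLOWS` maps each handle to the handles it follows, `SEEDS` holds accounts treated as already flagged, and both are invented for the example. It generalizes the post's manual pivot (start from a known account, look at who it follows and who follows it back) into a ranking that only counts a link to a seed when it is mutual, so a legitimate maintainer merely followed by a suspicious account is not promoted by that alone. Real follow lists would come from the GitHub API (`GET /users/{login}/following`), which this offline example does not call.

```python
"""Rank GitHub handles by naming pattern and mutual-follow overlap.

Added example, not from the original post. Signals:
  * keyword hits in the handle ('star', 'super', 'dev', as noted in the post)
  * mutual follows (A follows B and B follows A) with any account
  * mutual follows with a seed account that was already flagged (weighted x2)
The follow graph and seed list below are constructed, not real accounts.
"""

KEYWORDS = ("star", "super", "dev")

# Constructed follow graph: handle -> set of handles it follows.
FOLLOWS = {
    "superstar01": {"devking9", "starlight7", "alice-oss"},
    "devking9": {"superstar01", "starlight7"},
    "starlight7": {"superstar01", "devking9"},
    "alice-oss": {"bob-maintainer"},
    "bob-maintainer": {"alice-oss", "kubernetes-bot"},
    "kubernetes-bot": set(),
}

# Constructed: accounts flagged by earlier work and used as pivot points.
SEEDS = {"superstar01"}


def handle_keyword_hits(handle):
    """Return the keywords (in KEYWORDS order) found in the handle."""
    lowered = handle.lower()
    return [k for k in KEYWORDS if k in lowered]


def mutual_follows(graph, handle):
    """Handles that `handle` follows and that follow `handle` back."""
    return {other for other in graph.get(handle, set())
            if handle in graph.get(other, set())}


def score_accounts(graph, seeds):
    """Compute per-handle evidence and a numeric score for every handle."""
    scores = {}
    for handle in graph:
        keywords = handle_keyword_hits(handle)
        mutual = mutual_follows(graph, handle)
        seed_links = {s for s in mutual if s in seeds and s != handle}
        score = len(keywords) + len(mutual) + 2 * len(seed_links)
        scores[handle] = {
            "keywords": keywords,
            "mutual": sorted(mutual),
            "seed_links": sorted(seed_links),
            "score": score,
        }
    return scores


def ranked(graph, seeds, threshold=2):
    """Handles at or above `threshold`, highest score first, ties by name."""
    scores = score_accounts(graph, seeds)
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1]["score"], kv[0]))
    return [handle for handle, info in ordered if info["score"] >= threshold]


if __name__ == "__main__":
    for handle in ranked(FOLLOWS, SEEDS):
        print(handle, score_accounts(FOLLOWS, SEEDS)[handle])
```

The score is deliberately crude: it is a first-pass filter for analyst review, not an attribution. Handles that share a keyword but have no mutual links to flagged accounts stay low, which matches the post's caveat that naming patterns alone are not enough.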

Part III: Analyzing suspicious profiles within these organizations:

A key part of analyzing the social engineering operations is that it allows us to anticipate their attack vectors long before they can even engage with us. By tracking their social engineering efforts, we can better understand the direction of their campaign and, as a result, stay one step ahead.

Much of the ability to find this recent activity and suspicious accounts is due to the analysis of some key patterns within this network, which allows us to start from certain GitHub accounts and connect with accounts that display higher activity.

Below is a list of suspicious accounts linked to DPRK — APT threat actor operations on GitHub, identified in this investigation across various organizations and their follower networks. These accounts have been categorized based on prior investigations, account activity, follower/following patterns, profile details, images/bios, GitHub handles, location associations, and other internal factors.

Suspicious GitHub accounts related to Lazarus operations found in this investigation:

https://github.com/firststar19950115
https://github.com/persec10000
https://github.com/ch2888
https://github.com/Topstar88
https://github.com/Nahuel61920
https://github.com/felipedev418
https://github.com/shinevue
https://github.com/popstar7
https://github.com/techietrend
https://github.com/chivalrousdev
https://github.com/blackghost2693
https://github.com/Luis96920
https://github.com/chainshifu
https://github.com/creative2113
https://github.com/gitMan-stack
https://github.com/Johnhvy
https://github.com/appleseed619
https://github.com/BlackGhost2693
https://github.com/Suzuki0916
https://github.com/grasshousedev
https://github.com/kakashiprodev
https://github.com/shiny7star
https://github.com/goldsunshines
https://github.com/silvershiny
https://github.com/kingp08
https://github.com/GoodLuck0129
https://github.com/teamchong
https://github.com/web3batman
https://github.com/ChallengeHandler
https://github.com/cedev935
https://github.com/deepsea514
https://github.com/bojanterzic529
https://github.com/ChallengeHandler
https://github.com/SacredDevKing
https://github.com/ChallengeHandler
https://github.com/sminio
https://github.com/SacredDever
https://github.com/SacredDevKing

It is important to note that this is just a sample, highlighting the activity of some suspicious accounts. However, the total number of suspicious accounts is much larger, and the full list remains confidential for investigative purposes.

Conclusion

The purpose of developing this type of analysis is that it allows us to gather much more information about the attacker through additional data — ‘unrevealed’ by them — before they can approach or interact with us. In this sense, it is useful to obtain more context about these accounts without relying solely on the false identities the attacker provides.

A contextual analysis of the individual can sometimes be more accurate than attempting to verify the false or stolen identities used by these attackers. Therefore, a holistic intelligence analysis must go beyond traditional or automated background checks.

PS: I’d like to thank blackbigswan for helping me with dumping the data from these GitHub accounts.

Reviewing the activity of GitHub accounts associated with Lazarus was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.
