
{"id":32068,"date":"2024-12-30T13:31:50","date_gmt":"2024-12-30T13:31:50","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=32068"},"modified":"2024-12-30T13:31:50","modified_gmt":"2024-12-30T13:31:50","slug":"reviewing-the-activity-of-github-accounts-associated-with-lazarus","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=32068","title":{"rendered":"Reviewing the activity of GitHub accounts associated with Lazarus"},"content":{"rendered":"<h4>There is a network of GitHub accounts tied to threat actors associated with the Democratic People\u2019s Republic of Korea (DPRK), used for social engineering, which we will refer to as the \u2018SuperStar Campaign\u2019. This name stems from findings and self-references within the network of accounts.<\/h4>\n<h3>Key Points<\/h3>\n<p>This research highlights the ongoing evolution of activities linked to DPRK threat actors, leading to the establishment of more organic and credible profiles. This evolution is reflected in the creation of \u201corganizations\u201d that appear to centralize commands, allowing for the development of a more realistic fa\u00e7ade. The term \u201cSuperStar\u201d is frequently used among these accounts, which led us to coin it as a name for this network of GitHub accounts associated with the activities of threat actors related to the Democratic People\u2019s Republic of Korea\u00a0(DPRK). A profile referenced in our previous investigation has been <a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters\/\">confirmed by the Unit42 research intelligence team as belonging to a campaign in which they pose as recruiters to install malware on the devices of job seekers in the tech industry<\/a>. 
They refer to this activity as the CL-STA-240 Contagious Interview campaign.<\/p>\n<p>This investigation expands upon our earlier findings, in which we identified accounts with unusual follower patterns linked to GitHub accounts of DPRK threat actors. This time, we have monitored the activities of those previously reported accounts, observing that some have been deleted while others have updated their GitHub information.<\/p>\n<p>The accounts reported in the investigations share a following pattern and job activity, and they interact with each other, which makes them very different from other threat actors who use GitHub to deliver malware (<a href=\"https:\/\/research.checkpoint.com\/2024\/stargazers-ghost-network\/\">Stargazer<\/a>).<\/p>\n<p>With this in mind, we will refer to this network of GitHub accounts associated with the activity of DPRK Threat Actors as the \u2018SuperStar Campaign\u2019. This designation is largely based on the findings surrounding their social engineering activities in\u00a0GitHub.<\/p>\n<p><strong>Investigation:<\/strong><\/p>\n<p>This investigation serves as a review of the activity of several profiles reported in previous research related to DPRK Threat Actors. We continue to uncover new accounts that exhibit certain patterns, along with recent changes indicating heightened APT activity on GitHub.<\/p>\n<p>Among the GitHub accounts, we observed significant activity from the following account, which had been reported in previous investigations:<\/p>\n<p><a href=\"https:\/\/github.com\/xaramore\">https:\/\/github.com\/xaramore<\/a><\/p>\n<p>Upon analyzing the accounts that follow Xaramore, we notice various types of recently created accounts. 
Some of these align with the previous patterns, including the following accounts:<\/p>\n<p>Likewise, there are accounts that caught our attention because of their recent and high activity, for\u00a0example:<\/p>\n<p><a href=\"https:\/\/github.com\/shinevue\">https:\/\/github.com\/shinevue<\/a><\/p>\n<p>This profile has some interesting information and shows some suspicious activity in joining these \u201corganizations\u201d.<\/p>\n<p>For example, the organizations he\u00a0joined:<\/p>\n<p><a href=\"https:\/\/github.com\/shinevue?tab=overview&amp;from=2024-07-01&amp;to=2024-07-31\">https:\/\/github.com\/shinevue?tab=overview&amp;from=2024-07-01&amp;to=2024-07-31<\/a><\/p>\n<p>If we focus on this organization: <a href=\"https:\/\/github.com\/Finalgoal231\">https:\/\/github.com\/Finalgoal231<\/a><\/p>\n<p>Checking the members of this organization, we find some suspicious profiles we mentioned here\u00a0before:<\/p>\n<p><a href=\"https:\/\/github.com\/orgs\/Finalgoal231\/people\">https:\/\/github.com\/orgs\/Finalgoal231\/people<\/a><\/p>\n<p>And other accounts caught our attention, such\u00a0as:<\/p>\n<p>We will analyze the information within this organization and then examine the profiles we mentioned.<\/p>\n<p>Organization Activity<strong>:<\/strong> <a href=\"https:\/\/github.com\/Finalgoal231\">Finalgoal231<\/a><\/p>\n<p>The organization <a href=\"https:\/\/github.com\/Finalgoal231\">Finalgoal231<\/a> has 18 members, the majority of whom appear to be fake profiles:<\/p>\n<p>https:\/\/github.com\/felipedev418\/finalGoal<br \/>https:\/\/github.com\/shinevue\/finalGoal<br \/>https:\/\/github.com\/popstar7\/finalGoal<br \/>https:\/\/github.com\/techietrend\/finalGoal<br \/>https:\/\/github.com\/chivalrousdev\/finalGoal<br \/>https:\/\/github.com\/blackghost2693\/finalGoal<br \/>https:\/\/github.com\/Luis96920\/finalGoal<br \/>https:\/\/github.com\/chainshifu\/finalGoal<br \/>https:\/\/github.com\/creative2113\/finalGoal<br 
\/>https:\/\/github.com\/gitMan-stack\/finalGoal<br \/>https:\/\/github.com\/Johnhvy\/finalGoal<br \/>https:\/\/github.com\/appleseed619\/finalGoal<br \/>https:\/\/github.com\/BlackGhost2693\/finalGoal<br \/>https:\/\/github.com\/Suzuki0916\/finalGoal<br \/>https:\/\/github.com\/grasshousedev\/finalGoal<br \/>https:\/\/github.com\/kakashiprodev\/finalGoal<br \/>https:\/\/github.com\/shiny7star\/finalGoal<br \/>https:\/\/github.com\/goldsunshines\/finalGoal<br \/>https:\/\/github.com\/silvershiny\/finalGoal<\/p>\n<p>Members of finalgoal organization<\/p>\n<p>On the other hand, some of the contributors in the README.md <strong>are using nicknames<\/strong> that are sometimes associated with their GitHub accounts:<\/p>\n<p><a href=\"https:\/\/github.com\/Finalgoal231\/finalGoal\/blame\/main\/README.md\">https:\/\/github.com\/Finalgoal231\/finalGoal\/blame\/main\/README.md<\/a><\/p>\n<p>While reviewing the organization\u2019s activity, we noticed several topics in the discussions panel that indicate order, coordination, and feedback among the members of this \u201corganization.\u201d This suspicious activity can be observed:<\/p>\n<p><a href=\"https:\/\/github.com\/orgs\/Finalgoal231\/discussions?discussions_q=\">https:\/\/github.com\/orgs\/Finalgoal231\/discussions?discussions_q=<\/a><\/p>\n<p>In the topic of discussion:<\/p>\n<p>There appears to be a level of coordination, as they give each other \u201cstars\u201d and answer this\u00a0request:<\/p>\n<p><a href=\"https:\/\/github.com\/orgs\/Finalgoal231\/discussions\/98\">https:\/\/github.com\/orgs\/Finalgoal231\/discussions\/98<\/a><\/p>\n<p>Similarly, another discussion topic highlights their group communication, indicating that they seem to be coordinating through\u00a0Discord:<\/p>\n<p><a href=\"https:\/\/github.com\/orgs\/Finalgoal231\/discussions\/36\">https:\/\/github.com\/orgs\/Finalgoal231\/discussions\/36<\/a><\/p>\n<p>In another discussion thread, user Suzuki0916 states: \u201cI\u2019m trying to change the email for 
the project to something else\u201d<\/p>\n<p>In the next screenshot we can see how he is trying to rewrite the entire history of his repository by replacing the old email with a new\u00a0one:<\/p>\n<p><a href=\"https:\/\/github.com\/orgs\/Finalgoal231\/discussions\/69\">https:\/\/github.com\/orgs\/Finalgoal231\/discussions\/69<\/a><\/p>\n<p>If we analyze the screenshot, at the top there is some information regarding the PC name: <strong>SuperStar<\/strong>@DESKTOP-KS94KMD \/c\/My-Data\/Resume\/portafolio\/portafolio-Suzuki<br \/>It translates to Japanese: \u201cResume.\u201d<\/p>\n<p>This probably indicates that the PC could be named: SuperStar@DESKTOP-KS94KMD<\/p>\n<p>The terms \u2018Star,\u2019 \u2018Super,\u2019 and \u2018Dev\u2019 are often used interchangeably in the GitHub handles of several contributors and have been observed in many related accounts. Moreover, the use of a \u2018star\u2019 in profile images is a recurring feature commonly associated with GitHub accounts linked to DPRK activity.<\/p>\n<p>If we keep checking the screenshot, he tried to replace his old email\u00a0account:<\/p>\n<p>It means he also owns the account: <a href=\"mailto:estebancarrizo619@gmail.com\">estebancarrizo619@gmail.com<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/Nahuel61920\">https:\/\/github.com\/Nahuel61920<\/a><\/p>\n<p>Thus, the account Suzuki0916 owns the email address <a href=\"mailto:estebancarrizo619@gmail.com\">estebancarrizo619@gmail.com<\/a>. This email address links to the GitHub user <a href=\"https:\/\/github.com\/Nahuel61920\">https:\/\/github.com\/Nahuel61920<\/a>:<\/p>\n<p><a href=\"https:\/\/github.com\/Nahuel61920\">https:\/\/github.com\/Nahuel61920<\/a><\/p>\n<p>Given that we know this account is controlled by Suzuki0916, there are several signs of suspicious behavior. 
This attempt to appear more credible, particularly with the addition of personal accounts, raises further suspicion:<\/p>\n<p><a href=\"https:\/\/github.com\/Nahuel61920\">https:\/\/github.com\/Nahuel61920<\/a><\/p>\n<p>If we check this profile, we can find him\u00a0on:<\/p>\n<p>https:\/\/www.linkedin.com\/in\/esteban-nahuel-carrizo-69715422b\/<br \/>https:\/\/nahuel61920.github.io\/portafolio-Nahuel\/<br \/>https:\/\/nahuel61920.netlify.app\/<br \/>https:\/\/nahuel61920.netlify.app\/sobre-mi<br \/>https:\/\/www.instagram.com\/nahuelcarrizolc\/?hl=es-la<br \/>https:\/\/nahuel61920.github.io\/Justice\/<br \/>https:\/\/www.freelancer.co.ke\/u\/nahuel61920<br \/>https:\/\/appstorespy.com\/android-google-play\/com.motoxpress.moto_xpress-trends-revenue-statistics-downloads-ratings<br \/>https:\/\/remoteok.com\/hire-remotely\/php+sequelize<\/p>\n<p>If we revisit and continue examining some of the discussions, we can observe how they manage multiple accounts. In this pull request, for instance, we see a user changing their username:<\/p>\n<p><a href=\"https:\/\/github.com\/Finalgoal231\/finalGoal\/pull\/74\">https:\/\/github.com\/Finalgoal231\/finalGoal\/pull\/74<\/a><\/p>\n<p><strong>The user <\/strong><a href=\"https:\/\/github.com\/popstar7\"><strong>popstar7<\/strong><\/a><strong> changed the username of the GitHub account from oddcommitking to Luis96920<\/strong><\/p>\n<p>Although the GitHub account [oddcommitking] no longer exists, there are still some traces left behind, such as modifications made to the README.md of the organization finalgoal231. Additionally, more suspicious accounts continue to\u00a0emerge:<\/p>\n<p><a href=\"https:\/\/github.com\/Finalgoal231\/finalGoal\/commit\/b7c548f010d29fcd3cce394392a647082c5b0945\">https:\/\/github.com\/Finalgoal231\/finalGoal\/commit\/b7c548f010d29fcd3cce394392a647082c5b0945<\/a><\/p>\n<p>It is clear that this account was previously a contributor. 
However, its name has been changed from oddcommitking to Luis96920.<\/p>\n<p><strong>In this regard, the account Luis96920 is owned and controlled by popstar7:<\/strong> <a href=\"https:\/\/github.com\/Luis96920\">https:\/\/github.com\/Luis96920<\/a><\/p>\n<p>According to the information, this account is located in Colombia and was created on July 12,\u00a02024:<\/p>\n<p>He also belongs to the organization that includes these suspicious profiles:<\/p>\n<p>There is also some activity on Freelancer:<\/p>\n<p><a href=\"https:\/\/www.freelancer.hk\/u\/luis96920\">https:\/\/www.freelancer.hk\/u\/luis96920<\/a><\/p>\n<p>However, on Freelancer, he goes by the name Luis Fernando M, while on GitHub, as we noted, he is identified as Luis Saavedra:<\/p>\n<p>Upon analyzing the followers of <a href=\"https:\/\/github.com\/Luis96920\">https:\/\/github.com\/Luis96920<\/a>, we discovered several new accounts that are also based in Colombia:<\/p>\n<p><a href=\"https:\/\/github.com\/sergiourrego\">https:\/\/github.com\/sergiourrego<\/a><\/p>\n<p>And there is an account among his followers named <strong>Onder Kayabasi:<\/strong><\/p>\n<p><a href=\"https:\/\/github.com\/Luis96920?tab=followers\">https:\/\/github.com\/Luis96920?tab=followers<\/a><\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/fake-recruiters-in-github-68d0d3bf297d\">This account had previously been tracked and linked to DPRK Threat Actors activity in our first investigation of their suspicious activity<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/firststar19950115\">https:\/\/github.com\/firststar19950115<\/a><\/p>\n<p>This user\/account, Onder Kayabasi, had been reported for attempting to recruit someone while also sending them malware, as explained by Richard\u00a0Chang:<\/p>\n<p><a 
href=\"https:\/\/www.linkedin.com\/posts\/rlwchang_onder-kayabasi-ecoseeds-linkedin-activity-7206406462670057473-aARP\/?utm_source=share&amp;utm_medium=member_desktop\">https:\/\/www.linkedin.com\/posts\/rlwchang_onder-kayabasi-ecoseeds-linkedin-activity-7206406462670057473-aARP\/?utm_source=share&amp;utm_medium=member_desktop<\/a><\/p>\n<p>This account had been deleted on GitHub; however, this new account uses the same names and skill descriptions as the previously reported accounts.<\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/fake-recruiters-in-github-68d0d3bf297d\">This account had previously been tracked and linked to Lazarus activity in our first investigation of suspicious activity<\/a> in\u00a0GitHub.<\/p>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters\/\">Recent research from Unit 42, the threat intelligence team at Palo Alto, confirms that the profile identified in our initial investigation is linked to the CL-STA-0240 \u201cContagious Interview\u201d campaign<\/a>, attributed to threat actors from the Democratic People\u2019s Republic of Korea (DPRK). 
In this campaign, attackers pose as recruiters to compromise the devices of job seekers in the tech industry with\u00a0malware.<\/p>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters\/\">https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters\/<\/a><\/p>\n<p>The report also highlights that the attackers behind this campaign introduced a new Qt version of the BeaverTail malware as early as July\u00a02024.<\/p>\n<p>This suggests that the recent suspicious activity we observed on GitHub in this investigation is likely connected to DPRK operations, as the account in question is actively engaging (following, starring, same organization) with some profiles we previously identified in the GitHub \u201corganization\u201d <a href=\"https:\/\/github.com\/Finalgoal231\">finalgoal231<\/a>.<\/p>\n<p>These organizations and this network of accounts seem related to the <a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/?pdf=print&amp;lg=en&amp;_wpnonce=e2a2b55a17\">Contagious Interview (CL-STA-0420) and Wagemole (CL-STA-0421) campaigns<\/a>. Both campaigns are linked to the North Korean state-sponsored advanced persistent threat (APT38) known as the <strong>Lazarus\u00a0Group<\/strong>.<\/p>\n<p>The second campaign, named \u201cWagemole,\u201d involves threat actors seeking unauthorized employment with organizations in the US and other global locations, aiming for both financial gain and espionage.<\/p>\n<p>In this context, much of this network of suspicious accounts can pivot between these two campaigns. 
Likewise, this type of organization can be more effective when it comes to selecting and targeting objectives.<\/p>\n<h3>Part II: Analyzing suspicious profiles within these organizations:<\/h3>\n<p>Upon analyzing recent activity, we observe the creation of new accounts that are joining organizations as members and contributors. Additionally, suspicious organizations like <a href=\"https:\/\/github.com\/Finalgoal231\">Finalgoal231<\/a> have been\u00a0created.<\/p>\n<p>This likely serves two purposes: first, to increase the credibility of these profiles, making it easier for them to blend in with real users; and second, as we\u2019ve seen, it\u2019s a coordinated way to target more specific objectives.<\/p>\n<p>This suggests that social engineering operations may be shifting towards more organized methods of engaging with targets. By joining and contributing to legitimate organizations and creating fake ones, attackers can craft more organic and, therefore, more believable profiles.<\/p>\n<h4>Suspicious accounts in organizations<\/h4>\n<p>As we previously demonstrated, this account @<a href=\"https:\/\/github.com\/shinevue\">shinevue<\/a> is quite active in the organization <a href=\"https:\/\/github.com\/Finalgoal231\">FinalGoal231<\/a>.<\/p>\n<p><a href=\"https:\/\/github.com\/shinevue\">https:\/\/github.com\/shinevue<\/a><\/p>\n<p>It has joined at least seven organizations, some of which appear legitimate, while others seem suspicious.<\/p>\n<p>The organizations that some of these accounts follow\u00a0are:<\/p>\n<p>https:\/\/github.com\/jazzband<br \/>https:\/\/github.com\/EddieHubCommunity<br \/>https:\/\/github.com\/Design-and-Code<br \/>https:\/\/github.com\/App-Choreography<br \/>https:\/\/github.com\/Magic-Academy<br \/>https:\/\/github.com\/infraform<br \/>https:\/\/github.com\/AccessibleForAll<br \/>https:\/\/github.com\/yfosp<br \/>https:\/\/github.com\/FearlessTech<br \/>https:\/\/github.com\/Finalgoal231<\/p>\n<p>Within these organizations, there are several 
accounts that are very similar to those previously reported, which are linked to activities associated with DPRK Lazarus Group operations.<\/p>\n<p>A few examples of profiles with suspicious activity found in these organizations are:<\/p>\n<p><a href=\"https:\/\/github.com\/persec10000\">https:\/\/github.com\/persec10000<\/a><\/p>\n<p>This other related account uses a similar bio, profile image and information (richworld3ta):<\/p>\n<p><a href=\"https:\/\/github.com\/ch2888\">https:\/\/github.com\/ch2888<\/a><\/p>\n<p>These profiles are connected to their activities, and some even use the same type of images we reported in an earlier investigation.<\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/suspicious-activity-in-github-associated-with-lazarus-group-200868dff910\">https:\/\/medium.com\/coinmonks\/suspicious-activity-in-github-associated-with-lazarus-group-200868dff910<\/a><\/p>\n<p>More examples of accounts in the organizations that seem to be related to their activity:<\/p>\n<p><a href=\"https:\/\/github.com\/Topstar88\">https:\/\/github.com\/Topstar88<\/a><\/p>\n<p>There are also some accounts that use the term \u201cSuperStar\u201d, which is characteristic of this campaign:<\/p>\n<p><a href=\"https:\/\/github.com\/e-nitram\">https:\/\/github.com\/e-nitram<\/a><\/p>\n<p>As demonstrated, there is a clear connection between the GitHub accounts highlighted in this investigation. Additionally, there is a noticeable preference for using certain words when creating GitHub handles, images, and other visible patterns that could serve as an initial filter. However, aspects related to follower\/following activity must not be overlooked.<\/p>\n<h3>Part III: Analyzing suspicious profiles within these organizations:<\/h3>\n<p>A key part of analyzing the social engineering operations is that it allows us to anticipate their attack vectors long before they can even engage with us. 
By tracking their social engineering efforts, we can better understand the direction of their campaign and, as a result, stay one step\u00a0ahead.<\/p>\n<p>Much of the ability to find this recent activity and suspicious accounts is due to the analysis of some key patterns within this network, which allows us to start from certain GitHub accounts and connect with accounts that display higher activity.<\/p>\n<p>Below is a list of suspicious accounts linked to DPRK APT threat actor operations on GitHub, identified in this investigation across various organizations and their follower networks. These accounts have been categorized based on prior investigations, account activity, follower\/following patterns, profile details, images\/bios, GitHub handles, location associations, and other internal\u00a0factors.<\/p>\n<p>Suspicious GitHub accounts related to Lazarus operations found in this investigation:<\/p>\n<p>https:\/\/github.com\/firststar19950115<br \/>https:\/\/github.com\/persec10000<br \/>https:\/\/github.com\/ch2888<br \/>https:\/\/github.com\/Topstar88<br \/>https:\/\/github.com\/Nahuel61920<br \/>https:\/\/github.com\/felipedev418<br \/>https:\/\/github.com\/shinevue<br \/>https:\/\/github.com\/popstar7<br \/>https:\/\/github.com\/techietrend<br \/>https:\/\/github.com\/chivalrousdev<br \/>https:\/\/github.com\/blackghost2693<br \/>https:\/\/github.com\/Luis96920<br \/>https:\/\/github.com\/chainshifu<br \/>https:\/\/github.com\/creative2113<br \/>https:\/\/github.com\/gitMan-stack<br \/>https:\/\/github.com\/Johnhvy<br \/>https:\/\/github.com\/appleseed619<br \/>https:\/\/github.com\/BlackGhost2693<br \/>https:\/\/github.com\/Suzuki0916<br \/>https:\/\/github.com\/grasshousedev<br \/>https:\/\/github.com\/kakashiprodev<br \/>https:\/\/github.com\/shiny7star<br \/>https:\/\/github.com\/goldsunshines<br \/>https:\/\/github.com\/silvershiny<br \/>https:\/\/github.com\/kingp08<br \/>https:\/\/github.com\/GoodLuck0129<br 
\/>https:\/\/github.com\/teamchong<br \/>https:\/\/github.com\/web3batman<br \/>https:\/\/github.com\/ChallengeHandler<br \/>https:\/\/github.com\/cedev935<br \/>https:\/\/github.com\/deepsea514<br \/>https:\/\/github.com\/bojanterzic529<br \/>https:\/\/github.com\/SacredDevKing<br \/>https:\/\/github.com\/sminio<br \/>https:\/\/github.com\/SacredDever<\/p>\n<p>It is important to note that this is just a sample, highlighting the activity of some suspicious accounts. However, the total number of suspicious accounts is much larger, and the full list remains confidential for investigative purposes.<\/p>\n<h4>Conclusion<\/h4>\n<p>The purpose of developing this type of analysis is that it allows us to gather much more information about the attacker through additional data\u200a\u2014\u200a\u2018unrevealed\u2019 by them\u200a\u2014\u200abefore they can approach or interact with us. In this sense, it is useful to obtain more context about these accounts without relying solely on the false identities the attacker provides.<\/p>\n<p>A contextual analysis of the individual can sometimes be more accurate than attempting to verify the false or stolen identities used by these attackers. 
Therefore, a holistic intelligence analysis must go beyond traditional or automated background checks.<\/p>\n<p>PS: I\u2019d like to thank <a href=\"https:\/\/x.com\/blackbigswan\">blackbigswan<\/a> for helping me with dumping the data from these GitHub\u00a0accounts.<\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/reviewing-the-activity-of-github-accounts-associated-with-lazarus-635cb47881dc\">Reviewing the activity of GitHub accounts associated with Lazarus<\/a> was originally published in <a href=\"https:\/\/medium.com\/coinmonks\">Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>There is a network of GitHub accounts tied to threat actors associated with the Democratic People\u2019s Republic of Korea (DPRK), used for social engineering, which we will refer to as the \u2018SuperStar Campaign\u2019. This name stems from findings and self-references within the network of accounts. 
Key Points This research highlights the ongoing evolution of activities [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-32068","post","type-post","status-publish","format-standard","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/32068"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=32068"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/32068\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=32068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=32068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=32068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}