Botconf Author Listing

Antonis Terefos


Last known affiliation: Checkpoint
Bio: Antonis Terefos is a malware reverse engineer at Check Point Research. He specializes in dissecting and analyzing malicious software to uncover hidden threats within the ever-evolving cyber threat landscape. In addition to his professional work, Antonis enjoys testing malware command-and-control (C2) infrastructures in his spare time. By exploring these C2 systems, he gains valuable insights into the strategies and tactics employed by threat actors, enriching his overall understanding of the adversarial landscape.
TLP:GREEN
Date: 
The Evolution of Malware Distribution Through Ghost Networks
Antonis Terefos 🗣

Abstract

A new era of malware distribution is here, where “ghost”/bot accounts spread malicious links across multiple platforms. The Ghost Network is a sophisticated operation that uses fake and compromised accounts to appear legitimate while spreading and promoting malware. The first discovered Ghost Network operates on GitHub. The operator behind the Stargazers Ghost Network controls over 30,000 GitHub accounts, driving rapid infections and generating significant profits in a remarkably short period. What makes this operation particularly dangerous is its ability to bypass platform defenses, minimizing the impact of any countermeasures imposed by GitHub. The continuous activity and low downtime of the distribution process allow the malware campaign to persist with little interruption. The success of the original GitHub-based Ghost Network has spurred its expansion to multiple other platforms, broadening the reach of this insidious malware distribution method and making it harder to contain.

TLP:GREEN
Date: 
Godot Engine: An Undetected Playground for Malware Loaders
Antonis Terefos 🗣 | Alexandr Shamshur

Abstract

In this presentation, we will discuss our recent discovery of a novel malware-loading technique that leverages the Godot Engine—a popular open-source game development platform—to execute malicious commands and deliver payloads through crafted GDScript code. This method, deployed via a loader dubbed GodLoader, has remained largely undetected by antivirus solutions on VirusTotal and has infected over 17,000 machines since June 29, 2024.

The threat actor behind GodLoader has been distributing the malware through the Stargazers Ghost Network, a Distribution-as-a-Service (DaaS) network that exploits GitHub’s community features to legitimize malicious repositories. This network utilized 200 repositories and over 225 Stargazer accounts throughout September and October to mask malware as legitimate software, targeting developers, gamers, and general users.

Godot Engine is designed for 2D and 3D game development, allowing developers to export games across multiple platforms, including Windows, macOS, Linux, Android, iOS, and HTML5. This cross-platform functionality, combined with the engine’s Python-like GDScript, can enable attackers to effectively deploy malware across diverse operating systems.
