Mallory
1 malware family

Stargazer Goblin

Also known as: Stargazer Goblin

Stargazer Goblin is the name used by Check Point for the threat actor operating the Stargazers Ghost Network, a large organization of GitHub accounts used to distribute malware through repositories themed around gaming cheats and malware. Reported activity associated or potentially associated with this actor includes use of GitHub repositories, promotion of cracked software, password-protected archives, and social-media or developer-platform amplification including TikTok and Facebook. Supporting reporting also notes overlap with campaigns delivering Lumma Stealer and other malware through GitHub-hosted lures and backdoored repositories, but attribution in those cases remains inconclusive. Sophos assessed that some 2023–2025 GitHub malware distribution activity may be linked to a Distribution-as-a-Service ecosystem such as Stargazer Goblin, a closely related operation, or another actor using a similar model. Based on the provided content, Stargazer Goblin is best characterized as a malware distribution actor tied to the Stargazers Ghost Network and GitHub-based malware delivery; no high-confidence nation-state attribution is stated in the source material.


MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic.

3 of 15 tactics, 4 techniques (×N = number of intelligence reports citing this technique)

TA0042 Resource Development (1 technique)
    T1583 Acquire Infrastructure
TA0001 Initial Access (1 technique)
    T1566 Phishing
        T1566.002 Spearphishing Link
TA0009 Collection (1 technique)
    T1560 Archive Collected Data

IOCS

Observables

49 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
