Cyber Web Spider Blog – News
New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Code

Posted on August 19, 2025 by CWS

Aug 19, 2025 | Ravie Lakshmanan | Malware / Cyber Attack
Financial institutions such as trading and brokerage firms are the target of a new campaign that delivers a previously unreported remote access trojan called GodRAT.
The malicious activity involves the "distribution of malicious .SCR (screen saver) files disguised as financial documents via Skype messenger," Kaspersky researcher Saurabh Sharma said in a technical analysis published today.
The attacks, which were active as recently as August 12, 2025, use a technique called steganography to conceal within image files the shellcode used to download the malware from a command-and-control (C2) server. The screen saver artifacts have been detected since September 9, 2024, targeting countries and territories such as Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan.
Assessed to be based on Gh0st RAT, GodRAT follows a plugin-based approach to extend its functionality in order to harvest sensitive information and deliver secondary payloads such as AsyncRAT. It is worth noting that Gh0st RAT had its source code leaked publicly in 2008 and has since been adopted by various Chinese hacking groups.

The Russian cybersecurity company said the malware is an evolution of another Gh0st RAT-based backdoor known as AwesomePuppet, which was first documented in 2023 and is believed to be the handiwork of the prolific Chinese threat actor Winnti (aka APT41).
The screen saver files act as a self-extracting executable incorporating various embedded files, including a malicious DLL that is sideloaded by a legitimate executable. The DLL extracts shellcode hidden inside a .JPG image file, which then paves the way for the deployment of GodRAT.
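As an added defender-side example (not code from the article, from Kaspersky, or from the GodRAT loader), the Python triage script below checks one common way a payload is hidden in a JPEG carrier: bytes appended after the end-of-image marker. The article does not state which embedding method GodRAT's loader uses, so this is a generic heuristic rather than a signature; the minimal JPEG structure and the fake payload are constructed inline.

```python
import math
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
RST_MARKERS = set(range(0xD0, 0xD8))  # RSTn markers are legal inside scan data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8, padding near 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in range(256)) if c)

def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the first real EOI marker."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip the header segment body
        if marker != 0xDA:  # only SOS (FFDA) is followed by entropy-coded scan data
            continue
        while pos + 1 < len(data):  # skip stuffed FF00, RSTn and FF fill bytes inside the scan
            nxt = data[pos + 1]
            if data[pos] == 0xFF and nxt not in RST_MARKERS and nxt not in (0x00, 0xFF):
                if nxt == 0xD9:
                    return pos + 2
                break  # another header segment (e.g. a later DHT in a progressive JPEG)
            pos += 1
    raise ValueError("EOI marker not found")

def triage_jpeg(data: bytes) -> dict:
    """Report bytes appended after the image; any trailing data deserves a closer look."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    return {"image_bytes": end, "trailing_bytes": len(tail),
            "trailing_entropy": round(shannon_entropy(tail), 2), "suspicious": bool(tail)}

def build_minimal_jpeg(scan: bytes = b"\x12\x34\xff\x00\x56") -> bytes:
    """Constructed sample (not a decodable image): SOI, JFIF APP0, SOS header, scan bytes, EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    return SOI + app0 + sos + scan + EOI

if __name__ == "__main__":
    clean = build_minimal_jpeg()
    print(triage_jpeg(clean))                                 # trailing_bytes 0
    print(triage_jpeg(clean + b"\x90" * 64 + b"\xcc" + EOI))  # constructed payload: 67 trailing bytes
```

The walk stops at the first structurally valid EOI, so a payload that itself contains the FFD9 byte pair (as the constructed sample does) is still reported in full.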
The trojan, for its part, establishes communication with the C2 server over TCP, collects system information, and pulls the list of installed antivirus software on the host. The captured details are sent to the C2 server, after which the server responds with follow-up instructions that allow it to:

  • Inject a received plugin DLL into memory
  • Close the socket and terminate the RAT process
  • Download a file from a provided URL and launch it using the CreateProcessA API
  • Open a given URL using the shell command for opening Internet Explorer

One of the plugins downloaded by the malware is a FileManager DLL that can enumerate the file system, perform file operations, open folders, and even run searches for files at a specified location. The plugin has also been used to deliver additional payloads, such as a password stealer for the Google Chrome and Microsoft Edge browsers and the AsyncRAT trojan.
Kaspersky said it discovered the complete source code for the GodRAT client and builder, which was uploaded to the VirusTotal online malware scanner in late July 2024. The builder can be used to generate either an executable file or a DLL.

When the executable option is chosen, users can select a legitimate binary from a list into which the malicious code is injected: svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe and QQScLauncher.exe. The final payload can be saved with one of the following file types: .exe, .com, .bat, .scr, and .pif.
"Old implant codebases, such as Gh0st RAT, which are nearly 20 years old, continue to be used today," Kaspersky said. "These are often customized and rebuilt to target a wide range of victims."
"These old implants are known to have been used by various threat actors for a long time, and the GodRAT discovery demonstrates that legacy codebases like Gh0st RAT can still maintain a long lifespan in the cybersecurity landscape."

Source: The Hacker News. Tags: Code, Firms, Gh0st, GodRAT, RAT, Steganography, Targets, Trading, Trojan
