New Stealthy GodLoader Malware Targets Multiple Platforms

GodLoader malware, discovered by Check Point, stealthily infects Windows, macOS, Linux, Android, and iOS, using the Godot Engine to evade antivirus detection.

GodLoader Malware

GodLoader uses the Godot Engine’s scripting language, GDScript, to deliver and run malicious payloads. GDScript, similar to Python, is intended for game development but has been misused by cybercriminals to execute harmful commands.

The malware is spread through the Stargazers Ghost Network, a “Malware-as-a-Service” platform hosted on GitHub. Between September and October 2024, over 200 repositories and 225 accounts were used to distribute GodLoader.

The repositories pretended to be legitimate projects, using GitHub’s “starring” system to appear credible and trick users.

According to Check Point researchers, once downloaded GodLoader delivers its payload by embedding or loading malicious .pck files, the archive format the Godot Engine uses to package game assets. These files contain encrypted GDScripts that the engine decrypts and runs. The malware also uses evasion techniques such as anti-sandboxing and anti-virtual-machine checks to avoid detection.

GodLoader’s most alarming feature is its cross-platform functionality. The Godot Engine lets developers easily export projects to multiple platforms, which attackers have exploited to target:

  • Windows: Initial samples delivered payloads on Windows devices.
  • macOS and Linux: Proof-of-concept attacks showed similar methods work with minor tweaks.
  • Android: Not fully developed yet, but researchers believe an Android version is possible.
  • iOS: Deployment is challenging due to Apple’s strict App Store policies but still poses a potential risk.

GodLoader’s versatility enables attackers to target multiple operating systems effectively.

The Stargazers Ghost Network distributed GodLoader through GitHub between June and October 2024, running campaigns with repositories hosting malicious files. Automated bots updated these repositories to look legitimate and lure users.

GodLoader starts by delivering an archive with executable files and .pck resources. When executed, it decrypts the .pck file, runs malicious GDScripts, and downloads extra payloads like XMRig miners or RedLine credential stealers.
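The two paragraphs above describe the delivery chain: an executable shipped next to, or with an embedded, .pck archive whose scripts are encrypted and run by the engine. For triage, what a defender wants is a way to recognise a Godot pack regardless of file extension, see whether its directory is flagged as encrypted, and compare the file hash with the published IOCs. The script below is an added example written for this article, not Check Point's tooling and not part of Godot; the header layout and the "size + GDPC" trailer that Godot appends to self-contained executables are taken from my reading of the engine's file_access_pack.cpp, and the sample blobs are constructed fixtures, not real malware.

```python
import hashlib
import struct
from typing import Optional

# Godot pack magic "GDPC" (0x43504447 read as a little-endian uint32).
PCK_MAGIC = b"GDPC"
# Godot 4 pack flag (bit 0): the pack directory is encrypted.
PACK_DIR_ENCRYPTED = 1 << 0

# SHA-256 IOCs copied from the table at the end of this article.
IOC_SHA256 = {
    "260f06f0c6c1544afcdd9a380a114489ebdd041b846b68703158e207b7c983d6": "Archive distributed by Stargazers Ghost Network",
    "3317b8e19e19218e5a7c77a47a76f36e37319f383b314b30179b837e46c87c45": "Launcher kks.exe",
    "0d03c7c6335e06c45dd810fba6c52cdb9eafe02111da897696b83811bff0be92": "Launcher kks.pck",
    "604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2": "RedLine",
    "6be9c015c82645a448831d9dc8fcae4360228f76dff000953a76e3bf203d3ec8": "RedLine",
    "b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa": "XMRig",
}


def parse_pck_header(data: bytes) -> Optional[dict]:
    """Parse a Godot .pck header; return None if `data` is not a pack.

    Layout (assumed from Godot's file_access_pack.cpp): magic "GDPC", pack
    format version, engine major/minor/patch (uint32 each). Format 2 (Godot 4)
    adds pack_flags (uint32) and file_base (uint64). Both formats then carry
    16 reserved uint32 values followed by the file count.
    """
    if len(data) < 20 or data[:4] != PCK_MAGIC:
        return None
    fmt_version, major, minor, patch = struct.unpack_from("<IIII", data, 4)
    info = {"format": fmt_version, "engine": f"{major}.{minor}.{patch}", "dir_encrypted": False}
    pos = 20
    if fmt_version >= 2:
        if len(data) < pos + 12:
            return None
        flags, file_base = struct.unpack_from("<IQ", data, pos)
        info["dir_encrypted"] = bool(flags & PACK_DIR_ENCRYPTED)
        info["file_base"] = file_base
        pos += 12
    pos += 16 * 4  # reserved words
    if len(data) >= pos + 4:
        info["file_count"] = struct.unpack_from("<I", data, pos)[0]
    return info


def find_embedded_pck(data: bytes) -> Optional[tuple]:
    """Locate a pack embedded in a self-contained Godot executable.

    The engine appends [pack][uint64 pack size]["GDPC"] to the binary, so the
    trailer is checked first and the size is walked back to the pack start.
    Returns (offset, size) or None.
    """
    if len(data) < 12 or data[-4:] != PCK_MAGIC:
        return None
    size = struct.unpack_from("<Q", data, len(data) - 12)[0]
    start = len(data) - 12 - size
    if start < 0 or data[start:start + 4] != PCK_MAGIC:
        return None
    return start, size


def triage(data: bytes) -> dict:
    """Classify a blob (standalone pack, executable with embedded pack, other)
    and look its SHA-256 up in the IOC table."""
    digest = hashlib.sha256(data).hexdigest()
    result = {"sha256": digest, "ioc_match": IOC_SHA256.get(digest), "kind": "other", "pck": None}
    header = parse_pck_header(data)
    if header is not None:
        result["kind"] = "pck"
        result["pck"] = header
        return result
    embedded = find_embedded_pck(data)
    if embedded is not None:
        start, size = embedded
        result["kind"] = "executable+embedded_pck"
        result["pck_offset"] = start
        result["pck"] = parse_pck_header(data[start:start + size])
    return result


def build_sample_pck(encrypted: bool = True, file_count: int = 3) -> bytes:
    """Constructed Godot-4-style pack header used as a test fixture."""
    flags = PACK_DIR_ENCRYPTED if encrypted else 0
    return (PCK_MAGIC + struct.pack("<IIII", 2, 4, 2, 0)
            + struct.pack("<IQ", flags, 0) + b"\x00" * 64 + struct.pack("<I", file_count))


def build_embedded_host(pck: bytes) -> bytes:
    """Constructed stand-in for a self-contained executable: a fake 102-byte
    PE-like prefix, then the pack, then Godot's size + magic trailer."""
    return b"MZ" + b"\x00" * 100 + pck + struct.pack("<Q", len(pck)) + PCK_MAGIC


if __name__ == "__main__":
    sample_pck = build_sample_pck()
    samples = (("sample.pck", sample_pck),
               ("sample.exe", build_embedded_host(sample_pck)),
               ("readme.txt", b"plain text, not a pack"))
    for name, blob in samples:
        print(name, triage(blob))
```

Run it against real files by replacing the constructed samples with `open(path, "rb").read()`; a file whose `kind` is a pack but whose extension is not .pck, or an executable carrying an embedded pack with `dir_encrypted` set, is worth a second look, and an `ioc_match` is a confirmed hit on the hashes published here.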

Exploiting the Godot Engine, GodLoader threatens over 1.2 million users of Godot-developed games. Attackers could swap legitimate .pck files with malicious ones or infect game mods.

Its stealth adds to the risk: some infected files were downloaded over 17,000 times without detection, according to Check Point researchers.

Mitigation Strategies

To safeguard against threats like GodLoader:

  1. Keep systems updated: Regularly update operating systems, browsers, and applications to patch known vulnerabilities.
  2. Download from trusted sources: Only download software from official or verified sources to reduce the risk of malicious files.
  3. Use advanced endpoint protection: Employ robust security solutions that detect and block sophisticated threats like GodLoader.
  4. Raise awareness: Train employees and users to recognize phishing attempts, fake websites, and suspicious downloads.
  5. Secure game assets: Developers using the Godot Engine should encrypt .pck files with asymmetric encryption to prevent unauthorized modifications.

Implementing these measures reduces the risk of infection and helps protect devices and users from emerging malware threats.

IOCs

Description | Value
Archive distributed by Stargazers Ghost Network | 260f06f0c6c1544afcdd9a380a114489ebdd041b846b68703158e207b7c983d6
Launcher kks.exe | 3317b8e19e19218e5a7c77a47a76f36e37319f383b314b30179b837e46c87c45
Launcher kks.pck | 0d03c7c6335e06c45dd810fba6c52cdb9eafe02111da897696b83811bff0be92
RedLine | 604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2
RedLine | 6be9c015c82645a448831d9dc8fcae4360228f76dff000953a76e3bf203d3ec8
XMRig | b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa
RedLine C&Cs | 147.45.44.83:6483
RedLine C&Cs | 185.196.9.26:6302

About the Author: FirstHackersNews - Identifies Security
