Organizations Under Attack: Hackers Utilize Screen Savers and Program Files in Latest GodRAT Strategy
A new Remote Access Trojan (RAT) named GodRAT has emerged as a threat to financial institutions. First observed in September 2024, GodRAT is an evolution of the AwesomePuppet RAT and, like it, is built on the years-old, publicly available Gh0st RAT source code.
The campaign's targeting is concentrated in Hong Kong, the United Arab Emirates, Jordan, Lebanon, and Malaysia. GodRAT is delivered primarily over Skype as malicious screensaver (.SCR) files posing as financial documents; a .SCR file is an ordinary Windows executable with a different extension, so opening it runs the attacker's code rather than displaying a document.
Once running, GodRAT contacts its remote server to fetch further payload components, sending the string "GETGOD" to identify itself and trigger the download. The shellcode locates its configuration by scanning for the marker "godinfo" and decodes the bytes that follow with a single-byte XOR using the key 0x63.
The fetched components include UPX-packed GodRAT DLL modules and browser-credential-stealing capabilities. The decoded configuration carries the operational parameters the implant needs, including Command-and-Control (C2) server details and the command strings used to drive its modules.
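The marker-then-XOR scheme described above is simple enough to reverse in a few lines, which is exactly what an analyst does when extracting C2 details from a sample. The script below is an added example (not code from the Securelist report or from the malware): it scans a byte blob for the marker `godinfo` and XOR-decodes what follows with key `0x63`, the two facts the page gives. Everything else is an assumption made for illustration: that the encoded configuration immediately follows the marker, that it decodes to a NUL-terminated ASCII string of `key=value` fields separated by `|`, and the constructed sample blob itself (with an RFC 5737 documentation address standing in for a C2).

```python
"""
Locate and decode a GodRAT-style embedded configuration.

Added example; not code from the Securelist report or from GodRAT itself.
From the page: the marker "godinfo" and single-byte XOR key 0x63.
Assumed (not from the page): the encoded configuration directly follows the
marker, decodes to NUL-terminated ASCII, and uses 'key=value|key=value'.
The sample blob produced by build_sample_blob() is constructed test data.
"""
from typing import Dict, Optional

MARKER = b"godinfo"
XOR_KEY = 0x63


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def find_config(blob: bytes, marker: bytes = MARKER, key: int = XOR_KEY) -> Optional[bytes]:
    """Return the decoded configuration that follows `marker`, or None if absent.

    Decodes byte by byte until the first byte that decodes to NUL (assumed
    terminator), so the encoded length need not be known in advance.
    """
    pos = blob.find(marker)
    if pos < 0:
        return None
    out = bytearray()
    for b in blob[pos + len(marker):]:
        d = b ^ key
        if d == 0:          # plaintext NUL is stored as 0x00 ^ 0x63 = 0x63
            break
        out.append(d)
    return bytes(out)


def parse_config(decoded: bytes) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict. The field layout is assumed, not documented."""
    fields: Dict[str, str] = {}
    for item in decoded.decode("ascii", errors="replace").split("|"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dumped module: junk, marker, encoded config, junk."""
    plaintext = b"c2=192.0.2.10:443|cmd=GETGOD|tag=demo"   # constructed sample values
    return (b"\x90" * 64 + b"MZ" + b"\x00" * 16
            + MARKER + xor_bytes(plaintext + b"\x00", XOR_KEY)
            + b"\xcc" * 32)


def scan_and_report(blob: bytes) -> Optional[Dict[str, str]]:
    """Convenience wrapper: locate, decode and parse in one call."""
    decoded = find_config(blob)
    return parse_config(decoded) if decoded is not None else None


if __name__ == "__main__":
    print(scan_and_report(build_sample_blob()))
```

Because the same XOR call encodes and decodes, the script also shows why a single-byte key offers no protection once the marker is known: a YARA rule on the literal `godinfo` string, or on the XOR-encoded form of a known field name, finds the configuration without running anything.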
GodRAT is modular: a FileManager plugin browses and manipulates files, password-stealer plugins extract saved credentials from the Chrome and Microsoft Edge credential databases, and the operators drop secondary implants such as AsyncRAT. The AsyncRAT injectors evade detection by patching Windows security interfaces in memory, specifically AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), so that script scanning and telemetry from the injected process are silenced.
The attack timeline shows a steady expansion, starting in Hong Kong and spreading to several Middle Eastern countries. The most recent observed attack was on August 12, 2025.
GodRAT shares a common origin with the AwesomePuppet RAT, as shown by rare command-line parameters (for example "puppet"), code similarities, and matching fingerprint headers. AwesomePuppet was documented by Kaspersky in 2023 and is itself based on Gh0st RAT, a nearly two-decade-old codebase that remains in active use because it is easy to customize; Securelist analysts accordingly classify GodRAT as an evolution of AwesomePuppet.
GodRAT hides its shellcode inside image files that render as ordinary screenshots of financial data, a steganographic technique that sidesteps detection keyed on executable content. One such file, "2024-11-15_23.45.45.jpg", displays financial information when opened while carrying the malicious code.
The loader, "SDL2.dll", extracts the hidden bytes by reading the image, allocating executable memory, copying the shellcode into it, and starting a thread at that address.
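The defensive counterpart to that loader is a triage check that asks whether an image carries bytes a viewer would never show. The script below is an added example, not code from the Securelist report and not GodRAT's loader. The page does not say where inside the JPEG the shellcode sits, so the placement tested here is an assumption chosen for illustration: a JPEG decoder stops at the End-Of-Image marker (FF D9), so anything after it is invisible to the viewer yet trivially readable by a loader. The script walks the JPEG segment structure to find the real EOI (a plain search for FF D9 can be fooled by an EXIF thumbnail or by the payload itself), returns the trailing bytes, and reports their entropy. The sample image is constructed: it is structurally walkable but is not a decodable picture.

```python
"""
Triage check: does a JPEG carry data after its End-Of-Image marker?

Added example; not code from the Securelist report, not GodRAT's loader.
Assumption (not stated on the page): the payload is appended after EOI.
build_sample_image() returns constructed bytes, not a real photograph.
"""
import math
from typing import Dict, Optional

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed shellcode or encrypted blobs sit near 8, text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def jpeg_end_offset(image: bytes) -> Optional[int]:
    """Offset just past the EOI marker, found by walking JPEG segments.

    Walking segments instead of searching for FF D9 means an FF D9 inside an
    embedded thumbnail, or inside the appended payload, does not end the walk.
    Returns None if the input is not a JPEG or is structurally malformed.
    """
    if not image.startswith(SOI):
        return None
    i, n = 2, len(image)
    while i + 1 < n:
        if image[i] != 0xFF:
            return None                                  # expected a marker
        marker = image[i + 1]
        if marker == 0xFF:                               # fill byte
            i += 1
            continue
        if marker == 0xD9:                               # EOI
            return i + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2                                       # standalone markers
            continue
        if i + 3 >= n:
            return None
        seglen = (image[i + 2] << 8) | image[i + 3]      # length includes itself
        i += 2 + seglen
        if marker == 0xDA:                               # SOS: entropy-coded data follows
            while i + 1 < n:
                # FF 00 is a stuffed byte, FF D0..D7 are restart markers; anything
                # else after FF is the next real marker, which the outer loop handles
                nxt = image[i + 1]
                if image[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    return None


def trailing_payload(image: bytes) -> Optional[bytes]:
    """Bytes after EOI, or None if the file ends where the picture ends."""
    end = jpeg_end_offset(image)
    if end is None:
        return None
    tail = image[end:]
    return tail if tail else None


def triage(image: bytes) -> Dict[str, object]:
    """Summary a triage pipeline could log; a non-empty tail is worth a closer look."""
    tail = trailing_payload(image)
    if tail is None:
        return {"trailing_bytes": 0, "entropy": 0.0, "suspicious": False}
    return {"trailing_bytes": len(tail),
            "entropy": round(shannon_entropy(tail), 2),
            "suspicious": True}


def build_sample_image(payload: bytes = b"") -> bytes:
    """Constructed JPEG skeleton (SOI, APP0, SOS, scan data, EOI) plus `payload`."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"      # includes a stuffed FF 00 and RST0
    return SOI + app0 + sos + scan + EOI + payload


if __name__ == "__main__":
    sample = build_sample_image(b"\x90\x90\xff\xd9" + b"godinfo" + b"\x00\x01\x02")
    print(triage(sample))
```

A non-empty tail is not proof of malice on its own (some tools append small trailers), but a trailer of several kilobytes with high entropy on an image that arrived over a messaging client next to an unsigned DLL is the combination the loader described above depends on, and it is cheap to flag at the mail or endpoint gateway.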
Researchers link the activity to the China-based threat actor Winnti (also tracked as APT41), which has a history of using Gh0st RAT derivatives in both targeted espionage and financially motivated campaigns.
GodRAT illustrates how legacy malware source code such as Gh0st RAT stays relevant through continual customization and the addition of newer evasion and delivery techniques, steganography among them, while its operators keep their focus on high-value targets in the financial sector.