GodRAT - New RAT Variant Targets Trading Firms

GodRAT, a recently discovered remote access Trojan derived from the Gh0st RAT framework, has been actively targeting financial institutions since late 2024. The campaign leverages malicious .scr and .pif files delivered via Skype to initiate infections. By embedding shellcode within images through steganography, the malware ensures covert payload delivery and execution. Featuring modular plugins, credential theft capabilities, and AsyncRAT as a fallback implant, GodRAT shows strong associations with AwesomePuppet and the Winnti APT group, highlighting the continuous evolution of legacy malware families to support prolonged cyber-espionage operations.

Technical Description

Since late 2024, a sustained campaign has targeted financial organizations, particularly trading and brokerage firms, through malicious files disguised as legitimate financial documents. Distributed primarily via Skype, these .scr and .pif executables acted as delivery mechanisms for a new Remote Access Trojan (RAT) dubbed GodRAT, an evolved variant of the Gh0st RAT family. This campaign highlights how legacy malware frameworks continue to resurface with advanced capabilities to support modern cyber-espionage efforts.

Delivery and Infection Chain:
Attackers leveraged steganography to conceal malicious shellcode within image files, enabling stealthy delivery and execution. Upon opening the infected file, the loader contacted remote Command-and-Control (C2) servers, fetched the GodRAT payload, and injected it into memory for execution.

Two primary loader types were observed:

  1. Embedded Shellcode Loaders – with hardcoded XOR keys for decoding and in-memory injection.
  2. Image-Based Loaders – extracting hidden shellcode from tampered files (e.g., SDL2.dll) paired with legitimate executables like Valve.exe signed with expired certificates to evade detection.


Technical Capabilities:
GodRAT operates in a multi-stage architecture:

  • Initial shellcode retrieves configuration data containing C2 IP, port, and parameters.
  • The malware initiates communication by sending a GETGOD request, receives secondary payloads, and performs reflective DLL injection, often into curl.exe or cmd.exe for stealth.
  • The RAT includes a rare -Puppet parameter, reinforcing its connection to the AwesomePuppet lineage.


Once active, GodRAT collects and exfiltrates extensive host and user information, including OS details, process IDs, antivirus presence, and user credentials, encoding the data multiple times before transmission.
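The behaviours in this section (the GETGOD handshake, reflective injection into curl.exe or cmd.exe, and .scr/.pif lures delivered over Skype) translate directly into hunting checks. The script below is an added example, not code from the report or from any vendor; it runs the checks over constructed sample telemetry, and the Event schema, file names and addresses are assumptions.

```python
"""GodRAT hunting heuristics over constructed sample telemetry (not real logs):
  1. .scr/.pif files written by a messaging client (Skype lure delivery)
  2. outbound data beginning with the GETGOD handshake string
  3. curl.exe / cmd.exe (observed injection hosts) connecting out while
     parented by a .scr/.pif process
"""
import re
from dataclasses import dataclass

RISKY_EXT = re.compile(r"\.(scr|pif)$", re.IGNORECASE)
MESSAGING_CLIENTS = {"skype.exe"}          # delivery channel named in the report
INJECTION_HOSTS = {"curl.exe", "cmd.exe"}  # reflective-injection targets named above
HANDSHAKE = b"GETGOD"                      # initial C2 request named above

@dataclass
class Event:
    kind: str             # "file_write", "net_send" or "net_connect"
    process: str          # image name that produced the event
    parent: str = ""      # parent image name (process-related events)
    path: str = ""        # file path written (file_write)
    payload: bytes = b""  # leading bytes of an outbound send (net_send)
    dst: str = ""         # destination host:port (net_connect)

def triage(events):
    """Return (event_index, reason) pairs for events matching a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        proc, parent = ev.process.lower(), ev.parent.lower()
        if ev.kind == "file_write" and proc in MESSAGING_CLIENTS and RISKY_EXT.search(ev.path):
            hits.append((i, "risky .scr/.pif dropped by messaging client"))
        elif ev.kind == "net_send" and ev.payload.startswith(HANDSHAKE):
            hits.append((i, "GETGOD handshake in outbound data"))
        elif ev.kind == "net_connect" and proc in INJECTION_HOSTS and RISKY_EXT.search(parent):
            hits.append((i, "injection host connecting out under a .scr/.pif parent"))
    return hits

# Constructed sample events; file names, hosts and addresses are illustrative only.
SAMPLE = [
    Event("file_write", "Skype.exe", path=r"C:\Users\u\Downloads\2023-2024ClientList.scr"),
    Event("file_write", "Skype.exe", path=r"C:\Users\u\Downloads\statement.pdf"),
    Event("net_send", "2023-2024ClientList.scr", payload=b"GETGOD\x00\x01"),
    Event("net_connect", "curl.exe", parent="2023-2024ClientList.scr", dst="192.0.2.10:443"),
    Event("net_connect", "curl.exe", parent="explorer.exe", dst="192.0.2.11:443"),
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE):
        print(f"event {idx}: {why}")
```

The same checks cover the "Monitor Network Traffic" and "Proactive Threat Hunting" items under Recommended Actions; in a real deployment the Event records would be mapped from EDR or Sysmon fields.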


Modular Plugins and Secondary Payloads:
The malware is highly modular, with plugins extending its functionality:

  • FileManager Plugin – Allows attackers to browse directories, move, delete, or execute files, and create directories both visibly and invisibly.
  • Credential Theft Modules – Extract login credentials from Google Chrome and Microsoft Edge using browser databases and decryption keys.
  • AsyncRAT Integration – Deployed as a backup implant, providing redundancy and disabling AMSI and ETW logging for improved persistence and defense evasion.


Attribution and Evolution:
Analysis shows strong overlaps between GodRAT and AwesomePuppet, another Gh0st RAT-derived malware first reported in 2023. Both leverage similar delivery techniques and share code-level similarities. These indicators link GodRAT activity to the Winnti APT group, known for long-term espionage campaigns across multiple sectors.

Active Campaign and Geographic Spread:

The campaign remains ongoing as of August 2025, with detections reported in Hong Kong, the UAE, Jordan, Lebanon, and Malaysia. Attackers commonly use file names mimicking financial records, such as “2023-2024ClientList.scr”, to lure victims into executing the payload.

Accessibility and Proliferation:

A critical factor in GodRAT’s spread is the public leak of its source code and builder on an online malware scanning service in mid-2024. This builder allows threat actors to customize payloads, choose injection processes, and generate malicious files in .exe, .scr, or .pif formats. This availability has fueled broader adoption among multiple threat groups, reinforcing how legacy malware toolkits continue to circulate and evolve within underground ecosystems.

Conclusion:

GodRAT represents the ongoing evolution of legacy malware, combining the Gh0st RAT foundation with modern techniques like steganography, modular plugins, and backup implants to support stealthy and persistent attacks. Its public builder release has accelerated adoption among multiple threat actors, expanding its reach across regions and industries. The campaign’s active status and links to groups like Winnti APT highlight its role in long-term cyber-espionage operations. Organizations, particularly in the financial sector, should prioritize advanced detection, network segmentation, and regular threat hunting to mitigate such evolving threats.

Impact

GodRAT poses a significant risk to financial institutions by enabling data theft, credential harvesting, and long-term unauthorized access to critical systems. Its modular architecture and stealth techniques allow attackers to expand capabilities, evade detection, and maintain persistence. The use of publicly available builders increases its adoption, amplifying the threat landscape. If left unaddressed, infections could lead to financial fraud, data breaches, and operational disruptions.

IOC and Context Details

Tactic Name: Exfiltration, Persistence, Execution, Defense Evasion, Discovery, Collection, Initial Access, Command and Control

Technique Name:
  Exfiltration: Exfiltration Over C2 Channel
  Persistence: Boot or Logon Autostart Execution
  Execution: System Services, User Execution
  Defense Evasion: Indicator Removal, Deobfuscate/Decode Files or Information, Masquerading, Impair Defenses
  Discovery: File and Directory Discovery, System Information Discovery, Query Registry
  Collection: Data from Local System
  Initial Access: Phishing
  Command and Control: Application Layer Protocol

Sub-Technique Name:
  Persistence: Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder
  Execution: System Services – Service Execution
  Execution: User Execution – Malicious File
  Defense Evasion: Indicator Removal – File Deletion
  Defense Evasion: Masquerading – Match Legitimate Resource Name or Location
  Defense Evasion: Impair Defenses – Disable or Modify Tools
  Initial Access: Phishing – Spearphishing Attachment
  Command and Control: Application Layer Protocol – Web Protocols

Attack Type: Malware
Targeted Applications: Windows
Region Impacted: Jordan, Lebanon, Malaysia, United Arab Emirates, Hong Kong
Industry Impacted: BFSI

IOCs: IP addresses and SHA-256, SHA-1 and MD5 file hashes
Domain: wuwu6[.]cfd
CVE: NA

Recommended Actions

  • Maintain Systems and Certificates: Regularly patch operating systems, browsers, and third-party applications, and monitor for expired or unauthorized digital certificates.
  • Enhance Email and Messaging Security: Implement robust filtering on corporate communication tools, including Skype, to block suspicious attachments like .scr and .pif files.
  • Educate Employees on Social Engineering: Conduct ongoing training for staff, especially in finance, to identify phishing attempts and malicious documents.
  • Strengthen Endpoint Defenses: Deploy advanced endpoint protection with behavioral analysis to detect unauthorized process injections and steganography-based loaders.
  • Monitor Network Traffic: Actively watch outbound connections for unusual C2 communications or encoded data sent to suspicious IP addresses.
  • Restrict Execution of Risky Files: Enforce group policies to prevent execution of high-risk file types and disguised executables.
  • Implement Strong Credential Protection: Apply multi-factor authentication (MFA) and enforce secure password policies to reduce the impact of stolen credentials.
  • Proactive Threat Hunting: Search for known GodRAT and AsyncRAT indicators, including malicious DLLs, persistence mechanisms, or abnormal process activity.

References