The threat actors behind this campaign have demonstrated remarkable persistence, with the most recent detection occurring as late as August 12, 2025.
The attackers employ a multi-layered approach, distributing malicious .scr (screensaver) and .pif (Program Information File) files disguised as legitimate financial documents through Skype messenger.
These files carry names designed to look authentic, such as “2023-2024ClientList&.scr” and “Corporate customer transaction &volume.pif,” exploiting victims’ trust in seemingly legitimate business communications.
What sets this campaign apart is the sophisticated use of steganography to embed shellcode within innocent-looking image files.
The shellcode, once extracted, establishes communication with Command-and-Control (C2) servers using the distinctive handshake “GETGOD” before downloading the full GodRAT payload.
The malware uses evasion techniques including XOR encryption with hardcoded keys such as “OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB” and process injection.
GodRAT’s technical architecture reveals its relationship to the Gh0st RAT codebase, featuring a modular design that supports various plugins.
The FileManager plugin enables comprehensive system reconnaissance, while dedicated browser password stealers target Chrome and Microsoft Edge credentials. The malware employs sophisticated data exfiltration techniques, using zlib compression and triple XOR encoding for C2 communications.
Analysis reveals striking similarities between GodRAT and AwesomePuppet, another Gh0st RAT-based backdoor reported in 2023.
Both share the distinctive command-line parameter “-Puppet” and exhibit similar code structures, suggesting GodRAT represents an evolutionary development of AwesomePuppet.
This connection potentially links the campaign to the Winnti Advanced Persistent Threat (APT) group, known for targeting financial institutions and gaming companies.
The attackers show operational sophistication by deploying AsyncRAT as a secondary implant, retaining access even if the primary infection is detected.
Geographic targeting has focused primarily on Hong Kong, the United Arab Emirates, Lebanon, Jordan, and Malaysia, suggesting a regional focus on Middle Eastern and Asian financial markets.
The discovery of GodRAT’s source code and builder tools on public platforms indicates potential availability to a broader range of threat actors.
This development raises concerns about the democratization of advanced malware capabilities. It highlights the continued relevance of legacy codebases like Gh0st RAT in modern cyber operations, nearly two decades after their initial development.
Organizations in the financial sector should implement enhanced email security measures and educate employees about social engineering tactics exploiting trusted communication platforms like Skype.
Indicators of Compromise (MD5):
cf7100bbb5ceb587f04a1f42939e24ab
d09fd377d8566b9d7a5880649a0192b4 GodRAT Shellcode Injector
e723258b75fee6fbd8095f0a2ae7e53c GodRAT Self-Extracting Executable
a6352b2c4a3e00de9e84295c8d505dad
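The delivery and indicator details above (executable .scr/.pif files named like financial documents, the “GETGOD” C2 handshake, the hardcoded XOR key, and the MD5 hashes listed) can be turned into a small offline triage routine. The following is an added example written for this page, not code from the article; the document keywords used to spot a masquerading file name and the extensions beyond .scr/.pif are assumptions, and the sample bytes are constructed.

```python
import hashlib
import re
from typing import List

# MD5 hashes as published in the article; two of the four carry no label there.
GODRAT_MD5 = {
    "cf7100bbb5ceb587f04a1f42939e24ab": "GodRAT sample (unlabelled in the article)",
    "d09fd377d8566b9d7a5880649a0192b4": "GodRAT Shellcode Injector",
    "e723258b75fee6fbd8095f0a2ae7e53c": "GodRAT Self-Extracting Executable",
    "a6352b2c4a3e00de9e84295c8d505dad": "GodRAT sample (unlabelled in the article)",
}

# Strings the article attributes to the campaign.
C2_HANDSHAKE = b"GETGOD"
XOR_KEY = b"OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB"

# .scr and .pif come from the article; .exe and .com are an assumed extension of the list.
EXEC_EXTENSIONS = {".scr", ".pif", ".exe", ".com"}
# Assumed vocabulary of "document-like" names, modelled on the two file names in the article.
DOCUMENT_WORDS = re.compile(r"client|customer|transaction|volume|list|invoice|statement", re.I)


def suspicious_attachment_name(name: str) -> bool:
    """True when an executable extension hides behind a document-like file name."""
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext not in EXEC_EXTENSIONS:
        return False
    stem = lower[: -len(ext)]
    return bool(DOCUMENT_WORDS.search(stem))


def triage_bytes(name: str, data: bytes) -> List[str]:
    """Return a list of human-readable findings for one file (name plus raw content)."""
    findings = []
    if suspicious_attachment_name(name):
        findings.append(f"executable {name!r} masquerading as a document")
    digest = hashlib.md5(data).hexdigest()
    if digest in GODRAT_MD5:
        findings.append(f"MD5 {digest} matches IoC: {GODRAT_MD5[digest]}")
    if C2_HANDSHAKE in data:
        findings.append("contains C2 handshake string GETGOD")
    if XOR_KEY in data:
        findings.append("contains hardcoded GodRAT XOR key")
    return findings


if __name__ == "__main__":
    # Constructed sample: a fake PE header padded with zeros around the two campaign strings.
    sample = b"MZ\x90\x00" + b"\x00" * 16 + XOR_KEY + b"\x00" * 8 + C2_HANDSHAKE
    for line in triage_bytes("2023-2024ClientList&.scr", sample):
        print(line)
    print(triage_bytes("notes.txt", b"hello"))  # []
```

The name check is deliberately narrow so it can run on an attachment log before any content is available; the content checks are plain substring and hash matches, so a sample that stores the handshake or key in obfuscated form will only be caught once the strings appear in memory or in network traffic.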
Originally published as “GodRAT – Exploiting Screensavers and Program Files for Cyber Attacks on Organizations” on Cyber Security News.