GodRAT Trojan with Gh0st RAT code uses steganography to target brokerage firms
Financial institutions, particularly trading and brokerage firms, are currently facing a new threat from a remote access trojan known as GodRAT. The campaign distributes malicious .SCR (screen saver) files disguised as financial documents through Skype messenger, as reported by Kaspersky researcher Saurabh Sharma. The attacks have been active as recently as August 12, 2025. They use steganography to conceal shellcode within image files; that shellcode then downloads the malware from a command-and-control (C2) server. Since September 9, 2024, these screen saver artifacts have targeted regions including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. GodRAT is assessed to be based on Gh0st RAT and employs a plugin-based approach to extend its functionality, allowing it to harvest sensitive information and deliver secondary payloads such as AsyncRAT.
Kaspersky has indicated that GodRAT is an evolution of another Gh0st RAT-based backdoor called AwesomePuppet, first documented in 2023, and is likely linked to the Chinese threat actor known as Winnti (also referred to as APT41). The screen saver files function as self-extracting executables that bundle several embedded files, including a malicious DLL that is sideloaded by a legitimate executable. This DLL extracts shellcode hidden within a .JPG image file, which deploys GodRAT. Once activated, the trojan establishes communication with the C2 server over TCP, collects system information, and retrieves a list of installed antivirus software. The captured data is sent back to the C2 server, which then issues follow-up instructions, enabling the malware to inject plugins, download files, and execute various commands. One notable plugin, the FileManager DLL, can perform file operations and has been used to deliver additional payloads, including a password stealer for the Google Chrome and Microsoft Edge browsers. Kaspersky discovered the complete source code for the GodRAT client and builder uploaded to the VirusTotal online malware scanner in late July 2024; the builder lets an operator generate either an executable file or a DLL with the malicious code injected.
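Two of the indicators described above (a screen saver file named to look like a financial document, and an image file carrying a hidden payload) can be triaged with a small file check. The script below is an added, defender-side example and is not code from the Kaspersky report or from GodRAT itself. It assumes one common way of hiding a payload in an image, appending data after the JPEG end-of-image (EOI) marker; the article does not specify which steganographic method the campaign uses, so treat the JPEG trailer check as a generic heuristic rather than a GodRAT signature. The sample JPEG bytes and file names are constructed for the example. The JPEG parser walks the marker segments and the entropy-coded scan, so an `FF D9` sequence inside appended data is not mistaken for the real EOI, which a naive `rfind` would get wrong.

```python
import struct

SOI = b"\xff\xd8"  # JPEG start-of-image marker
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def jpeg_eoi_offset(data: bytes) -> int:
    """Return the offset just past the JPEG EOI marker, or -1 if `data` is
    not a well-formed JPEG. Marker segments are walked by their length fields;
    after SOS the entropy-coded stream is scanned for FF D9, which cannot occur
    inside valid scan data (FF is always followed by 00 or a RSTn marker)."""
    if not data.startswith(SOI):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI reached with no scan data (degenerate but valid)
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows until EOI
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] == 0xD9:
                    return pos + 2
                pos += 1
            return -1
    return -1


def jpeg_trailing_bytes(data: bytes) -> bytes:
    """Bytes appended after the image proper; empty for a clean file."""
    end = jpeg_eoi_offset(data)
    return b"" if end < 0 else data[end:]


def disguised_screensaver(filename: str) -> bool:
    """True for names like 'statement.pdf.scr' that pair a document-style
    extension with the executable .scr extension (assumed disguise pattern)."""
    name = filename.lower()
    if not name.endswith(".scr"):
        return False
    stem = name[:-4]
    return any(stem.endswith(ext) for ext in DOCUMENT_EXTS)


def triage_image(data: bytes) -> dict:
    """Summarise what a defender would want to know about an image file."""
    trailer = jpeg_trailing_bytes(data)
    return {
        "is_jpeg": jpeg_eoi_offset(data) >= 0,
        "trailing_len": len(trailer),
        "trailer_is_pe": trailer.startswith(b"MZ"),
        "suspicious": len(trailer) > 0,
    }


# Constructed minimal JPEG: SOI, APP0 (JFIF), a one-component SOS with a
# stuffed FF 00 byte in the scan, then EOI. 37 bytes in total.
SAMPLE_JPEG = (
    b"\xff\xd8"
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    b"\x12\x34\xff\x00\x56"
    b"\xff\xd9"
)
# Constructed sample of a PE-like blob appended after the image.
SAMPLE_WITH_TRAILER = SAMPLE_JPEG + b"MZ" + b"\x90" * 32

if __name__ == "__main__":
    print("clean:", triage_image(SAMPLE_JPEG))
    print("trailer:", triage_image(SAMPLE_WITH_TRAILER))
    print("name check:", disguised_screensaver("Q3_statement.pdf.scr"))
```

In a real triage pipeline the trailer check would run over image files dropped by a self-extracting archive alongside the DLL sideloading indicators (a legitimate signed executable loading an unsigned DLL from its own directory); the name check is a cheap first filter for attachments delivered over messaging clients.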