Hackers have developed a new malware known as GodLoader. It exploits the widely used Godot game engine to evade detection. The malware has infected over 17,000 systems within three months.
According to Check Point Research, the malicious actors are targeting gamers across all major platforms. This includes Windows, macOS, Linux, Android, and iOS. They leverage Godot’s flexibility and its GDScript scripting language capabilities.
This allows them to execute arbitrary code and bypass detection systems. They use the game engine’s .pck files, which package game assets to embed harmful scripts. Once loaded, these maliciously crafted files trigger harmful code on victims’ devices.
This allows attackers to steal credentials or download additional payloads. The payloads include the XMRig crypto miner. The config settings for this miner malware were hosted on a private Pastebin file.
It was uploaded in May and visited 206,913 times throughout the campaign. “Since at least June 29, 2024, cybercriminals have been taking advantage of Godot Engine. They execute crafted GDScript code which triggers malicious commands and delivers malware.
This technique has remained undetected by most antivirus tools on VirusTotal. It potentially infected more than 17,000 machines in just a few months,” Check Point Research noted. The Godot engine is favored by a large community of developers.
This is due to its open-source nature and powerful capabilities. Over 2,700 developers have contributed to it. It has around 80,000 followers on platforms like Discord and YouTube.
The attackers delivered the GodLoader malware through a malware Distribution-as-a-Service (DaaS). It masks its activities using seemingly legitimate GitHub repositories.
GodLoader malware targets gaming platforms
Between September and October 2024, over 200 repositories were used. They were controlled by more than 225 Stargazer Ghost accounts. The repositories were used to deploy the malware.
It exploited victims’ trust in open-source platforms and seemingly legitimate software repositories. Check Point detected four separate attack waves between September 12 and October 3. The waves enticed developers and gamers to download infected tools and games.
While Check Point only discovered GodLoader samples targeting Windows systems, they developed GDScript proof-of-concept exploit code. It showed how easily the malware could be adapted to attack Linux and macOS systems. The threat actor behind the Stargazers Ghost Network DaaS platform has been active since at least August 2022.
It was first observed promoting this malware distribution service on the dark web in June 2023. It has reportedly earned over $100,000 since its launch. The network uses over 3,000 “ghost” accounts on GitHub.
It creates hundreds of repositories that can be used to deliver malware. The malware is mainly information stealers like RedLine and Lumma Stealer. Rémi Verschelde, a maintainer and security team member of the Godot Engine, issued a statement.
It was in response to the Check Point Research report:
“As the report states, the vulnerability is not specific to Godot. The Godot Engine is a programming system with a scripting language, similar to Python or Ruby. Malicious programs can be written in any programming language.
Users who merely have the Godot game or editor installed on their system are not specifically at risk. We encourage people to execute software only from trusted sources.”
Verschelde noted that Godot does not register a file handler for “.pck” files. This requires a malicious actor to ship the Godot runtime together with a .pck file.
It makes creating a “one click exploit” challenging, especially due to the runtime size. Users are advised to be cautious and only download software from trusted sources. This is to avoid falling victim to these sophisticated malware attacks.