FlagThis

Cybersecurity researchers at Check Point have uncovered a novel malware delivery method exploiting the popular Godot game engine. The GodLoader malware uses malicious GDScript code embedded within .pck files—files that package game assets—to execute commands and deliver further malware payloads. This technique has proven highly effective at evading detection by most antivirus engines, resulting in over 17,000 infections across Windows, macOS, Linux, Android, and iOS since June 2024. The wide platform compatibility of Godot and the ability to hide malicious code within seemingly legitimate game assets makes this a particularly dangerous development.

The attackers utilize a network of compromised GitHub accounts, dubbed the "Stargazers Ghost Network," to distribute the malicious .pck files. These accounts use tactics to make the repositories distributing GodLoader seem legitimate, increasing the likelihood that unsuspecting users will download and run the infected files. The sheer scale of the operation, with approximately 200 repositories and over 225 ghost accounts, highlights the sophistication and resources dedicated to this malware campaign. The researchers have demonstrated how this technique can successfully deploy payloads on Linux and MacOS systems, expanding the potential reach of the attack to millions of users.

This GodLoader campaign underscores the increasing creativity of cybercriminals in weaponizing seemingly benign software and leveraging open-source platforms to distribute malware. The use of Godot’s GDScript to execute malicious commands, coupled with the deceptive distribution network on GitHub, showcases a new and concerning trend in malware delivery. This highlights the urgent need for developers and users to exercise caution when downloading and running scripts from untrusted sources, particularly those involving popular game development platforms and open-source repositories. The near-universal failure of antivirus engines to detect this threat reinforces the importance of multi-layered security measures and proactive threat intelligence.

ImgSrc: research.checkpoint.com

References:

• Malware Analysis, News and Indicators - Details about the malware and its distribution network. - 28d
• Check Point Research - Technical analysis of the new malware delivery technique. - 28d
• github.com - Github repository for GodotDec. - 28d
• research.checkpoint.com - Check Point Research blog post on the Godot Engine malware. - 28d
• @screaminggoat - Infosec.exchange discusses the GodLoader attack using crafted GDScript within the Godot game engine. - 26d
• @VirusBulletin - Infosec.exchange highlights Check Point's research on GodLoader's exploitation of the Godot engine. - 26d
• Over Security - BleepingComputer reports on the GodLoader infection of thousands of gamers using Godot scripts. - 26d
• @infosecnews.bsky.social - Hackers exploit the Godot game engine to spread new GodLoader malware, infecting 17,000+ systems across platforms - 26d
• The Hacker News - The Hacker News reports on cybercriminals exploiting the Godot game engine to spread malware. - 26d
• @arstechnica - Mastodon post highlighting the GodLoader malware campaign using Godot Engine. - 26d
• Ars Technica - Ars Technica mentions the discovery of this malware campaign that uses Godot Engine to distribute malware. - 26d
• Information Security Buzz - Godot Gaming Engine Exploited to Spread Undetectable Malware - 25d
• Malware Analysis, News and Indicators - Check Point Research has a novel method by which cybercriminals exploit the Godot Engine—a popular open-source game development platform—to execute malicious GDScript code. - 23d
• www.cysecurity.news - Godot Game Engine Targeted in Widespread Malware Attack - 23d

Classification:

• HashTags: GodotEngine GodLoader MalwareLoader
• Company: Godot Engine
• Target: Godot Engine users
• Attacker:
• Product: Godot Engine
• Feature: GDScript
• Type: Malware
• Severity: Major