Introduction

The emergence of GodLoader, a newly discovered malware loader [3], highlights significant cybersecurity threats due to its ability to stealthily infect devices across multiple operating systems. This advanced malware leverages the Godot Engine’s capabilities to execute harmful scripts, posing a substantial risk to users worldwide.

Description

A newly discovered malware loader [3], known as GodLoader [4] [5] [7] [10], poses significant threats to cybersecurity by stealthily infecting devices across multiple operating systems [3], including Windows [3] [4] [8], macOS [1] [3] [4] [5] [6] [8] [10], Linux [1] [3] [4] [5] [6] [8] [10], Android [3] [4] [8] [10], and iOS [3] [4] [8] [10]. This advanced malware [3] is written in GDScript, the scripting language of the Godot Engine [11], an open-source platform widely used for creating 2D and 3D games. It executes harmful scripts embedded within game asset files while evading most antivirus detection systems. GodLoader abuses the Godot Engine's normal capabilities to deliver and execute malicious payloads, taking advantage of the flexibility the language was designed to give game developers [3].

Since its emergence in June 2024, GodLoader has reportedly compromised over 17,000 systems globally within just three months. It is distributed through the Stargazers Ghost Network [3] [4] [6] [7] [10], a sophisticated “Malware-as-a-Service” operation hosted on GitHub [3], which uses a Distribution-as-a-Service (DaaS) model built on approximately 200 repositories and over 225 accounts that artificially boost the visibility of these malicious resources. This strategy creates a facade of legitimacy, enticing users [4], particularly developers and gamers [2] [4], to download compromised software [4], often disguised as game updates [1], mods [1] [3] [11], or downloadable content [1]. Between September and October 2024 [3] [4] [7], victims [8] [10] who believed they were downloading cheats [7] [9] [10], cracked software [10], or key generators [10] instead executed the malware loader [7] [9], which can install either the XMRig cryptocurrency miner or the notorious RedLine infostealer [10], known for stealing sensitive information [11], including passwords and cryptocurrency wallet details [11]. The infection chain begins with downloading a seemingly harmless archive containing executable files and pck resource files [3]. Once executed, the malware decrypts the pck file [3], runs the malicious GDScript code it contains [3] [7], and downloads additional payloads from external servers [3], including Bitbucket repositories [5].

GodLoader employs advanced evasion techniques [3], including anti-sandboxing and anti-virtual machine checks [3], to avoid detection. It modifies Microsoft Defender Antivirus settings to exclude the entire C:\ drive [5], ensuring persistence on infected systems [5]. The malware’s ability to remain undetected by most antivirus engines enhances its danger [3], with some infected archives reportedly downloaded over 17,000 times without triggering security alerts [3]. Notably, the Godot Engine does not automatically handle pck files [8], meaning that a malicious actor must always include the Godot runtime (exe file) alongside the pck file [6] [9]. This requirement complicates widespread exploitation compared to one-click malware [8], as victims must manually unpack and execute the files.
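As an added defender-side example (not code from the original article or from any of the cited sources), the following Python script turns two points from the description above into checks a triage analyst could run: inspecting a downloaded archive for the "runtime executable plus pck file" pairing the loader depends on, and auditing a Microsoft Defender exclusion list for drive-root entries such as C:\. The GDPC magic value, the set of runtime file extensions, and every sample input are assumptions constructed for this example, not indicators taken from the article.

```python
"""Triage helpers for the GodLoader pattern described above (constructed example).

1. flag_godot_bundles(): find .pck members of a zip archive that carry the
   Godot pack magic and sit beside a runtime executable, the pairing a loader
   needs because the engine does not open .pck files on its own.
2. audit_defender_exclusions(): flag Defender path exclusions that cover an
   entire drive, such as the C:\\ exclusion reported for this loader.
"""
import io
import posixpath
import re
import zipfile

# Magic bytes at offset 0 of a Godot .pck archive ("GDPC").
# Assumption based on the engine's published pack format, not on the article.
PCK_MAGIC = b"GDPC"
# Extensions a Godot export runtime typically has per platform (assumption).
RUNTIME_SUFFIXES = {".exe", ".x86_64", ".x86_32", ".bin"}
# Matches a bare Windows drive root such as "C:" or "C:\".
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def flag_godot_bundles(archive_bytes: bytes) -> list[dict]:
    """Return one finding per .pck member of a zip archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if posixpath.splitext(name)[1].lower() != ".pck":
                continue
            with zf.open(name) as fh:
                has_magic = fh.read(4) == PCK_MAGIC
            folder = posixpath.dirname(name)
            # A runtime in the same folder is what makes the .pck executable.
            runtime = next(
                (n for n in names
                 if posixpath.dirname(n) == folder
                 and posixpath.splitext(n)[1].lower() in RUNTIME_SUFFIXES),
                None,
            )
            findings.append({
                "pck": name,
                "has_magic": has_magic,
                "runtime": runtime,
                "runnable_bundle": has_magic and runtime is not None,
            })
    return findings


def audit_defender_exclusions(exclusion_paths: list[str]) -> list[str]:
    """Return exclusion paths that disable scanning for a whole volume."""
    flagged = []
    for raw in exclusion_paths:
        path = raw.strip()
        if path in ("*", "\\", "/") or DRIVE_ROOT.match(path):
            flagged.append(path)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed zip: one real-looking bundle and one decoy .pck without magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update/game.exe", b"MZ" + b"\x00" * 64)   # stub, not a real PE
        zf.writestr("update/game.pck", PCK_MAGIC + b"\x00" * 64)
        zf.writestr("update/readme.txt", b"constructed sample")
        zf.writestr("extras/levels.pck", b"NOTG" + b"\x00" * 16)
    return buf.getvalue()


# Constructed sample of Defender exclusion paths, as an admin might export them.
SAMPLE_EXCLUSIONS = ["C:\\", "C:\\Program Files\\Steam\\", "D:\\Backups\\", " D: "]

if __name__ == "__main__":
    for finding in flag_godot_bundles(build_sample_archive()):
        print(finding)
    print("over-broad exclusions:", audit_defender_exclusions(SAMPLE_EXCLUSIONS))
```

On a Windows host the real exclusion list can be exported from PowerShell with `(Get-MpPreference).ExclusionPath` and passed to `audit_defender_exclusions`; the archive check is meant for a downloaded file before anything in it is run, and a hit on `runnable_bundle` is a reason to inspect the source of the download, not proof of malice, since legitimate Godot games ship the same layout.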

The potential impact of GodLoader extends to over 1.2 million users of games developed with Godot [10], as attackers exploit legitimate Godot executables to execute harmful scripts [10]. The cross-platform functionality of GodLoader is particularly concerning [3], as the Godot Engine allows developers to export projects to various platforms with minimal modifications [3]. Initial samples have demonstrated payload delivery on Windows [3], while proof-of-concept attacks have shown similar techniques applicable to macOS and Linux [3]. Although an Android version is not fully developed [3], researchers believe it is feasible [3], and deployment on iOS faces challenges due to Apple’s strict App Store policies but remains a potential risk [3].

Good security practices are recommended [9], including downloading software from official project websites or trusted distribution platforms like Steam and the Apple Store [9]. Users should verify the identity of contacts before executing software [9], especially in cases where accounts may have been compromised [9]. A common attack vector involves hacked Discord accounts sending malicious downloads to friends [9]. Users who downloaded Godot games or the editor from reliable sources are not at risk [9], emphasizing the importance of executing software only from trusted sources.

Check Point Research has confirmed that the attack vector does not expose a vulnerability in the Godot Engine or its users [9]. For reporting security vulnerabilities or concerns [9], users are encouraged to contact the designated email address [9]. The emergence of GodLoader exemplifies a new frontier in cross-platform malware development, exploiting trust in open-source tools like the Godot Engine and underscoring the increasing sophistication of cyber threats, necessitating vigilance and proactive security measures to mitigate risks associated with such multi-platform malware [3].

Conclusion

The discovery of GodLoader underscores the evolving landscape of cybersecurity threats, particularly those exploiting open-source platforms. Its cross-platform capabilities and sophisticated evasion techniques highlight the need for enhanced vigilance and robust security practices. Users are urged to download software from trusted sources and verify the authenticity of contacts to mitigate risks. As cyber threats continue to grow in complexity, proactive measures and awareness are crucial in safeguarding against such multi-platform malware.

References

[1] https://content.techgig.com/it-security/how-godloader-malware-threat-is-targeting-over-1-2-million-gamers/articleshow/115767690.cms
[2] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-november-28-2024
[3] https://cybersecuritynews.com/godloader-malware-multiple-platform/
[4] https://blog.checkpoint.com/research/the-exploitation-of-gaming-engines-a-new-dimension-in-cybercrime/
[5] https://cybermaterial.com/criminals-use-godot-engine-to-spread-malware/
[6] https://www.techworm.net/2024/11/hacker-exploit-godot-game-engine-malware.html
[7] https://www.infosecurity-magazine.com/news/godloader-malware-infects/
[8] https://www.blackhatethicalhacking.com/news/hackers-exploit-godot-game-engine-with-new-malware-infecting-17000-systems-in-3-months/
[9] https://godotengine.org/article/statement-on-godloader-malware-loader/
[10] https://www.helpnetsecurity.com/2024/11/27/godot-engine-malware-loader-godloader/
[11] https://www.techradar.com/pro/security/top-gaming-engine-godot-hijacked-to-infect-thousands-of-pcs-with-malware