
GodRAT Trojan

Cybercriminals are once again targeting financial organizations, with trading and brokerage firms in the crosshairs of a campaign delivering a previously unknown remote access trojan (RAT) named GodRAT. The attack spreads through malicious .SCR files disguised as financial documents, shared via Skype messenger.

Hidden Payloads Through Steganography

Recent investigations show that the attackers use steganography to conceal shellcode inside image files. Once that shellcode is extracted and executed, it downloads GodRAT from a Command-and-Control (C2) server. Evidence suggests the campaign has been running since September 9, 2024, with activity recorded as recently as August 12, 2025. Affected regions include Hong Kong, the UAE, Lebanon, Malaysia, and Jordan.

From Gh0st RAT to GodRAT

GodRAT is considered a modern evolution of Gh0st RAT, a trojan whose source code leaked in 2008 and has since been adopted widely by Chinese threat groups. Similarities have also been found with AwesomePuppet, another Gh0st RAT derivative exposed in 2023 and attributed to the prolific group Winnti (APT41).

The malware is designed with a plugin-based structure, enabling it to harvest sensitive information and deploy additional payloads such as AsyncRAT.

Infection Chain and Technical Breakdown

The attack begins with .SCR files that act as self-extracting executables. Each one carries several embedded components, among them a legitimate executable and a malicious DLL that the executable sideloads. That DLL reads shellcode hidden in a .JPG image and runs it, which in turn deploys GodRAT.
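As an added illustration (not code from the article or from the GodRAT loader), the script below shows how a responder can check a recovered .JPG for a payload riding after the image's End-Of-Image marker. It assumes the shellcode is appended after EOI, one common way of concealing data in an image file; the article does not state which method the GodRAT dropper uses. The sample image and payload are constructed inline.

```python
"""Triage helper: locate data appended after a JPEG's End-Of-Image marker.

Added example, not code from the article or from the GodRAT loader. It
assumes the shellcode sits after the EOI marker, which is one common way of
hiding a payload in an image file; the article does not say which technique
the GodRAT dropper uses.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or packed shellcode tends toward 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def jpeg_end_offset(blob: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI.

    Walking the structure, rather than searching for the FF D9 byte pair, avoids
    two false results: the thumbnail embedded in an EXIF APP1 segment has its
    own EOI, and the appended payload may itself contain FF D9.
    """
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos, n = 2, len(blob)
    while pos + 2 <= n:
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:                                  # fill byte
            pos += 1
            continue
        if marker == 0xD9:                                  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:        # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > n:
            break
        pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")
        if marker == 0xDA:                                  # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = blob[pos + 1]
                # FF 00 is a stuffed data byte, FF D0..D7 a restart marker;
                # any other FF xx ends the scan data.
                if blob[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def find_trailing_payload(blob: bytes) -> dict:
    """Report on any bytes that follow the image proper."""
    end = jpeg_end_offset(blob)
    trailing = blob[end:]
    return {
        "image_bytes": end,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "trailing_data": trailing,
    }


def is_suspicious(report: dict, min_bytes: int = 64, min_entropy: float = 6.0) -> bool:
    """A large, high-entropy trailer is what an encoded shellcode blob looks like.
    Thresholds are illustrative; a few bytes of padding after EOI is not unusual."""
    return report["trailing_bytes"] >= min_bytes and report["trailing_entropy"] >= min_entropy


def build_sample() -> tuple:
    """Constructed test input: a minimal JPEG skeleton and a stand-in payload.

    The APP1 segment embeds a thumbnail with its own SOI/EOI, as EXIF does, and
    the scan data contains a stuffed FF 00 and a restart marker, so a naive
    search for FF D9 would stop in the wrong place.
    """
    thumb = b"\xff\xd8\xff\xd9"
    app1 = b"\xff\xe1" + (2 + len(thumb)).to_bytes(2, "big") + thumb
    sos = b"\xff\xda" + (2 + 6).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    image = b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"
    payload = bytes(range(256)) * 2 + b"\xff\xd9"   # high entropy; ends in FF D9 on purpose
    return image, payload


if __name__ == "__main__":
    image, payload = build_sample()
    report = find_trailing_payload(image + payload)
    print({k: v for k, v in report.items() if k != "trailing_data"}, is_suspicious(report))
```

Walking the segment table is the point of the example: a forward search for the FF D9 byte pair stops at the EXIF thumbnail's own EOI, and a reverse search stops inside the payload whenever it happens to contain FF D9. The entropy threshold is only a heuristic; a hit should be confirmed by carving the trailer and inspecting it, not by the score alone.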

Once active, the trojan connects to its C2 server via TCP, gathering system data and details on installed antivirus tools. After transmitting this information, the C2 server issues commands. These instructions allow the malware to:

  • Inject a received plugin DLL into memory.
  • Terminate its process after closing the socket.
  • Download and execute files using the CreateProcessA API.
  • Open specific URLs through Internet Explorer commands.

Expanding Capabilities with Plugins

One notable plugin, the FileManager DLL, grants attackers broad control over the victim's system. It enables file searches, file manipulation, and folder browsing, and also serves as a delivery channel for secondary malware. Confirmed payloads include:

  • A password stealer targeting the Chrome and Edge browsers.
  • The AsyncRAT trojan for further exploitation.

GodRAT Builder and Payload Options

Researchers uncovered the GodRAT builder and the full client source code, revealing its adaptability. The builder lets an operator generate either an executable or a DLL. If the executable route is chosen, the operator can pick a legitimate binary to inject the code into, with the options including svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe, and QQScLauncher.exe.

The resulting payloads may be saved in various formats, including .exe, .com, .bat, .scr, and .pif.
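Since the builder's output formats overlap with the extensions Windows treats as executable, a file's name says little about what it is. The following triage helper is an added example (not code from the article or from the GodRAT builder): it parses the DOS and PE headers to decide whether a delivered file is a PE image, then combines that with the extension and lure-name patterns this campaign relies on. The document-extension and lure-word lists are assumptions chosen to match the "financial document" theme, and the PE header is a constructed stub.

```python
"""Triage helper: spot PE executables hiding under a lure name or a non-.exe extension.

Added example, not the article's or the builder's code. The extension set
mirrors the output formats the builder offers (.exe, .com, .bat, .scr, .pif).
Because Windows loads a PE image under .com, .scr or .pif just as it would
under .exe, the check parses the DOS and PE headers instead of trusting the
file name. The document-extension and lure-word lists are assumptions.
"""
import struct
from pathlib import PurePath

BUILDER_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}                     # assumed
LURE_WORDS = ("invoice", "statement", "report", "contract", "portfolio", "trade")  # assumed


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, head: bytes) -> list:
    """Return the reasons a delivered file looks like a disguised executable (empty = clean)."""
    path = PurePath(name)
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if is_pe(head):
        if ext in BUILDER_EXTENSIONS - {".exe"}:
            reasons.append(f"PE image delivered as {ext}")
        elif ext not in BUILDER_EXTENSIONS:
            reasons.append(f"PE image delivered with non-executable extension {ext or '(none)'}")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS and ext in BUILDER_EXTENSIONS:
        reasons.append(f"document extension {suffixes[-2]} followed by executable extension {ext}")
    if ext in BUILDER_EXTENSIONS and any(w in path.stem.lower() for w in LURE_WORDS):
        reasons.append("executable named like a financial document")
    return reasons


def build_pe_stub() -> bytes:
    """Constructed header-only PE: 'MZ', e_lfanew = 0x40, then the PE signature. Not runnable."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    for name, head in [("Q3_Trade_Statement.pdf.scr", build_pe_stub()),
                       ("setup.exe", build_pe_stub()),
                       ("chart.jpg", b"\xff\xd8\xff\xe0")]:
        print(name, classify(name, head) or "clean")
```

The header check is what makes the rule worth running: a .scr, .pif or .com that begins with an MZ header and a valid PE signature is a Windows executable whatever its name suggests, while a genuine screensaver or an actual document would not trip the extension and lure checks together.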

Legacy Code, Modern Threat

The discovery of GodRAT highlights how legacy implants like Gh0st RAT, first introduced nearly two decades ago, still pose major risks today. Constant adaptation and repurposing keep these tools relevant and ensure their long-term survival in the threat landscape. GodRAT is a reminder that even old malware codebases remain powerful weapons in the hands of skilled adversaries.
