Full Report
A popular open-source game engine called Godot Engine is being misused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024. "Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware," Check Point said in a new analysis published Wednesday. "The technique
Analysis Summary
# Tool/Technique: GodLoader Campaign utilizing Godot Engine
## Overview
This summary describes a malware campaign in which cybercriminals exploit the legitimate, open-source Godot Engine, a cross-platform game development environment, to distribute and execute the **GodLoader** malware. The technique lets adversaries bypass common antivirus detection by embedding crafted GDScript code in Godot Engine pack (`.PCK`) files, which the engine runtime loads and executes to trigger malicious commands and deliver further payloads.
## Technical Details
- Type: Malware Campaign / Delivery Mechanism
- Platform: Cross-platform (the Godot Engine runtime targets Windows, macOS, Linux, Android and others; the report's focus is broad distribution rather than any single OS).
- Capabilities: Initial execution via legitimate application container, delivery of secondary payloads, evasion of AV detection.
- First Seen: Infections observed since at least June 2024, with specific activity peaks noted in September and October 2024.
## MITRE ATT&CK Mapping
The core technique revolves around initial access and execution leveraging a trusted or legitimate binary/platform:
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (via malicious download/asset)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - **T1218 - Signed Binary Proxy Execution** (implied: a legitimate engine's runtime/files are used to run the code)
## Functionality
### Core Capabilities
- **Delivery Vector:** Uses Godot Engine pack (`.PCK`) files, which the engine runtime loads, to host and execute malicious GDScript code.
- **Initial Execution:** The crafted GDScript triggers malicious commands upon execution within the Godot environment.
- **Distribution Network:** Leverages compromised infrastructure, including approximately 200 GitHub repositories and 225 bogus accounts associated with the **Stargazers Ghost Network**, to appear legitimate.
### Advanced Features
- **Payload Staging:** GodLoader downloads and executes final-stage payloads from an external repository (specifically mentioned is Bitbucket).
- **Evasion:** The technique achieved high evasion rates, being undetected by almost all antivirus engines on VirusTotal at the time of reporting.
- **Final Payloads:** Dropped malware includes commodity threats like **RedLine Stealer** and the **XMRig cryptocurrency miner**.
## Indicators of Compromise
*Note: the analysis covers the technique as described in the provided text; specific hashes and IPs are not detailed, but the observed external components are listed.*
- File Hashes: [Not detailed in the provided text]
- File Names: `.PCK` files (Godot Engine Pack files) used for distribution.
- Registry Keys: [Not detailed in the provided text]
- Network Indicators: Final stage payloads (RedLine Stealer, XMRig) fetched from a **Bitbucket repository** (URL defanged).
- Behavioral Indicators: Execution of GDScript code within the context of a Godot Engine process, followed by network connections to download secondary malware.
## Associated Threat Actors
- Undetermined collective utilizing the **Stargazers Ghost Network** infrastructure for distribution management.
## Detection Methods
- Signature-based detection: Currently reported as mostly ineffective against the initial loader stage.
- Behavioral detection: Monitoring for unusual execution patterns within Godot Engine processes or the execution of GDScript within application files.
- YARA rules: [Not detailed in the provided text]
## Mitigation Strategies
- **Software Integrity:** Organizations should exercise caution when executing applications or assets distributed via non-official channels, especially those leveraging game engine runtimes or proprietary scripting languages.
- **Endpoint Security:** Employ advanced endpoint detection and response (EDR) solutions capable of monitoring script execution within legitimate application binaries (like game engines).
- **Network Monitoring:** Monitor outbound connections from expected application processes (like Godot Engine components) to unusual external repositories (like Bitbucket) for payload fetching.
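The behavioral detection and network monitoring points above can be turned into a simple correlation rule over endpoint telemetry. The following is an added example, not code from the Check Point analysis or from the Godot project. It assumes a JSON-lines feed with two hypothetical event types, `process_start` and `network_connect` (field names `ts`, `pid`, `ppid`, `image`, `dest_host` are assumptions), and flags a game-engine runtime that, shortly after starting, either spawns a command interpreter or connects to a code-hosting service such as Bitbucket. The watch lists and the telemetry lines are constructed for the example.

```python
"""Hunt for game-engine runtimes that behave like a loader.

Added example; it is not part of the Check Point analysis or of the Godot
project. It assumes a JSON-lines endpoint telemetry feed with two event
types, "process_start" and "network_connect" (the field names are
hypothetical), and flags an engine process that soon after starting either
spawns a command interpreter or connects to a code-hosting service.
"""
import json
from datetime import datetime

# Constructed watch lists; tune them to the estate. The report itself only
# names the Godot runtime, GDScript-triggered commands and Bitbucket-hosted
# final payloads.
ENGINE_MARKERS = ("godot",)                       # substring of image basename
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
CODE_HOSTING = {"bitbucket.org", "github.com", "gitlab.com"}

# Constructed telemetry: pid 4120 is the suspicious runtime, pid 4200 a benign one.
TELEMETRY = r"""
{"ts": "2024-10-02T10:00:00", "type": "process_start", "pid": 4100, "ppid": 900, "image": "C:\\Games\\Demo\\game.exe"}
{"ts": "2024-10-02T10:00:01", "type": "process_start", "pid": 4120, "ppid": 900, "image": "C:\\Games\\Demo\\Godot_v3.exe"}
{"ts": "2024-10-02T10:00:02", "type": "network_connect", "pid": 4100, "dest_host": "cdn.example.net", "dest_port": 443}
{"ts": "2024-10-02T10:00:03", "type": "process_start", "pid": 4133, "ppid": 4120, "image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2024-10-02T10:00:06", "type": "network_connect", "pid": 4120, "dest_host": "bitbucket.org", "dest_port": 443}
{"ts": "2024-10-02T10:00:10", "type": "process_start", "pid": 4200, "ppid": 900, "image": "/opt/games/godot"}
{"ts": "2024-10-02T10:00:12", "type": "network_connect", "pid": 4200, "dest_host": "updates.example.net", "dest_port": 443}
"""


def _basename(path):
    """Return the lower-cased file name for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_engine(image):
    name = _basename(image)
    return any(marker in name for marker in ENGINE_MARKERS)


def parse_events(jsonl_text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in jsonl_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(jsonl_text, window_seconds=600):
    """Return one finding per engine process that shows loader-like behaviour.

    A finding is raised when, within window_seconds of the engine process
    starting, it spawns an interpreter or connects to a code-hosting host.
    """
    events = parse_events(jsonl_text)
    engines = {e["pid"]: e for e in events
               if e["type"] == "process_start" and _is_engine(e["image"])}
    findings = {}

    def flag(pid, kind, ev, detail):
        entry = findings.setdefault(
            pid, {"pid": pid, "image": engines[pid]["image"], "reasons": []})
        entry["reasons"].append(
            {"kind": kind, "at": ev["ts"].isoformat(), "detail": detail})

    for ev in events:
        if ev["type"] == "process_start" and ev.get("ppid") in engines:
            parent = engines[ev["ppid"]]
            age = (ev["ts"] - parent["ts"]).total_seconds()
            if age <= window_seconds and _basename(ev["image"]) in INTERPRETERS:
                flag(parent["pid"], "spawned_interpreter", ev, ev["image"])
        elif ev["type"] == "network_connect" and ev.get("pid") in engines:
            parent = engines[ev["pid"]]
            age = (ev["ts"] - parent["ts"]).total_seconds()
            host = ev.get("dest_host", "").lower()
            if age <= window_seconds and host in CODE_HOSTING:
                flag(parent["pid"], "code_hosting_fetch", ev, host)
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect(TELEMETRY):
        print(finding["pid"], finding["image"])
        for reason in finding["reasons"]:
            print("   ", reason["at"], reason["kind"], reason["detail"])
```

Treat a hit as a hunt lead rather than a verdict: a legitimate game that self-updates from GitHub will also trip the `code_hosting_fetch` reason, so the rule is most useful when both reasons fire on the same process, or when the engine runtime arrived through a non-official channel as described under Software Integrity.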
## Related Tools/Techniques
- **GodLoader:** The specific malware loader being distributed.
- **RedLine Stealer:** A common information-stealing malware observed as a final payload.
- **XMRig:** A widely used cryptocurrency mining software observed as a final payload.