Description
Cybercriminals have leveraged the popular open-source Godot game engine to distribute malware through a new tool called GodLoader. This malware, active since mid-2024, exploits Godot’s GDScript scripting language to bypass traditional antivirus systems and infect over 17,000 systems across multiple platforms, including Windows, macOS, and Linux. The attacks have primarily targeted gamers and developers by embedding malicious code in game asset files.
Attack Details
Hackers have weaponized Godot’s .pck files to embed malicious scripts, enabling the execution of harmful code upon unpacking. This exploit was facilitated through the Stargazers Ghost Network, a malware Distribution-as-a-Service (DaaS) platform. Leveraging over 3,000 GitHub ghost accounts, the attackers created a vast network of repositories to host and distribute the malware, misleading users into downloading compromised tools and games. Between September and October 2024, the GodLoader malware campaign targeted thousands globally through over 200 fake repositories, exploiting trust in open-source platforms.
Once deployed, the malware enabled attackers to steal sensitive credentials and deliver additional payloads, such as the XMRig cryptocurrency miner. These configurations were hosted on Pastebin, where they garnered over 200,000 visits during the campaign. The Stargazer Goblin group, active since 2022, is behind this operation, earning over $100,000 by promoting GodLoader through their DaaS services. Their actions highlight the growing sophistication and monetization of cybercrime using trusted development platforms.
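As an added triage example (not from this advisory or the Godot project), the following Python script parses the directory of a standalone Godot .pck and lists the GDScript resources it carries, so a pack that should hold only art or level assets can be flagged before it is ever loaded. The pack layout assumed here (GDPC magic, format 1 for Godot 3 and format 2 for Godot 4, an encrypted-directory flag in format 2) follows the engine's pack reader; the build_sample_pck helper fabricates a constructed sample pack so the script runs offline.

```python
import struct

SCRIPT_EXTS = (".gd", ".gdc", ".gde")   # GDScript source / compiled / encrypted
PACK_DIR_ENCRYPTED = 1                  # pack_flags bit in format version 2

def parse_pck(data: bytes) -> dict:
    """Parse the directory of a standalone Godot .pck (format 1 = Godot 3, 2 = Godot 4)."""
    if data[:4] != b"GDPC":
        raise ValueError("not a Godot pack (missing GDPC magic)")
    version, major, minor, patch = struct.unpack_from("<4I", data, 4)
    pos = 20
    info = {"version": version, "godot": f"{major}.{minor}.{patch}",
            "encrypted_dir": False, "entries": []}
    if version == 2:
        pack_flags, = struct.unpack_from("<I", data, pos); pos += 4
        pos += 8                                    # file_base (uint64), not needed here
        info["encrypted_dir"] = bool(pack_flags & PACK_DIR_ENCRYPTED)
    elif version != 1:
        raise ValueError(f"unsupported pack format version {version}")
    pos += 16 * 4                                   # reserved uint32[16]
    count, = struct.unpack_from("<I", data, pos); pos += 4
    if info["encrypted_dir"]:
        return info                                 # directory is encrypted: cannot list, itself a red flag
    for _ in range(count):
        plen, = struct.unpack_from("<I", data, pos); pos += 4
        path = data[pos:pos + plen].rstrip(b"\0").decode("utf-8"); pos += plen
        offset, size = struct.unpack_from("<QQ", data, pos); pos += 16
        pos += 16                                   # md5 of the file body
        flags = 0
        if version == 2:
            flags, = struct.unpack_from("<I", data, pos); pos += 4
        info["entries"].append({"path": path, "offset": offset, "size": size, "flags": flags})
    return info

def suspicious_scripts(data: bytes) -> list:
    """Paths of script resources inside the pack: the kind GodLoader hides in 'asset' .pck files."""
    return [e["path"] for e in parse_pck(data)["entries"] if e["path"].lower().endswith(SCRIPT_EXTS)]

def build_sample_pck(paths, pack_flags: int = 0) -> bytes:
    """Constructed sample: a minimal format-2 pack directory with the given paths and empty bodies."""
    header = b"GDPC" + struct.pack("<4I", 2, 4, 2, 0) + struct.pack("<I", pack_flags)
    header += struct.pack("<Q", 0) + b"\0" * 64 + struct.pack("<I", len(paths))
    entries = b""
    for p in paths:
        raw = p.encode()
        raw += b"\0" * (-len(raw) % 4)              # Godot pads stored paths to 4-byte boundaries
        entries += struct.pack("<I", len(raw)) + raw + struct.pack("<QQ", 0, 0) + b"\0" * 16
        entries += struct.pack("<I", 0)             # per-file flags (format 2)
    return header + entries

if __name__ == "__main__":
    demo = build_sample_pck(["res://icon.png", "res://scenes/main.tscn", "res://addons/loader.gd"])
    print(suspicious_scripts(demo))
```

Point it at a real pack with `suspicious_scripts(open("game.pck", "rb").read())`; a pack whose directory is encrypted, or that carries .gd/.gdc/.gde entries where only assets are expected, deserves manual review before the game is run.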
Indicators of Compromise (IOCs)
Remediation
The Godot Engine security team has clarified that the vulnerability is not inherent to Godot but rather lies in the misuse of its open-source capabilities. As with any programming tool, this malicious use resembles the abuse seen in other scripting platforms such as Python or Ruby. Proper vigilance and adherence to best practices can mitigate the risks associated with this attack.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Hackers Exploit Godot Game Engine to Deploy GodLoader Malware
References