New GodRAT Malware Targets Financial Institutions via Screensaver and Program Files

Threat actors are deploying a new Remote Access Trojan (RAT) called GodRAT, derived from the Gh0st RAT codebase, to infiltrate financial institutions, particularly trading and brokerage firms. The malware is distributed via Skype as malicious .scr (screensaver) and .pif (Program Information File) executables disguised as legitimate financial documents, such as client lists or transaction data.
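
A triage check for the delivery method described above, added here as an example and not taken from the original article: it flags received files whose names end in .scr or .pif, and files named as documents that actually start with a PE header. The document-extension list, the sample file names and the function names are assumptions constructed for illustration.

```python
import os

# The two directly executable extensions named in the article.
RISKY_EXTS = {".scr", ".pif"}
# Document-style extensions a lure may show before the real one (assumed list).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv", ".txt", ".jpg", ".png"}


def triage(name, head):
    """Return the reasons a received file deserves review (empty list: none)."""
    reasons = []
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    stem, ext = os.path.splitext(name.rstrip(". ").lower())
    if ext in RISKY_EXTS:
        reasons.append(f"executable extension {ext}")
        # e.g. "client_list.xlsx.scr" shows as a spreadsheet when extensions are hidden
        if os.path.splitext(stem)[1] in DOC_EXTS:
            reasons.append("document extension hidden before the real one")
    elif ext in DOC_EXTS and head[:2] == b"MZ":
        # Content check: a PE image carrying a document name.
        reasons.append("PE header in a file named as a document")
    return reasons


def scan_dir(path):
    """Apply triage() to every regular file in a download or received-files folder."""
    findings = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                reasons = triage(entry.name, fh.read(2))
            if reasons:
                findings[entry.name] = reasons
    return findings


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("client_list.xlsx.scr", b"MZ\x90\x00"),
    ("transactions_2025.pif", b"MZ\x90\x00"),
    ("statement.pdf", b"MZ\x90\x00"),
    ("statement_ok.pdf", b"%PDF-1.7"),
]

if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES:
        print(sample_name, "->", triage(sample_name, sample_head) or "no finding")
```
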


Evolution of Gh0st RAT

GodRAT is an evolution of the AwesomePuppet backdoor reported in 2023, sharing code and distribution methods, and is likely linked to the Winnti APT group. Attackers use steganography to hide shellcode within image files, which then downloads the RAT from a Command-and-Control (C2) server.


Once deployed, GodRAT supports plugin-based extensions, including a FileManager plugin for reconnaissance and secondary payloads like browser password stealers and AsyncRAT for persistent access. As of August 12, 2025, the campaign has been detected in regions including Hong Kong, the UAE, Lebanon, Malaysia, and Jordan, indicating a focus on Middle Eastern and Asian financial entities.