The new RAT is delivered as malicious .scr files (Windows screensaver files, which are ordinary executables) disguised as financial documents. Until March 2025 the attackers sent them to victims over Skype; after that messenger was shut down they switched to other channels.
Researchers at Kaspersky Lab have reported the discovery of a new remote access trojan dubbed GodRAT. According to their data, the malware mainly targets small and medium-sized businesses, above all trading and brokerage companies, in the UAE, Hong Kong, Jordan, and Lebanon.
The GodRAT source code first surfaced on a popular multi-scanner service, where it had been uploaded back in July 2024. Once it infects a device, the Trojan collects information about the operating system, the local hostname, the name and ID of the malicious process, the user account, and the installed security software.
Researchers note that GodRAT supports additional plugins. In the analyzed attack, the attackers used a FileManager plugin to explore infected systems and stealer programs to harvest saved credentials from Chrome and Microsoft Edge. Alongside GodRAT, they deployed AsyncRAT as a second implant to prolong their presence on the compromised system.
Besides the trojan itself, the GodRAT V3.5_______dll.rar archive contains a builder for quickly assembling GodRAT samples; it lets the operator choose which legitimate file the malicious payload is injected into. The attackers also used steganography, hiding shellcode inside an image file that purported to contain financial data.
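As an added illustration of the two delivery details above (editor-written triage code, not Kaspersky's tooling and not anything recovered from the GodRAT builder), the following Python flags two things a mail or file gateway could check for: a PE executable renamed to .scr under a document-looking name, and bytes appended past the end of a PNG or JPEG. The page does not say how the shellcode was embedded in the image; data trailing the end marker is one common method, so this is a generic check, not a GodRAT signature. The document-name word list, the placeholder payload and the sample files are all constructed for the example.

```python
import re
import struct
import zlib
from typing import Optional

# Constructed placeholder standing in for hidden shellcode (not a real payload).
PLACEHOLDER = b"PAYLOAD-PLACEHOLDER"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Words a financial-document lure is likely to carry in its name (assumption, tune locally).
DOC_NAME = re.compile(r"invoice|statement|report|balance|financ|payment|transfer|\.pdf|\.xlsx?|\.docx?", re.I)


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def suspicious_lure(filename: str, data: bytes) -> bool:
    """Flag a .scr that is really a PE and whose name pretends to be a financial document."""
    name = filename.lower()
    return name.endswith(".scr") and is_pe(data) and DOC_NAME.search(name) is not None


def image_end(data: bytes) -> Optional[int]:
    """Offset just past the real end of a PNG (IEND chunk) or JPEG (EOI marker); None if unknown."""
    if data.startswith(PNG_MAGIC):
        pos = 8
        while pos + 8 <= len(data):                 # chunk = length(4) type(4) body crc(4)
            length, ctype = struct.unpack_from(">I4s", data, pos)
            pos += 12 + length
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(b"\xff\xd8"):
        pos = 2
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            if marker == 0xDA:                       # SOS: scan data runs up to the EOI marker;
                eoi = data.find(b"\xff\xd9", pos)    # 0xFF is byte-stuffed inside scan data,
                return eoi + 2 if eoi != -1 else None  # so the first FFD9 after SOS is the real EOI
            seglen = struct.unpack_from(">H", data, pos + 2)[0]
            pos += 2 + seglen
    return None


def trailing_bytes(data: bytes) -> bytes:
    """Bytes appended after the image proper; empty means nothing was appended (or format unknown)."""
    end = image_end(data)
    return b"" if end is None else data[end:]


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 white PNG used as a clean stand-in for the lure image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)       # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")                  # filter byte + one pixel
    return PNG_MAGIC + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG skeleton (JFIF APP0 + SOS + EOI); enough for the parser, not a picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\x56" + b"\xff\xd9"


def build_sample_pe() -> bytes:
    """Constructed MZ/PE header stub: just enough for is_pe(); it is not an executable."""
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


def triage(filename: str, data: bytes) -> dict:
    """Summarise both checks for one file, the way a gateway rule might."""
    return {"lure_scr": suspicious_lure(filename, data), "appended_bytes": len(trailing_bytes(data))}


if __name__ == "__main__":
    for name, blob in [
        ("Q3_financial_statement.pdf.scr", build_sample_pe()),
        ("balance.png", build_sample_png()),
        ("balance.png", build_sample_png() + PLACEHOLDER),
        ("report.jpg", build_sample_jpeg() + PLACEHOLDER),
    ]:
        print(name, triage(name, blob))
```

The trailing-data check only catches payloads appended after the end marker; shellcode spread across pixel bits or stored inside an extra chunk or APPn segment needs a different test (chunk/segment inventory, entropy of individual chunks), so treat a clean result here as "nothing appended", not as "no steganography".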
“GodRAT is an evolved AwesomePuppet that we found in 2023 and that is likely linked to the Winnti cyber group. The linkage is suggested by its distribution methods, specific command-line parameters, code similarities to the well-known Gh0st RAT—which has been around for decades—and shared artifacts. Adversaries often customize and rework old implants to reach as many victims as possible. The discovered Trojan confirms that even long-standing tools can remain part of the modern cyberthreat landscape,” comments Leonid Bezvershenko, Senior Expert at Kaspersky GReAT.