
The new RAT is distributed via malicious .scr files disguised as financial documents. Until March 2025, the attackers sent them through Skype, but after it was shut down they switched to other channels.
Researchers at Kaspersky Lab have reported the discovery of a new remote access trojan dubbed GodRAT. According to their data, the malware mainly targets small and medium-sized businesses — primarily trading and brokerage companies — in the UAE, Hong Kong, Jordan, and Lebanon.
The GodRAT source code was spotted on a popular multi-scanner service, where it was uploaded back in July 2024. After infecting a device, the Trojan collects information about the operating system, local hostname, the malicious process name and its ID, the user account, and the installed security software.
Researchers note that GodRAT supports additional plugins. In the analyzed attack, the attackers used FileManager to examine infected systems and info-stealer programs to steal credentials from Chrome and Microsoft Edge. In addition to GodRAT, they deployed the AsyncRAT malware as a second implant to maintain a longer presence in the compromised system.
In addition to the detected trojan, the archive GodRAT V3.5_______dll.rar includes a builder for quickly assembling GodRAT. It allows you to choose which legitimate file to inject the malicious payload into. Furthermore, the attackers used steganography to hide shellcode in an image file with purported financial data.
“GodRAT is an evolved AwesomePuppet that we found in 2023 and that is likely linked to the Winnti cyber group. The linkage is suggested by its distribution methods, specific command-line parameters, code similarities to the well-known Gh0st RAT—which has been around for decades—and shared artifacts. Adversaries often customize and rework old implants to reach as many victims as possible. The discovered Trojan confirms that even long-standing tools can remain part of the modern cyberthreat landscape,” comments Leonid Bezvershenko, Senior Expert at Kaspersky GReAT.