Cybercriminals have developed an innovative approach to covertly deliver malware across various operating systems and platforms by creating a malware loader using the Godot Engine, an open-source game development tool. This malware loader, dubbed GodLoader, is distributed via the Stargazers Ghost Network, a sophisticated network of GitHub accounts and repositories that offer malware distribution as a service. This development poses a significant threat to developers and gamers alike, highlighting the ever-evolving nature of cyber threats in the digital age.
The Godot Engine’s Exploitation Method
The Role of GDScript in the Attack
Check Point researchers revealed that over 17,000 machines have been infected by GodLoader so far, posing substantial risks, particularly for developers. Developers frequently use open-source platforms like Godot Engine for game development, which could inadvertently incorporate malicious code into their projects. Gamers are also at risk when downloading games potentially crafted with compromised tools. With over 1.2 million users of Godot-developed games, the threat from malicious scripts loaded through legitimate Godot executables is considerable. The Godot Engine supports various programming languages, including GDScript, which the threat actors used to craft the malicious code.
The Godot Engine’s exploitation primarily relies on .pck files that bundle game assets for distribution. These .pck files are essential for distributing game content, and when loaded, the malicious GDScript can be executed via built-in callback functions. This provides an entry point for attackers to download additional malware or execute remote payloads while staying concealed. GDScript’s fully functional language capabilities enable threat actors to incorporate anti-sandbox, anti-virtual machine measures, and remote payload execution, keeping the malware hidden. This covert operation allows attackers to bypass traditional security measures, making detection and prevention increasingly challenging.
Cross-Platform Threat and Proof-of-Concept
Researchers initially discovered GodLoader operating on Windows machines, but they have also demonstrated proof-of-concept loaders on macOS and Linux, confirming the feasibility and ease of these attacks across multiple platforms. An Android loader is a potential adaptation with necessary modifications, although an iOS loader remains unlikely due to Apple’s stringent App Store policies. This cross-platform threat broadens the attack surface, making virtually any system running Godot-developed applications vulnerable to exploitation.
GodLoader’s primary distribution method utilizes the Stargazers Ghost Network, which leverages a vast network of ghost accounts to disseminate various types of malware. These ghost accounts help ensure the malware’s long-term survival by targeting developers and gamers who typically search GitHub for packages and cheats. Approximately 200 repositories and over 225 Stargazer Ghost accounts were utilized for GodLoader’s distribution. Victims often believed they were downloading cracked software or key generators, but instead received GodLoader, which subsequently installed either the XMRig cryptocurrency miner or the RedLine infostealer hosted on bitbucket.org.
Distribution and Long-Term Survival
Stargazers Ghost Network’s Role in Distribution
The Stargazers Ghost Network has been a vital component in the distribution of GodLoader. Leveraging a network of ghost accounts, this sophisticated network distributes various malware types, ensuring the long-term survival of the malware while targeting developers and gamers who often search GitHub for useful packages, tools, and cheats. By tapping into this resource pool, cybercriminals can effectively spread their malicious code to a broad audience with minimal direct intervention, relying on the users’ trust in open-source platforms and repositories.
Approximately 200 repositories and over 225 Stargazer Ghost accounts have been utilized for GodLoader’s distribution. Victims frequently believed they were downloading cracked software or key generators, but instead received GodLoader, which subsequently installed either the XMRig cryptocurrency miner or the RedLine infostealer hosted on bitbucket.org. The scheme has been operational since at least June 29, 2024, with GodLoader evading detection by most antivirus tools. The combination of a targeted distribution method through a trusted platform and a discreet, undetected technique has resulted in remarkably high infection rates.
Evasion of Detection and Antivirus Shortcomings
Cybercriminals have developed a novel technique to discreetly distribute malware across different operating systems and platforms by leveraging the Godot Engine, an open-source game development tool, to create a malware loader known as GodLoader. This malicious tool is spread through the Stargazers Ghost Network, a sophisticated network comprised of various GitHub accounts and repositories that provide malware distribution as a service. This cutting-edge approach underscores the ongoing evolution of cyber threats, posing serious risks not only to developers and gamers but also to a broader range of technology users. The use of the Godot Engine for such nefarious activities is particularly alarming, as it highlights the potential for traditionally benign tools to be weaponized. As the digital landscape continues to change, the need for vigilance and robust cybersecurity measures becomes increasingly critical to safeguard against such emerging threats. This case exemplifies the constant innovation in cybercrime tactics and calls for greater awareness and preparedness among all stakeholders in the digital realm.
