Gaming Engines: An Undetected Playground for Malware Loaders

Check Point Research uncovered a new technique that exploits the Godot Engine to execute malicious GDScript code while remaining undetected by most antivirus tools. The technique has been used since June 2024, potentially infecting over 17,000 machines. A loader called GodLoader employs this method and is distributed via the Stargazers Ghost Network on GitHub. The technique allows cross-platform targeting of Windows, macOS, Linux, Android, and iOS devices. Researchers demonstrated successful payload drops on Linux and macOS. This approach could potentially target over 1.2 million users of Godot-developed games through malicious mods or downloadable content.

Author: AlienVault

Related Tags: stargazers ghost network, cross-platform, undetected technique, gdscript, godot engine, GodLoader, gaming, XMRig, T1129

Associated Indicators: