Financial institutions like trading and brokerage firms are the target of a new campaign that delivers a previously unreported remote access trojan called GodRAT.
The malicious activity involves the “distribution of malicious .SCR (screen saver) files disguised as financial documents via Skype messenger,” Kaspersky researcher Saurabh Sharma said in a technical analysis published today.
The attacks, which have been active as recently as August 12, 2025, employ a technique called steganography to conceal within image files shellcode used to download the malware from a command-and-control (C2) server. The screen saver artifacts have been detected since September 9, 2024, targeting countries and territories like Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan.
Assessed to be based on Gh0st RAT, GodRAT follows a plugin-based approach to augment its functionality in order to harvest sensitive information and deliver secondary payloads like AsyncRAT. It’s worth mentioning that Gh0st RAT had its source code leaked publicly in 2008 and has since been adopted by various Chinese hacking groups.
The Russian cybersecurity company said the malware is an evolution of another Gh0st RAT-based backdoor known as AwesomePuppet that was first documented in 2023 and is likely believed to be the handiwork of the prolific Chinese threat actor, Winnti (aka APT41).
The screen saver files act as a self-extracting executable incorporating various embedded files, including a malicious DLL that’s sideloaded by a legitimate executable. The DLL extracts shellcode hidden within a .JPG image file that then paves the way for the deployment of GodRAT.
The trojan, for its part, establishes communication with the C2 server over TCP, collects system information, and pulls the list of installed antivirus software on the host. The captured details are sent to the C2 server, after which the server responds with follow-up instructions that allow it to –
- Inject a received plugin DLL into memory
- Close the socket and terminate the RAT process
- Download a file from a provided URL and launch it using the CreateProcessA API
- Open a given URL using the shell command for opening Internet Explorer
One of the plugins downloaded by the malware is a FileManager DLL that can enumerate the file system, perform file operations, open folders, and even run searches for files at a specified location. The plugin has also been used to deliver additional payloads, such as a password stealer for Google Chrome and Microsoft Edge browsers and the AsyncRAT trojan.
Kaspersky said it discovered the complete source code for the GodRAT client and builder that was uploaded to the VirusTotal online malware scanner in late July 2024. The builder can be used to generate either an executable file or a DLL.
When the executable option is chosen, users have the choice of selecting a legitimate binary from a list to which the malicious code is injected into: svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe and QQScLauncher.exe. The final payload can be saved with one of the following file types: .exe, .com, .bat, .scr, and .pif.
“Old implant codebases, such as Gh0st RAT, which are nearly two decades old, continue to be used today,” Kaspersky said. “These are often customized and rebuilt to target a wide range of victims.”
“These old implants are known to have been used by various threat actors for a long time, and the GodRAT discovery demonstrates that legacy codebases like Gh0st RAT can still maintain a long lifespan in the cybersecurity landscape.”
