Essential Insights
- New Malware Targeting Financial Firms: A new remote access trojan named GodRAT, based on Gh0st RAT, is targeting trading and brokerage companies through disguised malicious files sent via Skype.
- Stealthy Distribution Mechanism: GodRAT uses steganography to conceal shellcode in image files, allowing it to download from a command-and-control server without detection.
- Plugin-based Functionality: The trojan employs a plugin structure for enhanced capabilities, including gathering system info and delivering secondary threats like AsyncRAT and password stealers.
- Legacy Code Resilience: Despite being nearly two decades old, the Gh0st RAT codebase continues to be adapted and used by various threat actors, demonstrating the longevity of legacy malware in modern cyber threats.
Emerging Threat in Financial Sector
A new cyber threat known as GodRAT is targeting trading and brokerage firms. Recent reports indicate attackers use steganography to conceal malware within image files, disguised as legitimate financial documents. The method involves distributing .SCR screen saver files via popular messaging platforms like Skype. This approach has gained traction, with detections in several regions, including Hong Kong and the UAE. The attacks began in September 2024 and have become increasingly active, with new campaigns surfacing as recently as August 12, 2025. Researchers highlight that the malware leverages a plugin system to collect sensitive information and deploy secondary threats, including AsyncRAT.
Additionally, GodRAT appears to be rooted in the older Gh0st RAT code, which gained notoriety after its source was leaked in 2008. Since then, various hacking groups have adapted it for their own uses, showcasing the durability and adaptability of this malware. By integrating features from different versions, GodRAT enhances its capabilities. Notably, it communicates with a command-and-control server to gather system information, identify antivirus software, and execute follow-up instructions.
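A defender-side triage check for the delivery method described above (a .SCR program named to look like a financial document), added here as an example and not taken from the researchers' report. The extension lists, reason labels and sample file names are assumptions constructed for illustration.

```python
import os
import struct

# Extensions Windows runs directly; .scr is the one named in the article.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
# Extensions a recipient expects on a financial document (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv"}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(filename: str, data: bytes) -> list:
    """Return the reasons a received file looks like a program posing as a document."""
    reasons = []
    stem, ext = os.path.splitext(filename.strip().lower())
    inner_ext = os.path.splitext(stem)[1]
    pe = is_pe(data)
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        if inner_ext in DOCUMENT_EXTS:
            reasons.append("double-extension")   # e.g. name.pdf.scr
        if pe:
            reasons.append("pe-content")         # content confirms the extension
    elif pe:
        reasons.append("pe-content-mismatch")    # program bytes under a non-program name
    return reasons


def sample_pe_header() -> bytes:
    """Constructed 68-byte stub: DOS magic, e_lfanew = 0x40, PE signature."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"


if __name__ == "__main__":
    samples = [  # constructed names and contents, not indicators from any report
        ("2025_client_statement.pdf.scr", sample_pe_header()),
        ("holdings.xlsx", sample_pe_header()),
        ("holdings.pdf", b"%PDF-1.7\n"),
    ]
    for name, blob in samples:
        print(name, triage(name, blob))
```

Any non-empty result is a reason to quarantine the file for analysis before a user opens it.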
Continuing Evolution of Cyber Attacks
Experts from cybersecurity firms emphasize the ongoing threat posed by legacy code in modern cyber attacks. GodRAT’s reliance on Gh0st RAT shows how old frameworks persist, often customized for new attacks. The trojan can load malicious plugins to perform various tasks, such as file management and even pilfering passwords from popular web browsers.
The ability of GodRAT to adapt makes it particularly concerning for financial institutions. As the malware executes commands from the remote server, it poses a significant risk to sensitive financial data. Furthermore, the public release of its source code has made it accessible for further exploitation. Organizations must remain vigilant and employ rigorous cybersecurity measures to counteract these evolving threats. The cycle of adaptation in cybercrime continues, underscoring the necessity for heightened awareness and improved defenses in the digital landscape.
