Gh0st RAT-based GodRAT attacks financial organizations
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A newly identified Remote Access Trojan named GodRAT, based on the Gh0st RAT codebase, has been targeting financial firms since September 2024. The attackers distribute malicious .scr files via Skype, using steganography to embed shellcode in images. GodRAT supports plugins and is used alongside browser password stealers and AsyncRAT. The campaign, likely an evolution of the AwesomePuppet RAT connected to Winnti APT, remains active as of August 2025. Targets include organizations in Hong Kong, United Arab Emirates, Lebanon, Malaysia, and Jordan. The attackers employ various techniques to evade detection and maintain persistent access to compromised systems.
OPENCTI LABELS :
asyncrat,steganography,gh0st rat,financial-sector,godrat,password-stealer,awesomepuppet,ms edge password stealer,skype,chrome password stealer
AI COMMENTARY :
1. Introduction to GodRAT
Based on extensive analysis of the Gh0st RAT codebase, researchers have uncovered a sophisticated new Remote Access Trojan dubbed GodRAT that has been targeting the financial sector since September 2024. This revelation highlights a persistent campaign aimed at compromising banks, investment firms, and fintech companies through advanced evasion techniques and multi-stage payload delivery. GodRAT represents a convergence of tried-and-tested malware methods with modern steganography and password-stealing capabilities, raising the stakes for security teams in the financial industry.
2. Attack Vector and Initial Infection
The primary infection vector for GodRAT involves the distribution of malicious .scr files over the Skype messaging platform. Attackers send seemingly innocuous image files that carry hidden shellcode inserted via steganography. Once a victim clicks on the .scr attachment, the embedded shellcode is extracted and executed, triggering the deployment of the GodRAT payload. Leveraging Skype ensures that malicious files can reach targets disguised as personal messages, bypassing some enterprise email filters.
3. Technical Architecture and Plugin Support
GodRAT's core architecture inherits the modular design of Gh0st RAT, enabling the use of dynamically loaded plugins. These plugins extend the RAT's functionality by providing capabilities such as keylogging, screen capture, file exfiltration, and remote command execution. The malware communicates with its command and control servers using encrypted channels, making network detection more challenging. Its modular nature also allows attackers to tailor their toolkit with additional features like the AsyncRAT implant for extra redundancy.
4. Integration with Password-Stealing Tools
In parallel with the GodRAT implant, the threat actors deploy specialized password-stealer plugins for popular browsers such as Microsoft Edge and Chrome. By harvesting stored credentials, they gain easy access to online banking portals, administrative consoles, and corporate VPN accounts. The attackers also use standalone password stealer utilities to complement the RAT's espionage capabilities, maximizing data collection from compromised hosts within the financial-sector environment.
5. Evolution from AwesomePuppet and Winnti APT
Threat intelligence points to an evolution of the AwesomePuppet RAT, a malware lineage linked to the Winnti APT group. This connection suggests that GodRAT's developers are leveraging prior infrastructure and operational knowledge to scale their campaign. The reuse of domains, similar C2 communication patterns, and shared encryption routines imply that the same threat cluster is responsible for both AwesomePuppet and the current GodRAT operations.
6. Target Profiles and Geographic Spread
The GodRAT campaign has primarily focused on organizations in Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. Targets include banks, payment processors, trading platforms, and financial services consultancies. Attackers carefully select high-value victims within these regions, reflecting both geopolitical interests and the lucrative opportunities presented by emerging financial hubs in Asia and the Middle East.
7. Evasion Strategies and Persistence
To avoid detection, GodRAT employs several evasion techniques such as process hollowing, rootkit-style driver loading, and fileless execution. The malware maintains persistence through registry modifications and scheduled tasks, ensuring it survives system reboots. Its steganography-based deployment also complicates static signature detection, while encrypted C2 communications hinder network-based anomaly scanning.
8. Implications for Financial-Sector Security
The deployment of GodRAT alongside AsyncRAT components and multiple password stealers highlights a sophisticated multi-pronged strategy against financial institutions. Security teams must consider both endpoint and network defenses to counter steganographic payloads and encrypted C2 channels. The use of Skype for initial delivery underscores the need for robust messaging security policies across all communication platforms.
9. Mitigation and Defense Recommendations
Effective defense against GodRAT requires a layered approach. Implementing advanced email and messaging filters can block malicious .scr files delivered via Skype. Endpoint detection tools should be configured to detect uncommon process behavior and driver loading. Regularly auditing browser-stored credentials and applying multi-factor authentication will limit the impact of the Chrome and Microsoft Edge password stealer plugins. Threat hunting teams should monitor for indicators of steganography and investigate unusual image file requests.
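The recommendations above ask defenders to block .scr attachments and hunt for indicators of steganography in image files. The following is an added triage helper written for this page, not code from the report or from any tool it describes; it assumes one common hiding technique, bytes appended after an image's end marker (the report does not say how GodRAT embeds its shellcode), and checks PNG and JPEG attachments for that alongside the .scr extension.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STUFFED = {0x00, *range(0xD0, 0xD8)}  # FF00 byte stuffing and RSTn markers inside entropy-coded data

def png_trailer(data):
    """Bytes after the IEND chunk, or None if the data is not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    i = len(PNG_SIG)
    while i + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[i:i + 8])
        i += 8 + length + 4  # chunk header + data + CRC (CRC not verified here)
        if ctype == b"IEND":
            return max(0, len(data) - i)
    return None

def jpeg_trailer(data):
    """Bytes after the EOI marker, or None if the data is not a JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 2 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0xD9:  # EOI: the image proper ends here
            return len(data) - (i + 2)
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers without a length field
            i += 2
            continue
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while i + 1 < len(data) and (data[i] != 0xFF or data[i + 1] in STUFFED):
                i += 1
    return None

def triage(name, data):
    """Findings for one attachment: .scr delivery and image files with appended bytes."""
    findings = []
    if name.lower().endswith(".scr"):
        findings.append(".scr (screensaver executable) delivered as an attachment")
    trailer = png_trailer(data) if data.startswith(PNG_SIG) else jpeg_trailer(data)
    if trailer:
        findings.append(f"{trailer} bytes appended after the image end marker")
    return findings

# Constructed minimal samples (not real images; PNG CRC fields are left zero):
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
PNG_OK = PNG_SIG + struct.pack(">I", 13) + b"IHDR" + IHDR + b"\0" * 4 + b"\0\0\0\0IEND\0\0\0\0"
JPEG_OK = b"\xff\xd8\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\x00\x56\xff\xd9"
```

A non-zero trailer is a triage lead, not proof of malice: some legitimate tools also append metadata after the end marker, so flagged files should be inspected rather than blocked outright.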
10. Conclusion
As GodRAT continues its global campaign targeting the financial sector, organizations must remain vigilant and adapt their security controls to counter evolving RAT threats. By understanding the malware's steganography deployment, plugin ecosystem, and connections to AwesomePuppet, defenders can better anticipate attacker tactics. Proactive threat intelligence sharing and continuous monitoring are essential to protect critical financial infrastructure from this persistent adversary.