Check Point Research has discovered that cybercriminals are exploiting the popular Godot Engine to spread malware, bypassing detection by nearly all antivirus solutions. The new technique uses Godot’s scripting language, GDScript, to deliver malicious payloads through a loader dubbed “GodLoader,” which has infected over 17,000 devices since June 2024.
New Threat Vector in Gaming Development
Godot Engine, an open-source platform for developing 2D and 3D games, is known for its flexibility and multi-platform capabilities. Its scripting language, GDScript, has become a tool for threat actors to execute malicious commands. Check Point says this method remains undetected by most antivirus engines, posing a clear and present danger to the engine’s 1.2 million users.
The malware identified in this scheme is GodLoader, which takes advantage of Godot’s ability to load external content, such as game assets and scripts, through .pck files. Once executed, these files can run malicious GDScript code to download and deploy additional malware.
The Role of the Stargazers Ghost Network
The malware’s distribution is linked to the Stargazers Ghost Network, a GitHub-based “Malware-as-a-Service” (MaaS) operation. Between September and October 2024, the network leveraged 200 repositories and over 225 accounts to make malicious repositories appear legitimate. These repositories were released in four waves, targeting developers and gamers.
The distribution strategy involved starring repositories to boost visibility and using automated GitHub actions to maintain the appearance of active development. The most recent wave of attacks occurred on 3 October 2024, using files named “Launcherkks.exe” and “Launcherkks.pck.”
A Cross-Platform Threat
Godot’s cross-platform capabilities allow the malware to target devices running Windows, macOS, Linux, Android, and potentially iOS. Check Point demonstrated successful payload deployments on Linux and macOS, highlighting the malware’s adaptability.
While Android loaders require modifications, iOS loaders face challenges due to Apple’s stringent app store policies. Despite these limitations, the malware’s flexibility poses a considerable risk across multiple operating systems.
Technical Breakdown of the Attack
GodLoader takes advantage of Godot’s ability to execute GDScript through .pck files, which can be embedded or loaded externally. The loader decrypts and runs the scripts, which often include sandbox-evasion techniques and commands to disable Microsoft Defender. The script then downloads additional payloads hosted on legitimate platforms like Bitbucket.
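The two delivery forms mentioned above (a .pck embedded in the executable and a separate .pck file next to it) can both be recognized from the container layout alone, which is useful for triage of files such as a suspicious "Launcher" pair. The following is an added example written for this article, not Check Point's tooling or Godot project code. It relies on the PCK layout used by the engine's pack loader: a standalone pack starts with the magic bytes "GDPC" followed by the pack format version and the engine major/minor/patch numbers, and an embedded pack sits inside the host file, which then ends with an 8-byte pack size and a trailing "GDPC" marker. The sample byte strings are constructed for the demonstration, not captured from GodLoader.

```python
import struct
import sys
from typing import Optional

# Godot pack magic as it appears on disk (0x43504447 stored little-endian).
PCK_MAGIC = b"GDPC"
# Fixed header prefix: magic, pack format version, engine major, minor, patch.
HEADER_FMT = "<4sIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# Embedded trailer: u64 pack size followed by the magic.
TRAILER_LEN = 8 + 4


def parse_pck_header(blob: bytes, offset: int) -> Optional[dict]:
    """Parse the fixed PCK header at `offset`; None if no magic is present."""
    if len(blob) < offset + HEADER_LEN:
        return None
    magic, fmt, major, minor, patch = struct.unpack_from(HEADER_FMT, blob, offset)
    if magic != PCK_MAGIC:
        return None
    return {"pack_format": fmt, "engine": f"{major}.{minor}.{patch}"}


def scan_for_pck(blob: bytes) -> Optional[dict]:
    """Classify a file as a standalone .pck, a host file with an embedded
    PCK appended to it, or neither (None)."""
    info = parse_pck_header(blob, 0)
    if info:
        info.update(kind="standalone", pck_offset=0)
        return info
    # Embedded form: [host bytes][pck][u64 pck_size]["GDPC"] at the very end.
    if len(blob) >= TRAILER_LEN and blob[-4:] == PCK_MAGIC:
        (pck_size,) = struct.unpack_from("<Q", blob, len(blob) - TRAILER_LEN)
        start = len(blob) - TRAILER_LEN - pck_size
        if start >= 0:
            info = parse_pck_header(blob, start)
            if info:
                info.update(kind="embedded", pck_offset=start)
                return info
    return None


def build_samples() -> dict:
    """Constructed test inputs (not real malware): a bare pack claiming to be
    for Godot 4.2.1, the same pack appended to a fake PE-like host, and a
    host with no pack at all."""
    pck = struct.pack(HEADER_FMT, PCK_MAGIC, 2, 4, 2, 1) + b"\x00" * 44
    host = b"MZ" + b"\x00" * 100
    embedded = host + pck + struct.pack("<Q", len(pck)) + PCK_MAGIC
    return {"standalone": pck, "embedded": embedded, "plain": host}


def triage_file(path: str) -> str:
    """One-line verdict for a file on disk."""
    with open(path, "rb") as fh:
        result = scan_for_pck(fh.read())
    if result is None:
        return f"{path}: no Godot pack container found"
    return (f"{path}: {result['kind']} PCK at offset {result['pck_offset']}, "
            f"pack format {result['pack_format']}, engine {result['engine']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(triage_file(p))
    else:
        for name, blob in build_samples().items():
            print(name, "->", scan_for_pck(blob))
```

Run it with file paths as arguments to report whether each file carries a pack and where; with no arguments it runs over the constructed samples. A hit on a file that is not a Godot game you expect to have installed is a triage lead, not a verdict, since the container is exactly what legitimate Godot exports also use.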
One evasion technique worth mentioning involves checking system hardware and free disk space to detect virtual environments. If the malware detects a sandbox, it aborts execution, making it difficult for analysts to study its behavior.
The Evolution of GodLoader
Since its discovery, GodLoader has undergone several modifications to enhance its stealth and functionality. Early versions embedded the .pck file within the executable, while later variants used external files and added encryption. The malware has also incorporated multi-threading and improved evasion techniques over time.
Check Point traced the earliest variant of GodLoader to 29 June 2024. Subsequent updates in July and August introduced new features, such as sandbox checks and resource restructuring. Despite these changes, the malware has remained largely undetected, highlighting its sophistication.
Broader Implications and Risks
GodLoader’s ability to exploit a legitimate development tool like Godot underscores a growing trend in malware innovation. By targeting open-source platforms, cybercriminals can reach a broader audience and bypass traditional security measures. The multi-platform nature of GodLoader further complicates detection and mitigation efforts.
Check Point warns that users of Godot-developed games and developers must remain vigilant. The attack’s success highlights the need for stronger security practices within the game development community.
“To mitigate the risks of threats like GodLoader, it is essential to keep operating systems and applications updated through timely patches and other means. Individuals should exercise caution when dealing with unexpected emails or messages containing links, particularly from unknown senders. Enhancing cybersecurity awareness among employees is also crucial, as it helps create a more vigilant workforce. Lastly, consulting security specialists for any doubts or uncertainties can provide valuable expertise and guidance in navigating potential security challenges,” Check Point concluded.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.