SUMMARY
- Cybercriminals are exploiting the Godot game engine to deliver malware called GodLoader, targeting multiple platforms like Windows, macOS, and Linux.
- GodLoader hides malicious code in game files, bypassing antivirus detection and compromising over 17,000 devices since June 2024.
- The malware uses sandbox evasion, Microsoft Defender exclusions, and GitHub-hosted repositories to distribute attacks.
- GodLoader’s payloads include RedLine Stealer and cryptocurrency miners, affecting 1.2 million Godot game users.
- The Godot team advises downloading software from trusted sources and avoiding cracked files to stay safe.
Check Point Research (CPR) has published its latest research on a novel multi-platform technique employed by cybercriminals to exploit the popular open-source game engine, Godot to deliver a newly discovered malicious payload dubbed GodLoader after bypassing traditional security measures.
The concerning aspect is GodLoader’s cross-platform functionality, making it effective on macOS, Windows, Linux, iOS, and Android. Although designed to target Windows, it can be used on Linux and macOS with minimal adjustments. The malware is, reportedly, distributed via the Stargazers Ghost Network on GitHub, using over 200 repositories and 225 accounts between September and October 2024.
“The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines,” and an attack can put 1.2 million users of Godot-developed games at risk, researchers noted in the blog post.
According to CPR’s research, cybercriminals exploit the flexibility of Godot’s scripting language, GDScript and embed malicious code within game assets, executing it when the game is launched. This is a stealthy approach, which enables attackers to bypass antivirus detection and compromise systems without raising alarms.
Further probing revealed that it uses sandbox and virtual machine detection, as well as Microsoft Defender exclusions, to avoid detection. The malware was hosted on Bitbucket.org and distributed across four attack waves, with initial payloads including RedLine Stealer and XMRig cryptocurrency miners.
For your information, Godot is a powerful tool for game development that allows developers to bundle game assets and scripts into .pck files, which contain the game’s resources, including images, sounds, and scripts. By injecting malicious GDScript code into these .pck files, attackers can trick the game engine into executing harmful commands.
As soon as the game loads the infected .pck file, the hidden script springs into action, downloading and deploying additional malware payloads onto the victim’s device.
Godot Engine’s Statement
The Godot Engine development team, in response, has issued a statement, explaining that GodLoader doesn’t exploit a specific weakness in Godot itself because like any programming language (e.g. Python or Ruby) Godot also allows the creation of both good and bad programs. Though the malware exploits Godot’s scripting language (GDScript) to deliver its payload, this doesn’t make Godot inherently unsafe.
The team also noted that it isn’t a one-click exploit because the GodLoader malware tricks users into downloading/executing a seemingly harmless file (typically a .pck file disguised as a software crack). This file wouldn’t work on its own and the attackers also must provide the Godot runtime (.exe file) separately to make it successful. This means users have to take multiple steps to install the malware, making it less likely to be a one-click exploit.
Nonetheless, team Godot emphasizes the importance of good security habits and downloading from trusted sources like official websites, established distribution platforms, or trusted individuals. Windows and macOS users should check for signed executables and notarization by a trusted party and avoid using cracked software as it is a common target for malicious actors.
RELATED TOPICS
- Gcore Thwarts 500M PPS DDoS Attack on Gaming Firm
- What is Blockchain Gaming and its Play-to-Earn Model?
- Exploring Data Privacy and Security in B2B Gaming Data
- Winos4.0 Malware Hits Windows via Fake Gaming Apps
- Gaming Firms, Community Members Hit by Dark Frost Botnet