New GodRAT Weaponizing Screen Saver and Program Files to Attack Organizations

A sophisticated new Remote Access Trojan named GodRAT has emerged as a significant threat to financial institutions, leveraging deceptive screen saver files and steganographic techniques to infiltrate organizational networks.

First detected in September 2024, this malware campaign has demonstrated remarkable persistence, with the most recent attacks observed as recently as August 12, 2025, indicating an ongoing and evolving threat landscape.

The threat actors behind GodRAT have employed a multi-faceted distribution strategy, primarily targeting trading and brokerage firms through Skype messenger.

GodRAT.h (Source – Securelist)

Their approach involves disguising malicious .scr (screen saver) and .pif (Program Information File) files as legitimate financial documents, exploiting the trust inherent in business communications.

The malware’s sophistication extends beyond simple file masquerading, incorporating advanced steganographic techniques that embed shellcode within seemingly innocuous image files to evade traditional security detection mechanisms.

Securelist analysts identified GodRAT as an evolution of the previously documented AwesomePuppet RAT, both sharing the same underlying Gh0st RAT codebase foundation.

gh0st.h (Source – Securelist)

This shared lineage suggests a deliberate refinement of existing attack methodologies, potentially linked to the Winnti APT group’s operational patterns.

The malware’s geographic distribution has been particularly focused on Hong Kong, the United Arab Emirates, Jordan, Lebanon, and Malaysia, indicating a targeted approach toward specific regional financial markets.

The attack timeline reveals a calculated escalation, beginning with initial detections in Hong Kong and expanding to multiple Middle Eastern territories.

The threat actors have demonstrated operational flexibility by adapting their file naming conventions to match regional language preferences and business contexts, including Chinese and Indonesian language variants designed to blend seamlessly with local business communications.

Advanced Steganographic Infection Mechanism

GodRAT’s most notable technical innovation lies in its sophisticated steganographic payload delivery system, which represents a significant advancement in malware distribution techniques.

The malware employs a two-stage shellcode loader architecture, with the secondary loader extracting hidden shellcode from embedded image files that appear to contain legitimate financial data.

The steganographic implementation involves embedding shellcode bytes within image files such as “2024-11-15_23.45.45.jpg”, which visually displays financial information while concealing malicious code.

Content of self-extracting executable (Source – Securelist)

The loader “SDL2.dll” performs the extraction by allocating memory, copying the hidden shellcode bytes out of the image, and spawning a thread to execute them. Because the carrier file still opens as an ordinary image, this technique evades signature-based detection that relies on file header analysis or content scanning.

Upon successful extraction, the shellcode initiates a search for the configuration marker “godinfo,” followed by single-byte XOR decoding using the key 0x63.

The decoded configuration contains critical operational parameters including C2 server details and module command strings.

The malware then establishes communication with its command-and-control infrastructure by transmitting the authentication string “GETGOD,” triggering the download of additional payload components including UPX-packed GodRAT DLL modules and browser credential stealing capabilities.
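The marker-and-XOR configuration step described above lends itself to a simple triage helper. The following is an added example for analysts, not code from Securelist or from the malware: it scans a byte blob for the “godinfo” marker and XOR-decodes the bytes that follow with the key 0x63. The exact layout after the marker (assumed here to be NUL-terminated) and the sample blob are constructed assumptions, not details from the report.

```python
import re

MARKER = b"godinfo"   # configuration marker named in the analysis
XOR_KEY = 0x63        # single-byte XOR key named in the analysis


def find_godinfo_configs(blob: bytes, max_len: int = 512) -> list[tuple[int, bytes]]:
    """Locate every "godinfo" marker in a blob and XOR-decode what follows it.

    Assumption (not stated in the report): the encoded configuration starts
    right after the marker and ends with an encoded NUL byte (0x00 ^ 0x63 = 0x63),
    so decoding stops at the first 0x63 byte or after max_len bytes.
    Returns a list of (marker_offset, decoded_config) tuples.
    """
    results = []
    for m in re.finditer(re.escape(MARKER), blob):
        start = m.end()
        decoded = bytearray()
        for b in blob[start:start + max_len]:
            if b == XOR_KEY:          # encoded NUL marks the end (assumed layout)
                break
            decoded.append(b ^ XOR_KEY)
        results.append((m.start(), bytes(decoded)))
    return results


def encode_config(plain: bytes) -> bytes:
    """Build a marker + XOR-encoded config + encoded NUL, used only for the constructed sample."""
    return MARKER + bytes(b ^ XOR_KEY for b in plain) + bytes([0x00 ^ XOR_KEY])


# Constructed sample: filler bytes around a fake config with placeholder C2 details.
SAMPLE_CONFIG = b"c2.example.invalid:443|GETGOD"
SAMPLE_BLOB = b"\x90" * 32 + encode_config(SAMPLE_CONFIG) + b"\xcc" * 16

if __name__ == "__main__":
    for offset, cfg in find_godinfo_configs(SAMPLE_BLOB):
        print(f"godinfo marker at offset {offset:#x}: {cfg!r}")
```

Run it against a memory dump or an extracted shellcode file instead of SAMPLE_BLOB to recover C2 strings for blocking and hunting.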


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.