426/67 Friday, November 29, 2024
A group of hackers has leveraged the popular open-source Godot Engine to develop and distribute malware called GodLoader. This malware is designed to evade antivirus detection and has already infected over 17,000 systems within just three months. According to Check Point, a cybersecurity research company, GodLoader targets multiple platforms, including Windows, macOS, Linux, Android, and iOS, utilizing the capabilities of GDScript, Godot’s scripting language. This enables malicious code to be embedded within .pck files commonly used for game resource storage. When users open these files, the malicious code executes, allowing attackers to steal sensitive information, such as passwords, or download additional malware like XMRig, a cryptocurrency mining program. The malware has been distributed via files on Pastebin, which amassed over 200,000 views during the campaign.
GodLoader is disseminated through a network called Stargazers Ghost Network, a Distribution-as-a-Service (DaaS) operation that delivers malware to targeted systems. GitHub is used as the primary platform to obscure its operations. The network created over 3,000 fake user accounts to establish more than 200 repositories between September and October 2024. Check Point found that the hackers exploited the trust developers and users place in open-source platforms by creating seemingly legitimate projects to trick victims into downloading malware-infused tools and games. This attack has significantly impacted game developers and gamers alike.
Check Point’s findings also reveal that the malware is tailored for easier exploitation of Linux and macOS systems, though examples primarily targeting Windows have been identified. The report highlights that Stargazer Goblin, the hacker group behind this network, has been promoting its DaaS services on the Dark Web since 2023, earning over $100,000 in revenue. They use fake GitHub accounts to push malicious content to GitHub’s trending sections, increasing its credibility and visibility.
This incident underscores the risks of unprotected open-source platforms. Users are advised to avoid downloading software or tools from untrusted sources and keep security software up to date. Open-source platform developers are encouraged to implement stricter security measures, such as content and account verification, to reduce the risk of malware distribution in the future.