Malware. Used by 1 actor.

GodRAT

GodRAT is a previously unreported remote access trojan (RAT) built on the open-source Gh0st RAT codebase. It was observed in an active campaign first detected in September 2024 and still active through at least August 12, 2025, targeting financial institutions, especially trading and brokerage firms, with activity observed in Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. Delivery involved malicious .scr and .pif files disguised as financial documents and distributed primarily via Skype; reporting also notes use of Windows screensaver files against financial institutions.

The infection chain used steganography to hide shellcode in image files; loaders extracted the shellcode, injected it into memory, and then retrieved second-stage payloads from command-and-control (C2) servers. One observed sample was a self-extracting .scr containing SDL2.dll, loaded by Valve.exe; the loader and Valve.exe were signed with an expired DigiCert-issued certificate for Valve. A related loader established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp pointing to Valve.exe. The first-stage shellcode searched for the string "godinfo", decoded configuration data with the XOR key 0x63, connected to the C2 server, sent "GETGOD", and received second-stage shellcode containing a UPX-packed GodRAT DLL.

The GodRAT DLL had the internal name ONLINE.dll, exported a single function named "run", used the unusual command-line argument "-Puppet", and attempted to execute inside curl.exe or cmd.exe. Capabilities directly reported include collection of OS details, hostname, process information, username, installed antivirus information, and the presence of a capture driver; injection of plugin DLLs into memory; downloading and executing files from URLs; opening URLs through Internet Explorer; and writing configuration data to %AppData%\config.ini. Outbound data was compressed with zlib, prepended with a 15-byte header, and XOR-encoded three times before transmission.
Researchers observed use of the FileManager plugin (internal name FILE.dll, export "PluginMe") for host exploration and file operations including listing, reading, writing, moving, deleting, and searching files/directories, executing applications and commands, and dropping/running 7zip from %AppData%\7z.exe and %AppData%\7z.dll. Post-compromise activity also included deployment of Chrome and Microsoft Edge password stealers and AsyncRAT as a secondary implant for persistence and extended access. Researchers assessed with high confidence that GodRAT is an evolution of AwesomePuppet and likely linked to Winnti APT activity based on shared code, the unusual "-Puppet" parameter, and other protocol and implementation similarities. Reported infrastructure included GodRAT C2 IPs 103.237.92.191, 118.99.3.33, 118.107.46.174, and 154.91.183.174.
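The host-level indicators above (the MyStartupApp Run key launching Valve.exe, the four C2 addresses, the files written under %AppData% and %ALLUSERSPROFILE%, and the "godinfo" marker with its 0x63 XOR key) are enough to build a small triage check. The script below is an added example, not code from the page or from the researchers who published the report. It runs the checks over constructed telemetry records; the record shapes, the sample data, the 64-byte decode window and the NUL-terminated config string after the marker are assumptions made for this example, since the report quoted here gives the marker and key but not the layout of the data that follows.

```python
"""Host-triage helpers for the GodRAT indicators described above.

Added example, not code from the original page or from the researchers.
Indicator values (C2 IPs, Run-key name, Valve.exe, dropped paths, the
"godinfo" marker and XOR key 0x63) are taken from the write-up; the record
shapes and all SAMPLE_* data are constructed for this example.
"""
import re

# Indicators from the write-up above
GODRAT_C2_IPS = {"103.237.92.191", "118.99.3.33", "118.107.46.174", "154.91.183.174"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "MyStartupApp"
SHELLCODE_MARKER = b"godinfo"
CONFIG_XOR_KEY = 0x63

# %AppData% expands to ...\AppData\Roaming and %ALLUSERSPROFILE% to C:\ProgramData,
# so the expanded on-disk paths are matched by their tails (case-insensitive).
DROPPED_FILE_PATTERNS = [
    re.compile(r"\\appdata\\roaming\\(config\.ini|7z\.exe|7z\.dll)$", re.I),
    re.compile(r"\\programdata\\google\\chrome\.exe$", re.I),
]


def check_run_keys(entries):
    """Flag Run-key values named MyStartupApp or that launch Valve.exe."""
    findings = []
    for entry in entries:
        name, value = entry["name"], entry["value"]
        if name.lower() == RUN_VALUE_NAME.lower() or "valve.exe" in value.lower():
            findings.append(f"run-key persistence: {RUN_KEY}\\{name} = {value}")
    return findings


def check_connections(connections):
    """Flag processes talking to a known GodRAT C2 address."""
    return [
        f"C2 contact: pid {c['pid']} {c['process']} -> {c['remote_ip']}:{c['remote_port']}"
        for c in connections
        if c["remote_ip"] in GODRAT_C2_IPS
    ]


def check_dropped_files(paths):
    """Flag on-disk artifacts the RAT and its FileManager plugin are reported to write."""
    return [
        f"dropped artifact: {p}"
        for p in paths
        if any(pat.search(p) for pat in DROPPED_FILE_PATTERNS)
    ]


def find_config_marker(blob, window=64):
    """Locate the 'godinfo' marker in a carved image or shellcode blob and
    XOR-decode the bytes that follow it with 0x63.

    The page gives the marker and the key but not the layout of the data
    after the marker; the fixed window and the NUL-terminated string are
    assumptions made for this example. Returns (offset, decoded) or None.
    """
    offset = blob.find(SHELLCODE_MARKER)
    if offset < 0:
        return None
    start = offset + len(SHELLCODE_MARKER)
    decoded = bytes(b ^ CONFIG_XOR_KEY for b in blob[start:start + window])
    return offset, decoded.split(b"\x00", 1)[0]


def triage(host):
    """Run all host checks and return the list of findings."""
    return (
        check_run_keys(host["run_keys"])
        + check_connections(host["connections"])
        + check_dropped_files(host["files"])
    )


# Constructed sample telemetry (not real data); 198.51.100.7 is a documentation address.
SAMPLE_HOST = {
    "run_keys": [
        {"name": "OneDrive", "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
        {"name": "MyStartupApp", "value": r"C:\Users\alice\AppData\Roaming\Valve\Valve.exe"},
    ],
    "connections": [
        {"pid": 4120, "process": "curl.exe", "remote_ip": "118.99.3.33", "remote_port": 443},
        {"pid": 1337, "process": "msedge.exe", "remote_ip": "198.51.100.7", "remote_port": 443},
    ],
    "files": [
        r"C:\Users\alice\AppData\Roaming\config.ini",
        r"C:\Users\alice\AppData\Roaming\7z.exe",
        r"C:\ProgramData\google\chrome.exe",
        r"C:\Users\alice\Documents\report.pdf",
    ],
}

# Constructed blob: 16 filler bytes, the marker, then a fake config string
# XOR-encoded with 0x63 and NUL-terminated (203.0.113.10 is a documentation address).
SAMPLE_BLOB = (
    b"\x90" * 16
    + SHELLCODE_MARKER
    + bytes(b ^ CONFIG_XOR_KEY for b in b"203.0.113.10:443\x00")
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST):
        print(finding)
    print(find_config_marker(SAMPLE_BLOB))
```

On the sample host the triage returns five findings: the Run-key entry, the curl.exe connection to 118.99.3.33 (the report notes the DLL tries to run inside curl.exe or cmd.exe, so that process name is worth keeping in the finding), and the three dropped files. The Valve.exe match is deliberately broad because the binary itself is legitimately signed; the Run-key name and location, not the signature, are what distinguish this persistence.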


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Winnti APT

The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase.

via securelist.com
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (Evidence: 1)

In September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger.

Execution

1 technique
T1059.003 Windows Command Shell (Evidence: 1)

Execute a specified command line with a hidden window using cmd.exe

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

One such loader (MD5 58f54b88f2009864db7e7a5d1610d27d) creates a registry load point entry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp” that points to the legitimate executable Valve.exe.

Privilege Escalation

2 techniques
T1055 Process Injection (Evidence: 1)

A new section is then created in the memory of an executable process, where the decoded shellcode is copied. Then the new section is mapped into the process memory and a thread is spawned to execute the shellcode.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

One such loader (MD5 58f54b88f2009864db7e7a5d1610d27d) creates a registry load point entry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp” that points to the legitimate executable Valve.exe.

Stealth

4 techniques
T1027.003 Steganography (Evidence: 1)

To evade detection, the attackers used steganography to embed shellcode within image files.

T1036 Masquerading (Evidence: 1)

In addition to malicious .scr (screen saver) files, attackers also used .pif (Program Information File) files masquerading as financial documents.

T1055 Process Injection (Evidence: 1)

A new section is then created in the memory of an executable process, where the decoded shellcode is copied. Then the new section is mapped into the process memory and a thread is spawned to execute the shellcode.

T1070.004 File Deletion (Evidence: 1)

Delete a file at a specified path... Recursively delete files at a specified path

Credential Access

2 techniques
T1555 Credentials from Password Stores (Evidence: 1)

Once installed, attackers utilized the FileManager plugin to explore the victim’s systems and deployed browser password stealers to extract credentials.

T1555.003 Credentials from Web Browsers (Evidence: 1)

The stealer is placed at “%ALLUSERSPROFILE%\google\chrome.exe”... It looks for Chrome database files with login data for accessed websites... The module attempts to extract passwords using... Edge User Data\Default\Login Data

Discovery

2 techniques
T1082 System Information Discovery (Evidence: 1)

It collects the following victim information: OS information, local hostname, malware process name and process ID, user account name associated with malware process, installed antivirus software and whether a capture driver is present.

T1083 File and Directory Discovery (Evidence: 1)

The plugin can perform the following operations based on the commands it receives: List files and folders at a specified location... Search for files at a specified location, collecting absolute file paths, sizes, and last write times

Collection

1 technique
T1560 Archive Collected Data (Evidence: 1)

Execute 7zip by writing hard-coded 7zip executable bytes to “%AppData%\7z.exe” ... and then runs “%AppData%\7z.exe” with parameters provided by the C2.

Command and Control

3 techniques
T1071 Application Layer Protocol (Evidence: 1)

The shellcode connects to the C2 server and transmits the string “GETGOD.” The C2 server responds with data representing the next (second) stage of the shellcode.

T1105 Ingress Tool Transfer (Evidence: 1)

Download a file from a provided URL and launch it using the CreateProcessA API... The attackers deployed the following second-stage implants using GodRAT’s FileManager plugin

T1219 Remote Access Tools (Evidence: 1)

The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT... In addition to GodRAT, they also used AsyncRAT as a secondary implant to maintain extended access.

INDICATORS OF COMPROMISE

IOCs tracked for this family

26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network (4 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (22 tracked): File hashes (MD5, SHA-1, SHA-256) from samples and reports.