{
	"id": "5856051b-b7bb-43a9-8cc8-3779d3d2057b",
	"created_at": "2026-04-06T00:15:07.272694Z",
	"updated_at": "2026-04-10T03:32:20.757591Z",
	"deleted_at": null,
	"sha1_hash": "11b5ce5fe0a792d76314d27964a1aa468bed70d9",
	"title": "GodRAT - New RAT targeting financial institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2792714,
	"plain_text": "GodRAT - New RAT targeting financial institutions\r\nBy Saurabh Sharma\r\nPublished: 2025-08-19 · Archived: 2026-04-05 22:05:23 UTC\r\nSummary\r\nIn September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution\r\nof malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a\r\nnewly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade\r\ndetection, the attackers used steganography to embed shellcode within image files. This shellcode downloads GodRAT from\r\na Command-and-Control (C2) server.\r\nGodRAT supports additional plugins. Once installed, attackers utilized the FileManager plugin to explore the victim’s\r\nsystems and deployed browser password stealers to extract credentials. In addition to GodRAT, they also used AsyncRAT as\r\na secondary implant to maintain extended access.\r\nGodRAT is very similar to the AwesomePuppet, another Gh0st RAT-based backdoor, which we reported in 2023, both in its\r\ncode and distribution method. This suggests that it is probably an evolution of AwesomePuppet, which is in turn likely\r\nconnected to the Winnti APT.\r\nAs of this blog’s publication, the attack remains active, with the most recent detection observed on August 12, 2025. Below\r\nis a timeline of attacks based on detections of GodRAT shellcode injector executables. 
In addition to malicious .scr (screen\r\nsaver) files, attackers also used .pif (Program Information File) files masquerading as financial documents.\r\nGodRAT shellcode injector executable MD5 | File name | Detection date | Country/territory | Distribution\r\ncf7100bbb5ceb587f04a1f42939e24ab | 2023-2024ClientList\u0026.scr | 2024-09-09 | Hong Kong | via Skype\r\ne723258b75fee6fbd8095f0a2ae7e53c | 2024-11-15_23.45.45 .scr | 2024-11-28 | Hong Kong | via Skype\r\nd09fd377d8566b9d7a5880649a0192b4 | 2024-08-01_2024-12-31Data.scr | 2025-01-09 | United Arab Emirates | via Skype\r\na6352b2c4a3e00de9e84295c8d505dad | 2025TopDataTransaction\u0026.scr | 2025-02-28 | United Arab Emirates | NA\r\n6c12ec3795b082ec8d5e294e6a5d6d01 | 2024-2025Top\u0026Data.scr | 2025-03-17 | United Arab Emirates | via Skype\r\nbb23d0e061a8535f4cb8c6d724839883 | Corporate customer transaction \u0026volume.pif; corporate customer transaction \u0026volume.zip | 2025-05-26 | United Arab Emirates; Lebanon; Malaysia | NA\r\n160a80a754fd14679e5a7b5fc4aed672 | company self-media account application qualifications\u0026.zip; 个人信息资料\u0026.pdf.pif; informasi pribadi \u0026pelanggan global.pdf.pif; global customers preferential deposit steps\u0026.pif | 2025-07-17 | Hong Kong | NA\r\n2750d4d40902d123a80d24f0d0acc454 | 2025TopClineData\u00261.scr | 2025-08-12 | United Arab Emirates | NA\r\n441b35ee7c366d4644dca741f51eb729 | 2025TopClineData\u0026.scr | 2025-08-12 | Jordan | NA\r\nhttps://securelist.com/godrat/117119/\r\nPage 1 of 8\r\nTechnical details\r\nMalware implants\r\nShellcode loaders\r\nWe identified the use of two types of shellcode loaders, both of which execute the shellcode by injecting it into their own\r\nprocess. 
The first embeds the shellcode bytes directly into the loader binary, and the second reads the shellcode from an\r\nimage file.\r\nA GodRAT shellcode injector file named “2024-08-01_2024-12-31Data.scr” (MD5 d09fd377d8566b9d7a5880649a0192b4)\r\nis an executable that XOR-decodes embedded shellcode using the following hardcoded key:\r\n“OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB”. A new memory section is then created in the loader’s own\r\nprocess, the decoded shellcode is copied into it, the section is mapped into the process memory, and\r\na thread is spawned to execute the shellcode.\r\nAnother file, “2024-11-15_23.45.45 .scr” (MD5 e723258b75fee6fbd8095f0a2ae7e53c), serves as a self-extracting\r\nexecutable containing several embedded files as shown in the image below.\r\nContent of self-extracting executable\r\nAmong these is “SDL2.dll” (MD5 512778f0de31fcce281d87f00affa4a8), which is a loader. The loader “SDL2.dll” is loaded\r\nby the legitimate executable Valve.exe (MD5 d6d6ddf71c2a46b4735c20ec16270ab6). Both the loader and Valve.exe are\r\nsigned with an expired digital certificate. The certificate details are as follows:\r\nSerial Number: 084caf4df499141d404b7199aa2c2131\r\nIssuer Common Name: DigiCert SHA2 Assured ID Code Signing CA\r\nValidity: Not Before: Friday, September 25, 2015 at 5:30:00 AM; Not After: Wednesday, October 3, 2018 at 5:30:00 PM\r\nSubject: Valve\r\nThe loader “SDL2.dll” extracts shellcode bytes hidden within an image file “2024-11-15_23.45.45.jpg”. The image file\r\nrepresents some sort of financial details as shown below.\r\nThe loader allocates memory, copies the extracted shellcode bytes, and spawns a thread to execute it. We’ve also identified\r\nsimilar loaders that extracted shellcode from an image file named “2024-12-10_05.59.18.18.jpg”. 
One such loader (MD5\r\n58f54b88f2009864db7e7a5d1610d27d) creates a persistence entry (registry load point) at\r\n“HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyStartupApp” that points to the legitimate executable\r\nValve.exe.\r\nShellcode functionality\r\nThe shellcode begins by searching for the string “godinfo,” which is immediately followed by configuration data that is\r\ndecoded using the single-byte XOR key 0x63. The decoded configuration contains the following details: C2 IP address, port,\r\nand module command line string. The shellcode connects to the C2 server and transmits the string “GETGOD.” The C2\r\nserver responds with data representing the next (second) stage of the shellcode. This second-stage shellcode includes\r\nbootstrap code, a UPX-packed GodRAT DLL and configuration data. However, after downloading the second-stage\r\nshellcode, the first-stage shellcode overwrites the configuration data in the second stage with its own configuration data. A\r\nnew thread is then created to execute the second-stage shellcode. The bootstrap code injects the GodRAT DLL into memory\r\nand subsequently invokes the DLL’s entry point and its exported function “run.” The entire next-stage shellcode is passed as\r\nan argument to the “run” function.\r\nGodRAT\r\nThe GodRAT DLL has the internal name ONLINE.dll and exports only one method: “run”. It checks the command line\r\nparameters and performs the following operations:\r\n1. If the number of command line arguments is one, it copies the command line from the configuration data, which\r\nwas “C:\\Windows\\System32\\curl.exe” in the analyzed sample. Then it appends the argument “-Puppet” to the\r\ncommand line and creates a new process with the command line “C:\\Windows\\System32\\curl.exe -Puppet”. The\r\nparameter “-Puppet” was used in AwesomePuppet RAT in a similar way. 
If this fails, GodRAT tries to create a\r\nprocess with the hardcoded command “%systemroot%\\system2\\cmd.exe -Puppet”. If successful, it suspends the\r\nprocess, allocates memory, and writes the shellcode buffer (passed as a parameter to the exported function “run”) to\r\nthe allocated memory. A thread is then created to execute the shellcode, and the current process exits. This is done to\r\nexecute GodRAT inside the curl.exe or cmd.exe process.\r\n2. If the number of command line arguments is greater than one, it checks if the second argument is “-Puppet.” If true,\r\nit proceeds with the RAT’s functionality; otherwise, it acts as if the number of command line arguments is one, as\r\ndescribed in the previous case.\r\nThe RAT establishes a TCP connection to the C2 server on the port from the configuration blob. It collects the following\r\nvictim information: OS information, local hostname, malware process name and process ID, user account name associated\r\nwith the malware process, installed antivirus software and whether a capture driver is present. A capture driver is probably\r\nneeded for capturing pictures, but we haven’t observed such behavior in the analyzed sample.\r\nThe collected data is zlib (deflate) compressed and then prefixed with a 15-byte header. Afterward, it is XOR-encoded\r\nthree times per byte. The final data sent to the C2 server thus consists of the 15-byte header followed by the compressed data blob.\r\nThe header consists of the following fields: magic bytes (\\x74\\x78\\x20), total size (compressed data size + header size),\r\ndecompressed data size, and a fixed DWORD (1 for incoming data and 2 for outgoing data). The data received from the C2\r\nis only XOR-decoded, again three times per byte, and is not decompressed. This received data includes a 15-byte header followed by the command\r\ndata. 
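The first-stage chain described above, modelled in Python as an added example (this is not code from the Securelist post, and not the malware’s own code): the injector’s repeating-key XOR with the reported key, locating the ‘godinfo’ marker and XOR-decoding the configuration with 0x63, and building and parsing the 15-byte C2 frame with its zlib body, magic bytes, size fields and direction DWORD. Whatever the post does not state is an assumption and is marked as such in the code: little-endian DWORDs in the header, a NUL-separated layout and a 64-byte length for the configuration region, that the XOR passes cover the header as well as the body, and the three XOR pass values themselves. The shellcode blob and the victim-info string are constructed inline for the example.

```python
# Added example, not code from the Securelist post or the malware. Models the
# GodRAT first stage as described: injector XOR key, 'godinfo' config marker,
# GETGOD handshake and the 15-byte C2 frame. Values the post does not give are
# marked ASSUMED.
import struct
import zlib

# --- Injector: repeating-key XOR over the embedded shellcode -----------------
# Key reported for '2024-08-01_2024-12-31Data.scr' (MD5 d09fd377...).
LOADER_KEY = b'OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB'

def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    # XOR is its own inverse: the same call encodes and decodes.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# --- Stage-one shellcode: 'godinfo' marker, config XORed with 0x63 -----------
CONFIG_MARKER = b'godinfo'
CONFIG_XOR = 0x63
CONFIG_LEN = 64            # ASSUMED size of the config region after the marker
HELLO = b'GETGOD'          # sent to the C2 to request the second stage
NUL = bytes(1)             # a single 0x00 byte

def decode_config(shellcode: bytes) -> list:
    # The post names the fields (C2 IP, port, module command line) but not
    # their encoding; NUL-separated strings are ASSUMED for this example.
    pos = shellcode.find(CONFIG_MARKER)
    if pos < 0:
        raise ValueError('godinfo marker not found')
    start = pos + len(CONFIG_MARKER)
    raw = bytes(b ^ CONFIG_XOR for b in shellcode[start:start + CONFIG_LEN])
    return raw.rstrip(NUL).split(NUL)

# --- C2 framing: 15-byte header + body, then per-byte XOR passes -------------
MAGIC = bytes.fromhex('747820')        # magic bytes from the post
DIR_INCOMING, DIR_OUTGOING = 1, 2      # fixed DWORD from the post
HEADER = struct.Struct('<3sIII')       # 3 + 4 + 4 + 4 = 15 bytes; LE ASSUMED
XOR_PASSES = (0x5A, 0x3C, 0xE7)        # three passes; the VALUES are ASSUMED

def xor_passes(buf: bytes, keys=XOR_PASSES) -> bytes:
    # Constant-key passes commute, so the same function also decodes.
    for k in keys:
        buf = bytes(b ^ k for b in buf)
    return buf

def build_outgoing(victim_info: bytes) -> bytes:
    # Implant -> C2: zlib-compress, prepend the header, XOR the whole frame
    # (ASSUMED: the post does not say whether the header is excluded).
    body = zlib.compress(victim_info)
    hdr = HEADER.pack(MAGIC, HEADER.size + len(body), len(victim_info), DIR_OUTGOING)
    return xor_passes(hdr + body)

def build_incoming(command: bytes) -> bytes:
    # C2 -> implant: no compression, only the XOR passes.
    hdr = HEADER.pack(MAGIC, HEADER.size + len(command), len(command), DIR_INCOMING)
    return xor_passes(hdr + command)

def parse_frame(raw: bytes) -> dict:
    buf = xor_passes(raw)
    magic, total, plain_len, direction = HEADER.unpack_from(buf)
    if magic != MAGIC:
        raise ValueError('bad magic: ' + magic.hex())
    if total != len(buf):
        raise ValueError('total size %d != frame length %d' % (total, len(buf)))
    body = buf[HEADER.size:]
    if direction == DIR_OUTGOING:
        body = zlib.decompress(body)
    elif direction != DIR_INCOMING:
        raise ValueError('unknown direction %d' % direction)
    if len(body) != plain_len:
        raise ValueError('size field %d != payload %d' % (plain_len, len(body)))
    return {'direction': direction, 'payload': body}

def effective_xor_key(raw_frame: bytes) -> int:
    # Three constant XOR passes collapse to one constant byte, so known
    # plaintext (the fixed magic) recovers it from a captured frame.
    key = raw_frame[0] ^ MAGIC[0]
    if any(raw_frame[i] ^ MAGIC[i] != key for i in range(len(MAGIC))):
        raise ValueError('not a constant single-byte XOR')
    return key

# --- Constructed sample data (not captured from a real infection) ------------
# Config fields mirror the analyzed sample's curl.exe command line; forward
# slashes are used here only to keep the sample free of escape sequences.
CONFIG = NUL.join([b'203.0.113.10', b'8080', b'C:/Windows/System32/curl.exe'])
SAMPLE_SHELLCODE = xor_repeating_key(
    bytes.fromhex('9090') + CONFIG_MARKER
    + bytes(b ^ CONFIG_XOR for b in CONFIG.ljust(CONFIG_LEN, NUL)),
    LOADER_KEY)
SAMPLE_VICTIM_INFO = b'Windows 10 Pro|WS-TRADE01|curl.exe|4120|trader|Defender|capture:0'

if __name__ == '__main__':
    stage1 = xor_repeating_key(SAMPLE_SHELLCODE, LOADER_KEY)
    print('config fields:', decode_config(stage1))
    frame = build_outgoing(SAMPLE_VICTIM_INFO)
    print('effective XOR key: 0x%02x' % effective_xor_key(frame))
    print('round trip:', parse_frame(frame))
    print('command frame:', parse_frame(build_incoming(b'close')))
```

Because each pass XORs a constant byte, the three passes collapse to a single key byte, and effective_xor_key recovers it from a captured frame by known plaintext against the fixed magic. That holds only under the constant-key assumption, so it doubles as the check to run before trusting any pass values against real traffic: if the three magic positions do not yield the same byte, the real scheme is something other than constant per-byte XOR and the pass values need to be taken from the sample.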
The RAT can perform the following operations based on the received command data:\r\nInject a received plugin DLL into memory and call its exported method “PluginMe”, passing the C2 hostname and\r\nport as arguments. It supports different plugins, but we only saw deployment of the FileManager plugin\r\nClose the socket and terminate the RAT process\r\nDownload a file from a provided URL and launch it using the CreateProcessA API, using the default desktop\r\n(WinSta0\\Default)\r\nOpen a given URL using the shell command for opening Internet Explorer (e.g. “C:\\Program Files\\Internet\r\nExplorer\\iexplore.exe” %1)\r\nSame as above but specify the default desktop (WinSta0\\Default)\r\nCreate the file “%AppData%\\config.ini”, create a section named “config” inside this file, and create in that section a\r\nkey called “NoteName” with the string provided from the C2 as its value\r\nGodRAT FileManager plugin\r\nThe FileManager plugin DLL has the internal name FILE.dll and exports a single method called PluginMe. This plugin\r\ngathers the following victim information: details about logical drives (including drive letter, drive type, total bytes, available\r\nfree bytes, file system name, and volume name), the desktop path of the currently logged-on user, and whether the user is\r\noperating under the SYSTEM account. The plugin can perform the following operations based on the commands it receives:\r\nList files and folders at a specified location, collecting details like type (file or folder), name, size, and last write time\r\nWrite data to an existing file at a specified offset\r\nRead data from a file at a specified offset\r\nDelete a file at a specified path\r\nRecursively delete files at a specified path\r\nCheck for the existence of a specified file. 
If the file exists, send its size; otherwise, create a file for writing.\r\nCreate a directory at a specified path\r\nMove an existing file or directory, including its children\r\nOpen a specified application with its window visible using the ShellExecuteA API\r\nOpen a specified application with its window hidden using the ShellExecuteA API\r\nExecute a specified command line with a hidden window using cmd.exe\r\nSearch for files at a specified location, collecting absolute file paths, sizes, and last write times\r\nStop a file search operation\r\nExecute 7zip by writing hard-coded 7zip executable bytes to “%AppData%\\7z.exe” (MD5\r\neb8d53f9276d67afafb393a5b16e7c61) and “%AppData%\\7z.dll” (MD5 e055aa2b77890647bdf5878b534fba2c), and\r\nthen running “%AppData%\\7z.exe” with parameters provided by the C2. The utility is used to unzip dropped files.\r\nSecond-stage payload\r\nThe attackers deployed the following second-stage implants using GodRAT’s FileManager plugin:\r\nChrome password stealer\r\nThe stealer is placed at “%ALLUSERSPROFILE%\\google\\chrome.exe” (MD5 31385291c01bb25d635d098f91708905). It\r\nlooks for Chrome database files with login data for accessed websites, including URLs and usernames used for\r\nauthentication, as well as user passwords. The collected data is saved in the file “google.txt” within the module’s directory.\r\nThe stealer searches for the following files:\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data – an SQLite database with login and stats\r\ntables. This can be used to extract URLs and usernames used for authentication. Passwords are stored encrypted and are not\r\nreadable without the key.\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Local State – a file that contains the encryption key needed to\r\ndecrypt stored passwords.\r\nMS Edge password stealer\r\nThe stealer is placed at “%ALLUSERSPROFILE%\\google\\msedge.exe” (MD5 cdd5c08b43238c47087a5d914d61c943).\r\nThe collected data is stored in the file “edge.txt” in the module’s directory. 
The module attempts to extract passwords using\r\nthe following database and file:\r\n%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Login Data – the “Login Data” SQLite database stores\r\nEdge logins in the “logins” table.\r\n%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Local State – this file contains the encryption key used to decrypt\r\nsaved passwords.\r\nAsyncRAT\r\nThe DLL file (MD5 605f25606bb925d61ccc47f0150db674) is an injector and is placed at\r\n“%LOCALAPPDATA%\\bugreport\\LoggerCollector.dll” or “%ALLUSERSPROFILE%\\bugreport\\LoggerCollector.dll”. It\r\nverifies that the host module name matches “bugreport_.exe”. The loader then XOR-decodes embedded shellcode using the key\r\n“EG9RUOFIBVODSLFJBXLSVWKJENQWBIVUKDSZADVXBWEADSXZCXBVADZXVZXZXCBWES”. After\r\nXOR decoding, it subtracts the second key\r\n“IUDSY86BVUIQNOEWSUFHGV87QCI3WEVBRSFUKIHVJQW7E8RBUYCBQO3WEIQWEXCSSA”, byte by byte, from the\r\nshellcode.\r\nA new memory section is created, the decoded shellcode is copied into it, and then the section is mapped into the\r\ncurrent process memory. A thread is started to execute the code in this section. The shellcode is used to reflectively inject the\r\nC# AsyncRAT binary. Before injection, it patches the AMSI scanning functions (AmsiScanBuffer, AmsiScanString) and the\r\nEtwEventWrite function to bypass security checks.\r\nAsyncRAT includes an embedded certificate with the following properties:\r\nSerial Number: df:2d:51:bf:e8:ec:0c:dc:d9:9a:3e:e8:57:1b:d9\r\nIssuer: CN = marke\r\nValidity: Not Before: Sep 4 18:59:09 2024 GMT; Not After: Dec 31 23:59:59 9999 GMT\r\nSubject: CN = marke\r\nGodRAT client source and builder\r\nWe discovered the source code for the GodRAT client on a popular online malware scanner. It had been uploaded in July\r\n2024. The file is named “GodRAT V3.5_______dll.rar” (MD5 04bf56c6491c5a455efea7dbf94145f1). 
This archive also\r\nincludes the GodRAT builder (MD5 5f7087039cb42090003cc9dbb493215e), which allows users to generate either an\r\nexecutable file or a DLL. If an executable is chosen, users can pick a legitimate executable name from a list (svchost.exe,\r\ncmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe and QQScLauncher.exe) to inject the code into. When saving the\r\nfinal payload, the user can choose the file type (.exe, .com, .bat, .scr and .pif). The source code is based on Gh0st RAT, as\r\nindicated by the fact that the auto-generated UID in the “GodRAT.h” file matches that in “gh0st.h”, which suggests that\r\nGodRAT was originally just a renamed version of Gh0st RAT.\r\nGodRAT.h\r\ngh0st.h\r\nConclusions\r\nThe rare command line parameter “puppet,” along with code similarities to Gh0st RAT and shared artifacts such as the\r\nfingerprint header, indicate that GodRAT shares a common origin with AwesomePuppet RAT, which we described in a\r\nprivate report in 2023. AwesomePuppet is also based on the Gh0st RAT source code and is likely connected with Winnti APT\r\nactivities. Based on these findings, we are highly confident that GodRAT is an evolution of AwesomePuppet. There are some\r\ndifferences, however. For example, the C2 packet of GodRAT uses the “direction” field, which was not utilized in\r\nAwesomePuppet.\r\nOld implant codebases, such as Gh0st RAT, which is nearly two decades old, continue to be used today. These are often\r\ncustomized and rebuilt to target a wide range of victims. 
These old implants are known to have been used by various threat\r\nactors for a long time, and the GodRAT discovery demonstrates that legacy codebases like Gh0st RAT can still maintain a\r\nlong lifespan in the cybersecurity landscape.\r\nIndicators of Compromise\r\nFile hashes\r\ncf7100bbb5ceb587f04a1f42939e24ab GodRAT Shellcode Injector\r\nd09fd377d8566b9d7a5880649a0192b4 GodRAT Shellcode Injector\r\ne723258b75fee6fbd8095f0a2ae7e53c GodRAT Self Extracting Executable\r\na6352b2c4a3e00de9e84295c8d505dad GodRAT Shellcode Injector\r\n6c12ec3795b082ec8d5e294e6a5d6d01 GodRAT Shellcode Injector\r\nbb23d0e061a8535f4cb8c6d724839883 GodRAT Shellcode Injector\r\n160a80a754fd14679e5a7b5fc4aed672 GodRAT Shellcode Injector\r\n2750d4d40902d123a80d24f0d0acc454 GodRAT Shellcode Injector\r\n441b35ee7c366d4644dca741f51eb729 GodRAT Shellcode Injector\r\n318f5bf9894ac424fd4faf4ba857155e GodRAT Shellcode Injector\r\n512778f0de31fcce281d87f00affa4a8 GodRAT Shellcode Injector\r\n6cad01ca86e8cd5339ff1e8fff4c8558 GodRAT Shellcode Injector\r\n58f54b88f2009864db7e7a5d1610d27d GodRAT Shellcode Injector\r\n64dfcdd8f511f4c71d19f5a58139f2c0 GodRAT FileManager Plugin(n)\r\n8008375eec7550d6d8e0eaf24389cf81 GodRAT\r\n04bf56c6491c5a455efea7dbf94145f1 GodRAT source code\r\n5f7087039cb42090003cc9dbb493215e GodRAT Builder\r\n31385291c01bb25d635d098f91708905 Chrome Password Stealer\r\ncdd5c08b43238c47087a5d914d61c943 MSEdge Password Stealer\r\n605f25606bb925d61ccc47f0150db674 AsyncRAT Injector (n)\r\n961188d6903866496c954f03ecff2a72 AsyncRAT Injector\r\n4ecd2cf02bdf19cdbc5507e85a32c657 AsyncRAT\r\n17e71cd415272a6469386f95366d3b64 AsyncRAT\r\nFile paths\r\nC:\\users\\[username]\\downloads\\2023-2024clientlist＆.scr\r\nC:\\users\\[username]\\downloads\\2024-11-15_23.45.45 .scr\r\nC:\\Users\\[username]\\Downloads\\2024-08-01_2024-12-31Data.scr\r\nC:\\Users\\[username]\\Downloads\\2025TopDataTransaction\u0026.scr\r\nC:\\Users\\[username]\\Downloads\\2024-2025Top\u0026Data.scr\r\nC:\\Users\\[username]\\Downloads\\2025TopClineData\u00261.scr\r\nC:\\Users\\[username]\\Downloads\\Corporate customer transaction \u0026volume.pif\r\nC:\\telegram desktop\\Company self-media account application qualifications\u0026.zip\r\nC:\\Users\\[username]\\Downloads\\个人信息资料\u0026.pdf.pif\r\n%ALLUSERSPROFILE%\\bugreport\\360Safe2.exe\r\n%ALLUSERSPROFILE%\\google\\chrome.exe\r\n%ALLUSERSPROFILE%\\google\\msedge.exe\r\n%LOCALAPPDATA%\\valve\\valve\\SDL2.dll\r\n%LOCALAPPDATA%\\bugreport\\LoggerCollector.dll\r\n%ALLUSERSPROFILE%\\bugreport\\LoggerCollector.dll\r\n%LOCALAPPDATA%\\bugreport\\bugreport_.exe\r\nDomains and IPs\r\n103[.]237[.]92[.]191 GodRAT C2\r\n118[.]99[.]3[.]33 GodRAT C2\r\n118[.]107[.]46[.]174 GodRAT C2\r\n154[.]91[.]183[.]174 GodRAT C2\r\nwuwu6[.]cfd AsyncRAT C2\r\n156[.]241[.]134[.]49 AsyncRAT C2\r\nhttps://holoohg.oss-cn-hongkong.aliyuncs[.]com/HG.txt URL containing AsyncRAT C2 address bytes\r\n47[.]238[.]124[.]68 AsyncRAT C2\r\nSource: https://securelist.com/godrat/117119/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/godrat/117119/"
	],
	"report_names": [
		"117119"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11b5ce5fe0a792d76314d27964a1aa468bed70d9.pdf",
		"text": "https://archive.orkl.eu/11b5ce5fe0a792d76314d27964a1aa468bed70d9.txt",
		"img": "https://archive.orkl.eu/11b5ce5fe0a792d76314d27964a1aa468bed70d9.jpg"
	}
}