{
	"id": "bcb6e7b6-a306-48bb-a650-2798c2a4f0f7",
	"created_at": "2026-04-06T00:18:29.567415Z",
	"updated_at": "2026-04-10T03:36:13.956734Z",
	"deleted_at": null,
	"sha1_hash": "f9f5e2027db68a808321bbe20d79b2ec4c7cb6c7",
	"title": "Godzilla Loader and the Long Tail of Malware - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70138,
	"plain_text": "Godzilla Loader and the Long Tail of Malware - Check Point Research\nBy deugenio\nPublished: 2018-10-15 · Archived: 2026-04-05 20:11:43 UTC\nResearch by: Ben Herzog\n\nTo most victims, malware is a force of nature. Zeus, Wannacry, Conficker are all vengeful gods, out to punish the common man for clicking the wrong link. Even for a security analyst, it’s easy to fall into the kind of thinking where malicious tools and campaigns emerge out of the ether, forged by an invisible hand. But of course, that’s not true; the world of cybercrime is a fully-formed market, with its own advertisements, discounts, brands, information asymmetries, established vendors and disruptive neophytes. In this day and age, you can assemble a malicious campaign via a shopping list with a fraction of the technical knowledge that was once required.\n\nEnter Godzilla Loader, a malware being advertised on Dark Web forums, and being actively developed right now. Godzilla fills the “downloader” or “dropper” niche, offering a level of indirection such that the binary that first runs on the victim machine does not contain any of the actual payload, and instead downloads the payload from a remote server. Godzilla is actively maintained, with new features being added periodically, and retails for $500, around a quarter of the asking price of its better-established competitor, Emotet.\n\nFigure 1: Web panel of Godzilla Loader\n\nhttps://research.checkpoint.com/2018/godzilla-loader-and-the-long-tail-of-malware/\nPage 1 of 6\n\nGodzilla Features and What They Are For\n\nTo get you in the right mindset for considering Godzilla vs. Emotet, here’s our own downloader, written in Python:\n\nWe graciously charge $0 for this piece of code, which is really more like a haiku. 
It should now be clear why downloaders such as Godzilla justify their price tag not by their core functionality (of downloading and execution), but by their shiny list of impressive-sounding features. Godzilla’s full advertisement opens as follows:\n\nThe opening of the Godzilla Loader ad. This is followed by the list of features and version history.\n\nAccording to our investigation, this marketing effort is running into difficulties. We’ve tried various methods of measuring the number of victims that get hit by Godzilla Loader each day, and all those methods agree that the answer is “not that many”. Even accounting for possible blind spots, the infection rate is almost certainly a tiny fraction compared to the numbers for Emotet.\n\nEmotet’s top three features are its lateral movement, its abuse of third-party libraries and its wonky control flow. To better understand how Godzilla Loader’s top features fare in comparison, we’ll look at some of the highlights from the brochure.\n\nBypassing the UAC not-a-security-boundary\n\nEarly MS-Windows had little in the way of access control, and UAC was introduced in Windows Vista as a stop-gap measure to remedy this. You are probably familiar with the dialogue box prompt that informs you that this-or-another process “wants to make changes to your computer”, which is a layman’s translation for “wants to have administrator privileges”. UAC originally achieved infamy for driving early Vista adopters out of their minds with constant prompts that froze the entire rest of the screen and stole focus from all other applications.\n\nSince UAC’s debut, its user interface has seen major improvement, but the same cannot be said for its ability to get in the way of malicious actors. 
While UAC did present a certain barrier to entry for malware (for example, turning off your AV product), that barrier turned out to be surmountable, with some effort. If you want an idea of what we mean by that, consider the UACME github repository, maintained by infosec personality @hFireF0X; the repository is an educational exhibit which currently lists over 50(!) different attack vectors for bypassing UAC and their corresponding implementations. The battle for UAC as a fully robust security feature has long since been lost. It was nearly a decade ago that Microsoft sighed and declared that UAC is not a Security Boundary.\n\nAs alluded to in the ad, Godzilla Loader comes with a built-in UAC bypass — to be specific, the one described here. This UAC bypass relies on a behavioral quirk in the privileged process eventvwr.exe; when consulting the registry for the location of the Microsoft Management Console, it consults a key which can be modified with no privilege requirements. An attacker can therefore specify whichever executable they please, and this executable will run with administrator privileges. (Let’s not get into the icky discussion of whether this can be classified as a “bug” or a “feature” or a “vulnerability” or what, and agree that this is a Bad Thing).\n\nManifest of eventvwr.exe, including auto-elevate request.\n\nWhen all you have is an IUNKNOWN interface, everything looks like a COM Object\n\nIf you come away from this piece remembering only one thing about Godzilla Loader, remember that it has a borderline-obsession with COM objects.\n\nConsider the problem of network communication with the C&C server. Garden-variety malware will use the WinInet API (e.g. HTTPSendRequest, InternetCrackURL…) to perform this communication, or maybe it would go the socket programming route and directly invoke ws2_32 for stealth or for implementing a homebrew protocol on top of TCP. Instead, Godzilla Loader:\n1. 
Calls CreateWindowEx to create a 0x0 pixel window belonging to the AtlaxWin class\n2. Uses the window’s built-in IUnknown COM interface to invoke the QueryInterface method, which is used to request an IWebBrowser2 COM interface to the window\n3. Invokes the IWebBrowser2 COM interface’s Navigate method on the C&C URL\n4. Polls the window using the IWebBrowser2 COM interface’s get_ReadyState method until the window reports a ‘ready’ state\n5. Retrieves the downloaded document using the IWebBrowser2 COM interface’s get_Document method\n6. Requests an IHTMLDocument3 COM interface to the document by using the IUnknown COM interface to invoke QueryInterface\n7. Calls the IHTMLDocument3 COM interface’s getElementsByName method in order to collect the payloads in the server response, which are enclosed by element tags; this returns a collection of elements which is accessible by the COM interface IHTMLElementCollection\n8. Drains the IHTMLElementCollection COM interface’s underlying iterator by repeated calls to its built-in item method\n9. Requests an IHTMLElement COM interface to each HTML element by using the IUnknown COM interface to invoke QueryInterface\n10. Invokes the IHTMLElement COM interface’s get_innerText method in order to collect the data enclosed by the tag\n\nThis functionality was already present in earlier versions of Godzilla. In later versions, the author boasts that they have converted even more of the control flow to rely entirely on COM interfaces; persistence is achieved via the IPersistFile interface and shell executions of programs on the local disk are triggered via the IShellDispatch interface.\n\nGodzilla’s first request for a COM interface, among very many.\n\nThis is a highly unusual stylistic choice, and all the more notable for the consistency across the malware’s core features. 
By taking this route, the author of Godzilla Loader diminishes the chances of the downloader being caught by behavioral sandbox analysis, and gives his creation some flair that might help it stand out from the competition.\n\nRansomware Housekeeping as a Service\n\nOne other feature that caught our eye in particular is the automatic deletion of file backup shadow copies on the victim system. For most types of malicious campaigns, this feature won’t make a difference one way or the other; the only possible reason for it being there is to foil a very specific anti-Ransomware measure which operates by recovering the original files from the shadow file backups.\n\nTo begin with, “recover the shadow files” sits relatively low on the totem pole of anti-Ransomware attacks. On top of that, the vast majority of ransomware will come with this feature built-in; while ransomware authors typically aren’t brilliant cryptographic minds, they have picked up the basics, and the basics have come to include “make sure to delete the shadow files”. Only the lowliest tier of low-tier ransomware efforts fail to check this tick-box. Who’s the target audience for this feature? That’s a very good question.\n\nMore Feature Highlights\n\nGodzilla Loader employs RSA-2048 to verify the identity of the C&C server — that is, the server response is signed, and the client verifies the signature before acting on the server’s orders. In the event of a DNS-level takeover of the C&C domain, the malicious operation will be down but the domain’s new owner will not be able to issue new commands. 
It’s a neat little feature, but just a teaser for the full hypothetical power of asymmetric crypto in this context; mostly it makes us think, “God help us all if the ingenuity that produced TOR ever goes into the malware business”.\n\nIn the feature list, the author boasts of a double-layered fail-safe for C&C communication. First, if communication with the server is not successful, the malware defaults to its DGA implementation; then, if that’s not successful either, it checks Twitter for a specific hashtag (which is pseudo-randomly generated depending on the day, similarly to the DGA). The campaign controller can announce new C&C sites by generating the hashtag themselves and tweeting the new C&C domain with this hashtag.\n\nThe latest major version of Godzilla, which has been in development since as early as December of last year, is set to include a full plugin ecosystem — including a propagation module, keylogger module and password stealing module.\n\nConclusion\n\nAt first glance, the existence and adoption rate of Godzilla both seem to be a simple example of the principle of the Long Tail. Like mobile phone models and programming languages, we expect the popularity of malicious downloaders to follow a Pareto distribution where a few actors dominate most of the market, and the rest is occupied by an ocean of small niche actors. That’s definitely a part of the story, but not all of it. It beggars belief that a sane, transparent market built of fully rational actors would give birth to these two wildly divergent, arbitrarily-priced grab-bags of partially-superfluous features, both aimed at exactly the same target audience with exactly the same needs, with the apparently arbitrary asking price ratio of 1:4 between them.\n\nThis state of affairs becomes much more understandable once we assume that many campaign managers don’t operate based on an explicit model of malware vs. 
security at all, but rather on the general knowledge that more obfuscation and better features will shield them from security vendors’ scrutiny. “Without a threat model, there is no security, only paranoia” — this is equally applicable from the attackers’ point of view, and in a market of paranoia, brand recognition holds great sway. Emotet’s feature set isn’t literally worth four times as much as Godzilla’s; it’s worth either much more or much less than that, depending on who you are and what your needs are, as a dastardly cybercriminal. But Emotet’s brand is worth about four times as much as Godzilla’s, or at least that’s the case according to their respective authors’ estimates.\n\nEvery now and then, an incident response team will quizzically stare at a sandbox report, furrow their brow and say, “What is that”. When they furrow their brow, that’s when you know you got hit with a contender from the Long Tail of Malware. Your sysadmin may be horrified, but somewhere out there, some dark-web dweller is thrilled to finally have a customer.\n\nSignature and Prevention\n\nThe following Check Point Products detect the Godzilla Downloader:\nAnti-Bot:Win32.Godzilla.A\n\nSource: https://research.checkpoint.com/2018/godzilla-loader-and-the-long-tail-of-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2018/godzilla-loader-and-the-long-tail-of-malware/"
	],
	"report_names": [
		"godzilla-loader-and-the-long-tail-of-malware"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9f5e2027db68a808321bbe20d79b2ec4c7cb6c7.pdf",
		"text": "https://archive.orkl.eu/f9f5e2027db68a808321bbe20d79b2ec4c7cb6c7.txt",
		"img": "https://archive.orkl.eu/f9f5e2027db68a808321bbe20d79b2ec4c7cb6c7.jpg"
	}
}