Hackers used a vulnerability in the popular Godot game engine to spread malware. How the exploit works

Hackers have created a new malware, GodLoader, that takes advantage of the widely distributed Godot game engine. They found a way to hide the malicious software from antivirus detection and infect more than 17,000 systems in 3 months. The Godot developers say that this exploit works not only on their engine.

According to Bleeping Computer citing Check Point Research, attackers can use GodLoader to attack gamers on all major platforms, including Windows, macOS, Linux, Android, and iOS.

It also exploits the flexibility of the Godot engine and the capabilities of the GDScript scripting language to execute arbitrary code and bypass detection systems, using game engine .pck files that package game assets to embed malicious scripts.

Once downloaded, attackers run malicious code on affected devices, allowing hackers to steal credentials or download additional payloads, including the XMRig miner. The configuration of this malicious software for mining was placed in a private Pastebin file uploaded in May, which was visited 206,913 times during the campaign.

«Since at least June 29, 2024, cybercriminals have been using the Godot Engine to execute fake GDScript code that runs malicious commands and delivers malware. This technology remains undetected by most antivirus tools on VirusTotal, possibly infecting more than 17,000 machines in just a few months,» Check Point reported.

According to the researchers, Godot has an active and growing community of developers who appreciate its open source code and powerful features. More than 2,700 developers have contributed to the Godot game engine, and «on platforms such as Discord, YouTube and other social networks, the Godot engine has about 80,000 followers who follow the latest news.»

The attackers distributed the GodLoader malware through the Stargazers Ghost Network, a malware-as-a-service (DaaS) delivery network that disguises its activities by using what appear to be legitimate GitHub repositories.

Between September and October 2024, they used more than 200 repositories controlled by more than 225 Stargazer Ghost accounts to deploy malware on victim systems, exploiting potential victims' trust in open source platforms and seemingly legitimate software repositories.

During the campaign, Check Point recorded four separate waves of attacks targeting developers and gamers between September 12 and October 3, tempting them to download infected tools and games.

While security researchers only discovered GodLoader samples targeting Windows systems, they also developed GDScript exploit code that demonstrates how easily the malware can be adapted to attack Linux and macOS systems.

Godot commented on Check Point’s research and stated that the vulnerability found is not specific to their engine. According to Godot developer and security team member Rémi Verschelde, Godot Engine is a programming system with a scripting language. It is similar, for example, to the Python and Ruby runtimes.

«Any programming language can be used to write malicious programs. We don’t think Godot is any more or less suitable for this than other similar programs. Users who have simply installed the Godot game or editor on their system are not particularly at risk. We encourage people to run software only from verified sources,» he stated.

Godot explained that the engine does not register a file handler for «.pck» files. This means that an attacker must always supply the Godot runtime along with the .pck file. The user will always have to extract the runtime along with the .pck file to the same location and then run the runtime.

A hacker cannot create a «one-click exploit» without relying on other vulnerabilities at the operating system level. Even if such an OS-level vulnerability were exploited, Godot would not be a particularly attractive option because of the size of the runtime that has to be shipped with the .pck file.

«This is similar to writing malware in Python or Ruby: an attacker would have to supply python.exe or ruby.exe along with their malware,» explained Godot.
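The two technical points above, that a .pck is just a container of game assets which may include GDScript files, and that it does nothing on its own without a Godot runtime next to it, make the pack index the natural thing for a defender to inspect before running anything. The following is an added example, not code from Check Point or the Godot project: a small Python triage helper that reads the index of a .pck file, lists the embedded script files, and checks each entry's stored MD5 against its bytes. It assumes the publicly documented Godot pack layout for format versions 1 (Godot 3.x) and 2 (Godot 4.x); the flag-bit meaning and the sample archive built by `build_sample_pck` are constructed for the example.

```python
"""Triage helper for Godot .pck archives (added example; not Check Point's or Godot's code).

Layout assumed here, from Godot's pack format versions 1 (3.x) and 2 (4.x):
  u32 magic "GDPC", u32 pack version, u32 major, u32 minor, u32 patch,
  [v2 only: u32 pack flags, u64 file_base], 16 x u32 reserved, u32 file count,
  then per file: u32 padded path length, path bytes (NUL padded to 4),
  u64 offset, u64 size, 16-byte MD5, [v2 only: u32 entry flags].
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

PCK_MAGIC = 0x43504447                      # little-endian "GDPC"
PACK_DIR_ENCRYPTED = 1                      # assumption: bit 0 of the v2 pack flags
SCRIPT_SUFFIXES = (".gd", ".gdc", ".gde")   # GDScript source, compiled, encrypted


@dataclass
class PckEntry:
    path: str
    offset: int    # absolute offset into the archive
    size: int
    md5: bytes
    flags: int


def _pad4(n: int) -> int:
    return (4 - n % 4) % 4


def parse_pck(data: bytes) -> dict:
    """Return pack version, engine version and the file index of a .pck blob."""
    if len(data) < 88 or struct.unpack_from("<I", data, 0)[0] != PCK_MAGIC:
        raise ValueError("not a Godot PCK: missing GDPC magic")
    version, major, minor, patch = struct.unpack_from("<4I", data, 4)
    pos, file_base = 20, 0
    if version == 2:
        pack_flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
        if pack_flags & PACK_DIR_ENCRYPTED:
            raise ValueError("encrypted directory: index cannot be listed without the key")
    elif version != 1:
        raise ValueError(f"unsupported pack format version {version}")
    pos += 16 * 4                                    # reserved words
    (count,) = struct.unpack_from("<I", data, pos)
    pos += 4
    entries: List[PckEntry] = []
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", data, pos)
        pos += 4
        path = data[pos:pos + plen].rstrip(b"\0").decode("utf-8")
        pos += plen
        offset, size = struct.unpack_from("<QQ", data, pos)
        pos += 16
        md5 = bytes(data[pos:pos + 16])
        pos += 16
        flags = 0
        if version == 2:                             # v2 entries carry per-file flags
            (flags,) = struct.unpack_from("<I", data, pos)
            pos += 4
        entries.append(PckEntry(path, file_base + offset, size, md5, flags))
    return {"version": version, "engine": (major, minor, patch), "entries": entries}


def read_entry(data: bytes, e: PckEntry) -> bytes:
    return data[e.offset:e.offset + e.size]


def script_paths(data: bytes) -> List[str]:
    """Paths of embedded GDScript files: the part of a pack worth reading before running it."""
    return [e.path for e in parse_pck(data)["entries"]
            if e.path.lower().endswith(SCRIPT_SUFFIXES)]


def md5_mismatches(data: bytes) -> List[str]:
    """Entries whose stored MD5 does not match their bytes (tampering or a truncated file)."""
    return [e.path for e in parse_pck(data)["entries"]
            if hashlib.md5(read_entry(data, e)).digest() != e.md5]


def build_sample_pck(files: Dict[str, bytes], version: int = 2) -> bytes:
    """Constructed test input: pack in-memory files in the layout above (not a real game)."""
    header_len = 20 + (12 if version == 2 else 0) + 64 + 4
    paths = list(files)
    plens = {p: len(p.encode()) + _pad4(len(p.encode())) for p in paths}
    index_len = sum(4 + plens[p] + 32 + (4 if version == 2 else 0) for p in paths)
    data_start = header_len + index_len
    file_base = data_start if version == 2 else 0    # v1 offsets are absolute
    index, body, ofs = b"", b"", data_start - file_base
    for p in paths:
        content = files[p]
        index += struct.pack("<I", plens[p]) + p.encode().ljust(plens[p], b"\0")
        index += struct.pack("<QQ", ofs, len(content)) + hashlib.md5(content).digest()
        if version == 2:
            index += struct.pack("<I", 0)
        body += content
        ofs += len(content)
    header = struct.pack("<5I", PCK_MAGIC, version, 4, 3, 0)
    if version == 2:
        header += struct.pack("<IQ", 0, file_base)   # pack flags = 0, then file_base
    header += b"\0" * 64 + struct.pack("<I", len(paths))
    return header + index + body


if __name__ == "__main__":
    sample = build_sample_pck({"res://main.tscn": b"[gd_scene]\n", "res://loader.gd": b"extends Node\n"})
    print(parse_pck(sample)["engine"], script_paths(sample), md5_mismatches(sample))
```

Running the helper over a downloaded pack (`parse_pck(open(path, "rb").read())`) shows which script files the archive would hand to the engine; an unexpected `.gd` or `.gdc` next to a bundled Godot runtime, as in the campaign described above, is the thing to look at, and a non-empty `md5_mismatches` result means the archive was altered after it was built. The index of an encrypted pack cannot be listed this way, so the helper refuses it rather than guessing.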
