Kaspersky Labs has identified a sophisticated cyber-espionage campaign targeting financial institutions, particularly trading and brokerage firms, through the deployment of a new remote access trojan dubbed GodRAT. This malware, which appears to be an evolution of the infamous Gh0st RAT family, was observed spreading through malicious files disguised as financial documents shared via Skype messenger.
According to Kaspersky, “in September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase.”
GodRAT stands out for its use of steganography—embedding shellcode inside image files to evade detection. The report explains: “the loader ‘SDL2.dll’ extracts shellcode bytes hidden within an image file representing financial details. The loader allocates memory, copies the extracted shellcode bytes, and spawns a thread to execute it.”
Once activated, the shellcode communicates with a Command-and-Control (C2) server, downloads the GodRAT payload, and executes it in memory to avoid leaving detectable traces on disk.
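As an added defender-side illustration (this is not code from Kaspersky's report), the Python script below triages the two lure artifacts the delivery chain above relies on: a `.scr` file that is really a Windows PE executable but carries a document-style name, and a PNG or JPEG that has bytes appended after the image's real end marker. The report does not say how the loader embeds its shellcode, so the trailing-data check is a generic heuristic and an assumption, not the actual extraction logic; all sample files are constructed inline.

```python
"""Added defender-side triage for the lure pattern described above (not Kaspersky's code).

Checks: (1) a .scr that is a Windows PE and hides behind a document extension,
(2) a PNG/JPEG with bytes appended after the image's real end marker.
The trailing-data check is a generic heuristic (an assumption), since the report
does not describe how GodRAT's loader embeds the shellcode.
"""
import struct
import zlib

DOCUMENT_EXTS = (".pdf", ".xls", ".xlsx", ".doc", ".docx")

def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def png_trailing_bytes(data: bytes) -> int:
    """Walk PNG chunks; return byte count after the IEND chunk's CRC, or -1 if malformed."""
    pos = 8  # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos if pos <= len(data) else -1
    return -1

def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk JPEG segments to the first scan; return byte count after EOI (FF D9), or -1.

    Inside entropy-coded data every 0xFF is stuffed (FF 00) or a restart marker,
    so FF D9 cannot occur there. EXIF thumbnails are skipped as a whole because
    they sit inside a length-prefixed APP1 segment.
    """
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return len(data) - (pos + 2)
        if pos + 4 > len(data):
            return -1
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows
            eoi = data.find(b"\xff\xd9", pos)
            return -1 if eoi == -1 else len(data) - (eoi + 2)
    return -1

def image_trailing_bytes(data: bytes) -> int:
    """Dispatch on magic bytes; -1 means not a PNG/JPEG or malformed."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return png_trailing_bytes(data)
    if data.startswith(b"\xff\xd8"):
        return jpeg_trailing_bytes(data)
    return -1

def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings for one file; an empty list means nothing flagged."""
    findings = []
    name = filename.lower()
    if name.endswith(".scr") and is_pe(data):
        findings.append("executable .scr")
        if name[:-4].endswith(DOCUMENT_EXTS):
            findings.append("document extension masquerade")
    trailing = image_trailing_bytes(data)
    if trailing > 0:
        findings.append(f"image with {trailing} trailing bytes")
    return findings

# --- constructed samples (not real campaign artifacts) ---

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png() -> bytes:
    """A valid 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))

def make_pe_stub() -> bytes:
    """Just enough header bytes to satisfy is_pe(); not a runnable program."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)
```

Calling `triage("Q3_statement.pdf.scr", make_pe_stub())` flags both the executable screen saver and the document-extension masquerade, while `triage("balance.png", make_png() + b"\x90" * 64)` flags 64 trailing bytes and the clean PNG produces no finding. Parsing the container structure rather than searching for the end marker matters: a naive `find(b"IEND")` can match inside compressed pixel data, and a naive `rfind` of `FF D9` would be fooled by a payload that itself contains those bytes.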
GodRAT is not just a simple RAT—it comes with modular plugin support. Kaspersky observed that “attackers utilized the FileManager plugin to explore the victim’s systems and deployed browser password stealers to extract credentials.”
The malware can:
- Inject plugin DLLs directly into memory.
- Manipulate and exfiltrate files.
- Download and execute payloads.
- Launch hidden processes.
- Collect system, user, and antivirus information.
Among the second-stage payloads, investigators discovered password stealers targeting both Chrome and Microsoft Edge, designed to harvest stored credentials and encryption keys.
In addition, attackers deployed AsyncRAT as a secondary implant, providing redundancy and extended persistence.
Kaspersky researchers link GodRAT to prior espionage operations. “GodRAT is very similar to the AwesomePuppet, another Gh0st RAT-based backdoor, which we reported in 2023, both in its code and distribution method. This suggests that it is probably an evolution of AwesomePuppet, which is in turn likely connected to the Winnti APT.”
The malware even reuses the unusual “-Puppet” command-line argument, previously seen in AwesomePuppet, reinforcing its lineage.
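The reused "-Puppet" argument is a concrete, cheap detection hook. As an added example (illustrative code, not a Kaspersky rule), the Python below scans constructed Sysmon-style process-creation events and flags any process whose argument list contains that token. It matches on a whole argument rather than a substring so that a program path that merely contains "-Puppet" does not trigger it; the case-insensitive comparison and the simplified Windows tokenizer are assumptions of this example.

```python
"""Added detection example for the "-Puppet" command-line argument noted above.

Illustrative code, not a Kaspersky rule. It scans constructed Sysmon-style
process-creation events (JSON, one per line) and flags a process whose argument
list contains the whole token "-Puppet".
"""
import json
import re

# Whole-argument indicators, compared case-insensitively (an assumption: the
# page gives the argument as "-Puppet" but does not say whether case matters).
INDICATOR_ARGS = {"-puppet"}

# Simplified Windows command-line tokenizer: quoted runs stay together and the
# quotes are stripped; escaped quotes are not handled (assumption for this example).
_TOKEN = re.compile(r'"[^"]*"|\S+')

def split_cmdline(cmdline: str) -> list:
    """Split a command line into program path plus arguments."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]

def has_indicator_arg(cmdline: str) -> bool:
    """True if any argument after the program path equals an indicator token."""
    args = split_cmdline(cmdline)[1:]
    return any(a.lower() in INDICATOR_ARGS for a in args)

def scan_process_events(lines) -> list:
    """Return (ProcessId, Image, CommandLine) for each flagged event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        cmd = evt.get("CommandLine", "")
        if has_indicator_arg(cmd):
            hits.append((evt.get("ProcessId"), evt.get("Image"), cmd))
    return hits

# --- constructed sample events (not real telemetry) ---
_LURE = r"C:\Users\trader\AppData\Local\Temp\Statement_2024.scr"
_BENIGN = r"C:\Tools\Build-Puppet\run.exe"  # path contains "-Puppet" but is not the argument

SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 1, "ProcessId": 4312, "Image": _LURE,
     "CommandLine": f'"{_LURE}" -Puppet'},
    {"EventID": 1, "ProcessId": 1200, "Image": _BENIGN,
     "CommandLine": f'"{_BENIGN}" /quiet'},
    {"EventID": 1, "ProcessId": 5100, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]]

if __name__ == "__main__":
    for pid, image, cmd in scan_process_events(SAMPLE_LOG):
        print(f"ALERT pid={pid} image={image} cmdline={cmd}")
```

Run against `SAMPLE_LOG`, only the screen-saver process (PID 4312) is reported; the `Build-Puppet` path and the notepad launch are ignored. In a real deployment the same logic belongs in the SIEM's process-creation rule set, ideally paired with the parent-process and file-type context from the delivery chain described earlier in the article.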
The campaign is ongoing, with Kaspersky confirming that “as of this blog’s publication, the attack remains active, with the most recent detection observed on August 12, 2025.”
Kaspersky warns, “old implant codebases, such as Gh0st RAT, which are nearly two decades old, continue to be used today… the GodRAT discovery demonstrates that legacy codebases like Gh0st RAT can still maintain a long lifespan in the cybersecurity landscape.”