GodLoader malware infects over 17,000 devices through game development tools

Check Point Research has reported a new attack technique that abuses the Godot Engine to run malware which most antivirus products do not yet flag.

Check Point says that since late June 2024 attackers have been writing malicious code in GDScript (Godot’s Python-like scripting language) and distributing it through some 200 GitHub repositories and more than 220 Stargazers Ghost accounts, which hosted a loader named GodLoader.

In a statement, the Godot security team said, “Based on the report, affected users thought they were downloading and executing cracks for paid software, but instead executed the malware loader.”

Infostealers and cryptojackers

The Godot Engine, widely used for 2D and 3D games, is valued for its versatility and cross-platform support. It lets developers bundle assets and scripts into .pck pack files that the Godot runtime loads at start-up. The attackers abused this by embedding malicious GDScript in such files, so the script runs as soon as the runtime loads the pack.

GodLoader was distributed through the Stargazers Ghost Network, a network of GitHub accounts that delivers malware as a service. Between September and October 2024, 200 GitHub repositories were used to deliver infected files, targeting gamers, developers and general users.

The repositories mimicked legitimate software projects and used GitHub Actions to generate frequent updates, so they looked actively maintained and trustworthy.

Notably, the GodLoader payloads were hosted on Bitbucket.org and distributed across four attack waves.

Each wave involved malicious archives that were downloaded thousands of times. Early payloads dropped by GodLoader included RedLine Stealer and the XMRig cryptocurrency miner, and the threat actors kept changing their techniques to evade detection.

Godot’s security team said that the engine does not register a file handler for .pck files, so opening a .pck on its own does nothing. A malicious actor therefore always has to ship the Godot runtime (an .exe on Windows) together with the .pck file, and the victim has to run that executable.

In other words, there is no way to build a “one-click exploit” from a .pck file alone, barring a separate OS-level vulnerability.
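Because a Godot game is a runtime plus a pack (either a separate .pck beside the executable, or a pack appended to the executable itself), triage of a suspicious download comes down to finding the pack and reading what it bundles. The script below, an added example for this article and not Check Point's code or the Godot project's own tooling, locates the pack in either layout, walks the file table, pulls out the GDScript sources and flags the script APIs a loader would need. The header layout follows my reading of Godot's file_access_pack.cpp (format 1 for Godot 3.x, format 2 for Godot 4.x) and should be checked against the engine source for the version under analysis; the flag names, the list of suspicious calls and the sample pack are my own constructions.

```python
"""Triage a Godot .pck: locate the pack (bare or appended to a runtime
executable), list the bundled files, extract GDScript and flag loader APIs.

Added example for this article, not Check Point's code and not Godot's own
tooling. Layout follows my reading of Godot's file_access_pack.cpp (format 1 =
Godot 3.x, format 2 = Godot 4.x); verify against the engine source you target.
The sample pack at the bottom is constructed in memory so this runs offline.
"""
import hashlib
import struct

PCK_MAGIC = b"GDPC"
PACK_DIR_ENCRYPTED = 1 << 0   # format 2 pack flag: file table encrypted with the export key
PACK_REL_FILEBASE = 1 << 1    # format 2 pack flag (4.4+): file_base relative to pack start
PACK_FILE_ENCRYPTED = 1 << 0  # format 2 per-file flag
SCRIPT_SUFFIXES = (".gd", ".gdc", ".gde")  # source, compiled and encrypted GDScript
# Script-side APIs a dropper needs to fetch and run something: a review heuristic, not a signature.
SUSPICIOUS_CALLS = ("OS.execute", "OS.create_process", "OS.shell_open", "HTTPRequest", "HTTPClient")


def locate_pack(data):
    """Offset of the pack header: 0 for a bare .pck, or the start of a pack
    appended to an executable, found via the trailer (uint64 pack size + magic)."""
    if data[:4] == PCK_MAGIC:
        return 0
    if len(data) >= 12 and data[-4:] == PCK_MAGIC:
        (pack_size,) = struct.unpack_from("<Q", data, len(data) - 12)
        start = len(data) - 12 - pack_size
        if start >= 0 and data[start:start + 4] == PCK_MAGIC:
            return start
    raise ValueError("no Godot pack header found")


def parse_pck(data):
    """Parse header and file table into a dict; stops early if the table is encrypted."""
    base = locate_pack(data)
    _magic, fmt, major, minor, patch = struct.unpack_from("<4sIIII", data, base)
    pos = base + 20
    pack_flags, file_base = 0, base  # format 1: entry offsets are relative to the pack start
    if fmt == 2:
        pack_flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
        if pack_flags & PACK_REL_FILEBASE:
            file_base += base
    elif fmt != 1:
        raise ValueError(f"unsupported pack format {fmt}")
    pos += 16 * 4  # reserved words
    info = {"format": fmt, "engine": f"{major}.{minor}.{patch}", "embedded": base != 0,
            "dir_encrypted": bool(pack_flags & PACK_DIR_ENCRYPTED), "entries": []}
    if info["dir_encrypted"]:
        return info  # nothing more to read without the export key
    (count,) = struct.unpack_from("<I", data, pos)
    pos += 4
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", data, pos)
        pos += 4
        path = data[pos:pos + plen].rstrip(b"\0").decode("utf-8")  # format 2 pads paths to 4 bytes
        pos += plen
        ofs, size = struct.unpack_from("<QQ", data, pos)
        md5 = data[pos + 16:pos + 32]
        pos += 32
        flags = 0
        if fmt == 2:
            (flags,) = struct.unpack_from("<I", data, pos)
            pos += 4
        info["entries"].append({"path": path, "offset": file_base + ofs, "size": size,
                                "md5": md5.hex(), "encrypted": bool(flags & PACK_FILE_ENCRYPTED)})
    return info


def extract(data, entry):
    blob = data[entry["offset"]:entry["offset"] + entry["size"]]
    if len(blob) != entry["size"]:
        raise ValueError(f"{entry['path']}: data runs past the end of the container")
    return blob


def triage(data):
    """Return (pack info, one finding per bundled script)."""
    info = parse_pck(data)
    findings = []
    for e in info["entries"]:
        if not e["path"].endswith(SCRIPT_SUFFIXES):
            continue
        f = {"path": e["path"], "encrypted": e["encrypted"], "md5_ok": None, "hits": []}
        if not e["encrypted"]:
            blob = extract(data, e)
            # The table's md5 is written by whoever built the pack: an integrity field, not proof of origin.
            f["md5_ok"] = hashlib.md5(blob).hexdigest() == e["md5"]
            if e["path"].endswith(".gd"):
                f["hits"] = [c for c in SUSPICIOUS_CALLS if c in blob.decode("utf-8", "replace")]
        findings.append(f)
    return info, findings


def build_sample(files, embed_into=None):
    """Construct a format-2 pack from {path: bytes} (test data, not a Godot export);
    with embed_into, append it to those bytes with the trailer Godot uses."""
    flags = PACK_REL_FILEBASE if embed_into is not None else 0
    table, blobs = b"", b""
    for path, blob in files.items():
        p = path.encode()
        p += b"\0" * (-len(p) % 4)
        table += struct.pack("<I", len(p)) + p + struct.pack("<QQ", len(blobs), len(blob))
        table += hashlib.md5(blob).digest() + struct.pack("<I", 0)
        blobs += blob
    file_base = 100 + len(table)  # header (96) + file count (4) + table
    pack = (PCK_MAGIC + struct.pack("<IIIIIQ", 2, 4, 2, 0, flags, file_base) + b"\0" * 64
            + struct.pack("<I", len(files)) + table + blobs)
    if embed_into is None:
        return pack
    return embed_into + pack + struct.pack("<Q", len(pack)) + PCK_MAGIC


# Constructed sample: a benign scene plus a script shaped like a dropper (not real GodLoader code).
LOADER_GD = b"extends Node\nfunc _ready():\n\tvar req = HTTPRequest.new()\n\tadd_child(req)\n\tOS.execute(\"cmd\", [\"/c\", \"echo sample\"], [])\n"
SAMPLE_FILES = {"res://main.tscn": b"[gd_scene format=3]\n", "res://loader.gd": LOADER_GD}
SAMPLE_PCK = build_sample(SAMPLE_FILES)
SAMPLE_EXE = build_sample(SAMPLE_FILES, embed_into=b"MZ" + b"\x90" * 300)  # stand-in for a runtime .exe

if __name__ == "__main__":
    for name, blob in (("bare .pck", SAMPLE_PCK), ("runtime with embedded pack", SAMPLE_EXE)):
        info, findings = triage(blob)
        print(f"{name}: format {info['format']}, engine {info['engine']}, embedded={info['embedded']}")
        for f in findings:
            print(f"  {f['path']}: md5_ok={f['md5_ok']} encrypted={f['encrypted']} hits={f['hits']}")
```

Run it against a real download by reading the .pck, or the game's executable, into `data` and calling `triage(data)`. Two caveats follow from the format itself: an encrypted file table or encrypted script entries cannot be inspected without the export key, so the script only reports them, and the md5 stored beside each entry is computed by whoever built the pack, so a matching digest says nothing about whether the pack is the one the developer shipped.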

Potential Risks and Mitigation Strategies

An attacker who could replace a legitimate game’s .pck file, or the pack section embedded in its executable, would reach that game’s entire player base. This has not been observed, but the scenario underscores the need to encrypt pack contents and to verify them with an asymmetric key before loading, so that a tampered pack is rejected; encryption alone does not help if the executable will load any pack it is handed.

Because most antivirus programs do not yet flag GodLoader, users should be especially careful with Godot-related downloads, above all anything presented as a crack for paid software.

To reduce risk, developers and users should also keep software and systems up to date, treat unfamiliar repositories and downloads with caution, and raise security awareness within their organizations.

In a statement, the Godot security team said, “Users who merely have a Godot game or editor installed on their system are not specifically at risk. We encourage people to only execute software from trusted sources – whether it’s written using Godot or any other programming system.”

They added, “We thank Check Point Research for following the security guidelines of responsible disclosure, which let us confirm that this attack vector, while unfortunate, is not specific to Godot and does not expose a vulnerability in the engine or for its users.”
