Hackers Use the Godot Engine to Distribute a Malware Loader

Both gamers and developers can be affected if they download software from shady sources.

Although classic self-replicating viruses are far less common than they were 10-15 years ago, the people who write malware are as active as ever, constantly probing modern software for weaknesses they can use to get their code onto other people's machines. One such weakness was recently highlighted by the Check Point Research team, which published a comprehensive report detailing how attackers abuse the Godot engine to target both gamers and game developers, steal their data, and turn their PCs into crypto-mining rigs.

As outlined in CPR's report, attackers have been abusing Godot's Python-like custom scripting language, GDScript, since at least June 2024, using it to deliver and execute malicious code that went undetected by nearly all antivirus engines. A network of GitHub accounts known as the Stargazers Ghost Network used this technique to distribute a malware loader dubbed GodLoader throughout September and October, reportedly infecting over 17,000 devices, with as many as 1.2 million users of Godot-developed games potentially exposed.

On the technical side, GodLoader exploits Godot's .pck files, which are used by the engine to package game assets and resources. These files can be dynamically loaded by games, enabling developers to distribute updates, downloadable content, or additional assets without altering the core game executable.

Besides "static" game files like music or images, a .pck file can also carry scripts written in GDScript. When a game loads such a pack at runtime, the scripts inside run as soon as the scene or node that references them is instantiated, typically from the node's built-in "_ready()" callback, which is how games legitimately add features or modify existing behaviour. The loader abuses exactly this mechanism to run its code, download additional malware, and deploy it while staying under the radar. Because GDScript is a fully featured language with access to the operating system, it gives threat actors everything from Anti-Sandbox and Anti-VM checks to fetching and executing remote payloads.
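The packaging described above is plain enough to inspect offline. The script below is an added example written for this article; it is not code from the article, from Check Point Research or from the Godot project. It parses a stand-alone Godot .pck (the Godot 3 "version 1" and Godot 4 "version 2" layouts, with an unencrypted directory; a pack appended to an executable would need its header located first), lists every packed file, and flags the entries that can carry executable GDScript: .gd/.gdc/.gde scripts and scene/resource files that can embed a script. For each flagged entry it checks the stored MD5 and greps the body for the GDScript APIs a loader needs (process spawning, HTTP, file writes). The list of "suspicious" APIs and the sample pack, built in-script from a constructed script, scene and icon, are assumptions for illustration, not indicators from the report.

```python
"""Triage a Godot .pck archive: list the packed files and flag script payloads.

Added example, not code from the article, Check Point Research or the Godot
project. Assumptions: the pack is a stand-alone .pck (not appended to an .exe),
its directory is not encrypted, and the layout is Godot 3 (version 1) or
Godot 4 (version 2). The sample pack below is constructed in-script.
"""
import hashlib
import struct

PCK_MAGIC = b"GDPC"
PACK_DIR_ENCRYPTED = 1                            # pack flag: directory needs the export key
SCRIPT_EXTS = (".gd", ".gdc", ".gde")             # source / compiled / encrypted GDScript
CARRIER_EXTS = (".tscn", ".scn", ".tres", ".res")  # scenes and resources can embed scripts
# Assumed heuristic: APIs a loader needs (process spawning, networking, file writes).
SUSPICIOUS_APIS = ("OS.execute", "OS.create_process", "OS.shell_open",
                   "HTTPRequest", "HTTPClient", "FileAccess.open")


def _pad4(n):
    return (-n) % 4


def build_pck(files, godot=(4, 2, 0)):
    """Build a minimal version-2 (Godot 4) .pck from {path: bytes}.

    Directory offsets are relative to file_base, as the engine's exporter
    writes them; per-file flags are 0 (unencrypted). Fixture builder only."""
    dir_len = sum(4 + len(p.encode()) + _pad4(len(p.encode())) + 8 + 8 + 16 + 4
                  for p in files)
    file_base = 100 + dir_len                     # 100-byte fixed header
    head = bytearray(struct.pack("<4sIIIIIQ", PCK_MAGIC, 2, *godot, 0, file_base))
    head += b"\0" * 64                            # 16 reserved uint32
    head += struct.pack("<I", len(files))
    blobs = bytearray()
    for path, data in files.items():
        p = path.encode()
        head += struct.pack("<I", len(p) + _pad4(len(p))) + p + b"\0" * _pad4(len(p))
        head += struct.pack("<QQ", len(blobs), len(data))
        head += hashlib.md5(data).digest() + struct.pack("<I", 0)
        blobs += data
    return bytes(head + blobs)


def parse_pck(data):
    """Return the pack directory as a list of dicts (path, offset, size, md5, flags)."""
    magic, version, major, minor, patch = struct.unpack_from("<4sIIII", data, 0)
    if magic != PCK_MAGIC:
        raise ValueError("not a Godot pack: bad magic")
    pos = 20
    if version == 1:                              # Godot 3: absolute offsets, no flags
        pack_flags, file_base = 0, 0
    elif version == 2:                            # Godot 4: offsets relative to file_base
        pack_flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
    else:
        raise ValueError(f"unsupported pack version {version}")
    if pack_flags & PACK_DIR_ENCRYPTED:
        raise ValueError("encrypted directory: cannot triage without the key")
    pos += 64                                     # reserved words
    (count,) = struct.unpack_from("<I", data, pos)
    pos += 4
    entries = []
    for _ in range(count):
        (sl,) = struct.unpack_from("<I", data, pos)   # path length incl. NUL padding
        pos += 4
        path = data[pos:pos + sl].rstrip(b"\0").decode("utf-8")
        pos += sl
        ofs, size = struct.unpack_from("<QQ", data, pos)
        pos += 16
        md5 = data[pos:pos + 16].hex()
        pos += 16
        flags = 0
        if version == 2:
            (flags,) = struct.unpack_from("<I", data, pos)
            pos += 4
        entries.append({"path": path, "offset": file_base + ofs, "size": size,
                        "md5": md5, "flags": flags})
    return entries


def triage(data):
    """Flag entries that can carry executable GDScript and grep them for loader APIs."""
    findings = []
    for e in parse_pck(data):
        body = data[e["offset"]:e["offset"] + e["size"]]
        low = e["path"].lower()
        if low.endswith(SCRIPT_EXTS):
            kind = "script"
        elif low.endswith(CARRIER_EXTS):
            kind = "resource that may embed a script"
        else:
            continue
        hits = [api for api in SUSPICIOUS_APIS if api.encode() in body]
        findings.append({"path": e["path"], "kind": kind, "apis": hits,
                         "md5_ok": hashlib.md5(body).hexdigest() == e["md5"]})
    return findings


# Constructed sample: a benign asset, a scene, and a script whose _ready() sets up
# an HTTP request and spawns a process (the shape of a loader, harmless command).
SAMPLE_FILES = {
    "res://icon.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
    "res://main.tscn": b"[gd_scene format=3]\n[node name=\"Main\" type=\"Node\"]\n",
    "res://stage1.gd": (b"extends Node\n"
                        b"func _ready():\n"
                        b"\tvar req = HTTPRequest.new()\n"
                        b"\tadd_child(req)\n"
                        b"\tOS.execute(\"cmd.exe\", [\"/c\", \"whoami\"])\n"),
}

if __name__ == "__main__":
    for finding in triage(build_pck(SAMPLE_FILES)):
        print(finding)
```

Run it as-is to see the sample pack triaged, or call `triage(open("game.pck", "rb").read())` on a real stand-alone pack. A hit on the API list is a reason to read the script, not a verdict: legitimate games use HTTPRequest for telemetry and DLC, and a compiled (.gdc) or encrypted (.gde) script will show no string hits at all, which is itself worth noting.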

"While our initial discovery targeted Windows machines, Check Point Research assessed the ease of developing loaders for platforms beyond Windows," the report reads. "The simplicity of creating loaders is largely dependent on the target platform, as most core loader functionality relies on other executables and the operating system itself. The Godot Engine primarily functions as an execution environment for GDScript code. This technique can be demonstrated by using the original version of Godot on Linux and MacOS. An Android loader also seems possible but requires modifications to the Godot Engine. However, an iOS version is unlikely due to Apple’s strict App Store policies, which would make deployment challenging."

Once activated, GodLoader deploys further malware onto the unsuspecting user's machine, most notably RedLine, an information stealer with a customizable file-grabber used to collect sensitive data from web browsers, email and messaging apps, and cryptocurrency wallets, and XMRig, a cryptojacking tool that uses the victim's hardware to mine cryptocurrency for the attacker.

"Combining a highly targeted distribution method and a discreet, undetected technique has resulted in exceptionally high infection rates," concludes the research paper. "This cross-platform approach enhances malware versatility, giving threat actors a powerful tool that can easily target multiple operating systems. This method allows attackers to deliver malware more effectively across various devices, maximizing their reach and impact."

In response to CPR's report, Godot's security team issued an official statement acknowledging the issue and emphasizing that the vulnerability is not specific to Godot. "It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language. We do not believe that Godot is particularly more or less suited to do so than other such programs," the team said in the statement.

Additionally, the developers stressed that while the loader runs on top of Godot, it is, naturally, not present in the engine's official builds or in Godot-powered games distributed through trusted platforms like Steam, EGS, Google Play, the App Store, and others. The usual rules of cybersecurity therefore apply: only run games and tools from sources you trust, and avoiding downloads from shady sources closes off the route GodLoader relies on.

Read Check Point Research's full write-up here.
