A new cross-platform malware dubbed “GodLoader” has successfully infiltrated over 17,000 systems by leveraging the Godot game engine. This sophisticated threat, discovered by Check Point Research, operates across Windows, macOS, Linux, Android, and iOS platforms.
The malware uses Godot’s GDScript to execute malicious code and conceals it within the game engine’s .pck files, which makes detection particularly challenging. Its primary payload includes the XMRig cryptocurrency miner.
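For triage of a suspect .pck file, the sketch below lists the archive's directory and marks GDScript entries and encrypted content. It is an added example, not code from Check Point Research or the Godot project. It assumes the standalone pack layout used by Godot 4.0 to 4.3 (format version 2), which is not described on this page; the function names and the sample archive are constructed for illustration.

```python
import struct

PCK_MAGIC = b"GDPC"              # assumed magic, little-endian 0x43504447
SCRIPT_EXTS = (".gd", ".gdc")    # GDScript source / compiled GDScript

def list_pck_entries(data):
    """Return (engine_version, entries) for a standalone format-2 PCK."""
    if data[:4] != PCK_MAGIC:
        raise ValueError("no GDPC magic at offset 0")
    try:
        fmt, major, minor, patch, pack_flags, file_base = struct.unpack_from("<5IQ", data, 4)
        if fmt != 2:
            raise ValueError(f"unsupported pack format {fmt}")
        if pack_flags & 1:  # the directory itself is encrypted
            raise ValueError("encrypted directory: cannot list without the key")
        (count,) = struct.unpack_from("<I", data, 96)  # follows 16 reserved u32
        pos, entries = 100, []
        for _ in range(count):
            (plen,) = struct.unpack_from("<I", data, pos)
            raw = data[pos + 4:pos + 4 + plen]
            pos += 4 + plen
            ofs, size, _md5, flags = struct.unpack_from("<QQ16sI", data, pos)
            pos += 36
            path = raw.rstrip(b"\0").decode("utf-8", "replace")
            entries.append({"path": path, "offset": file_base + ofs, "size": size,
                            "encrypted": bool(flags & 1),
                            "script": path.lower().endswith(SCRIPT_EXTS)})
    except struct.error as exc:  # any read past the end of the buffer
        raise ValueError("truncated PCK header or directory") from exc
    return f"{major}.{minor}.{patch}", entries

def build_sample_pck(files):
    """Constructed test input: pack {path: bytes} into a format-2 PCK."""
    directory, blob = b"", b""
    for path, content in files.items():
        name = path.encode()
        name += b"\0" * (-len(name) % 4)   # paths are NUL-padded to 4 bytes
        directory += struct.pack("<I", len(name)) + name
        directory += struct.pack("<QQ16sI", len(blob), len(content), b"\0" * 16, 0)
        blob += content
    file_base = 100 + len(directory)       # file data starts after the directory
    header = PCK_MAGIC + struct.pack("<5IQ", 2, 4, 3, 0, 0, file_base) + b"\0" * 64
    return header + struct.pack("<I", len(files)) + directory + blob

if __name__ == "__main__":
    sample = build_sample_pck({"res://main.gd": b"extends Node\n", "res://icon.png": b"\x89PNG"})
    version, entries = list_pck_entries(sample)
    for e in entries:
        print(version, e["path"], e["size"], "SCRIPT" if e["script"] else "")
```

A pack embedded in an exported executable does not start at offset 0, so this sketch reports it as having no magic; the constructed sample also uses zeroed MD5 fields rather than real digests.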
Distribution Strategy
The threat actor, known as Stargazer Goblin, orchestrated the attack through the Stargazers Ghost Network, employing over 200 GitHub repositories and 225+ controlled accounts. Four major attack waves targeted developers and gamers between September and October 2024, with the malware configuration being accessed more than 206,913 times.
Impact and Scope
– Successfully evaded most antivirus detection systems
– Affected all major operating systems
– Exploited legitimate open-source platforms
– Generated over $100,000 in malware distribution revenue
The emergence of GodLoader represents a significant evolution in malware tactics, demonstrating how threat actors can weaponize trusted game development tools for malicious purposes. This attack has exposed critical vulnerabilities in gaming software deployment security, prompting increased concern within the cybersecurity community.