Threat actors have weaponised the open-source Godot Engine, exploiting its scripting capabilities to execute sophisticated malware campaigns. Dubbed ‘GodLoader,’ this newly discovered malware has infected more than 17,000 systems since June 2024, leveraging the flexibility of Godot’s GDScript and eluding detection by most antivirus tools.
Godot Engine, popular among indie game developers for its ease of use and cross-platform capabilities, is now used to bundle and execute malicious GDScript code hidden within .pck files. These files, typically used to store game assets and scripts, are weaponised by embedding encrypted malicious scripts. When executed, the scripts trigger payload downloads and deploy malware.
The attack relies on GDScript’s inherent capabilities, which can control gameplay elements, interact with objects, and even execute system commands. Threat actors exploit these features to bypass traditional detection mechanisms, employing anti-sandboxing and anti-virtualisation techniques to avoid scrutiny.
This approach ensures high stealth, making detection particularly challenging.
Researchers say one of GodLoader’s alarming aspects is its cross-platform adaptability. While initial samples targeted Windows, proof-of-concept attacks on Linux and macOS demonstrated its potential reach.
Modifications for Android are feasible, though deploying on iOS is limited by Apple’s strict app policies. The malware’s cross-platform flexibility stems from Godot’s export capabilities, which allow seamless adaptation to multiple operating systems with minimal effort.
“The Godot Engine primarily functions as an execution environment for GDScript code. This technique can be demonstrated by using the original version of Godot on Linux and MacOS. An Android loader also seems possible but requires modifications to the Godot Engine. However, an iOS version is unlikely due to Apple’s strict App Store policies, which would make deployment challenging,” researchers wrote.
GodLoader is primarily distributed via the ‘Stargazers Ghost Network,’ a distribution-as-a-service (DaaS) platform. This network leverages GitHub repositories to masquerade malware as legitimate software. Since September 2024, over 196 repositories have been identified as hosting GodLoader-related files, supported by over 225 fake GitHub accounts that star the repositories to lend them credibility.
The campaign unfolded in four distinct waves — on September 12, 14, 29, and October 3, 2024 — targeting developers, gamers, and general users. Each repository featured malicious files disguised as legitimate applications, tricking users into downloading them.
The malware archives, often updated by GitHub bots to appear recent, contained executable files and encrypted .pck files, which were decrypted upon execution to deploy malicious scripts.
The attacker took advantage of the Godot Engine’s ability to encrypt .pck files using an AES key. In earlier samples, researchers noticed that the malicious .pck files were embedded within the executable; later versions used external encrypted files for added stealth.
The malware’s high-level flow involves:
- Sandbox evasion: Techniques such as checking for 3D video acceleration hardware or inspecting available system resources to avoid virtual environments.
- Privilege escalation: Using PowerShell scripts to gain admin access and disable Microsoft Defender protections.
- Payload execution: Downloading further payloads from legitimate platforms like Bitbucket, further obscuring their malicious intent.
Researchers observed comments in Russian within the GDScript code that suggested a possible origin of the attackers.
The campaign highlights a potential risk: the infection of legitimate Godot games. Threat actors could replace genuine .pck files with malicious versions or tamper with embedded pack sections within game executables. By obtaining the AES keys used for encryption, attackers could manipulate popular Godot-developed games, potentially targeting over 1.2 million players.
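As an added example (not from the article or from the researchers’ tooling), a small Python triage helper for the scenario just described: it parses the Godot pack header to recognise loose .pck files and packs appended to the end of an executable, and reports whether the pack directory is encrypted, which is the property that hides script contents from a casual look. The header and trailer layouts are assumed from Godot 4’s pack format (version 2), and the sample bytes are constructed rather than taken from any real sample.

```python
import struct
from typing import Dict, List, Optional
# Assumed Godot 4 (.pck format version 2) header, little-endian: char[4] "GDPC",
# uint32 format_version, major, minor, patch, pack_flags (bit 0 = directory encrypted),
# uint64 file_base, 16 x uint32 reserved, uint32 file_count.
PCK_MAGIC = b"GDPC"
PACK_DIR_ENCRYPTED = 1 << 0
HEADER_FMT = "<4s5IQ16II"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 100 bytes

def parse_pck_header(data: bytes) -> Optional[dict]:
    """Parsed header fields, or None if the bytes do not start with a Godot pack."""
    if len(data) < HEADER_LEN or data[:4] != PCK_MAGIC:
        return None
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {"engine_version": f"{f[2]}.{f[3]}.{f[4]}",
            "encrypted": bool(f[5] & PACK_DIR_ENCRYPTED), "file_count": f[-1]}

def find_embedded_pck(exe: bytes) -> Optional[int]:
    """Offset of a pack appended to an executable, or None.
    Assumed trailer: <pack> uint64 pack_size, then "GDPC" as the last 4 bytes."""
    if len(exe) < 12 or exe[-4:] != PCK_MAGIC:
        return None
    (pack_size,) = struct.unpack("<Q", exe[-12:-4])
    start = len(exe) - 12 - pack_size
    return start if start >= 0 and exe[start:start + 4] == PCK_MAGIC else None

def triage(files: Dict[str, bytes]) -> List[str]:
    """One finding per loose pack file or executable carrying an embedded pack."""
    findings = []
    for name, data in sorted(files.items()):
        hdr, off = parse_pck_header(data), None
        if hdr is None:
            off = find_embedded_pck(data)
            hdr = parse_pck_header(data[off:]) if off is not None else None
        if hdr is None:
            continue  # neither a .pck nor a runtime with an appended pack
        kind = "embedded pack" if off is not None else "pack file"
        enc = "encrypted directory" if hdr["encrypted"] else "plain directory"
        findings.append(f"{name}: Godot {kind} ({enc}, {hdr['file_count']} entries, "
                        f"engine {hdr['engine_version']})")
    return findings

# Constructed samples (header only, no file table) so the helper runs offline.
def build_sample_pck(encrypted: bool, file_count: int = 3) -> bytes:
    flags = PACK_DIR_ENCRYPTED if encrypted else 0
    return struct.pack(HEADER_FMT, PCK_MAGIC, 2, 4, 2, 0, flags, HEADER_LEN, *([0] * 16), file_count)

def build_sample_exe_with_pck(pck: bytes) -> bytes:
    # "MZ" stub stands in for the Godot runtime; it is not a real PE image
    return b"MZ" + b"\x00" * 62 + pck + struct.pack("<Q", len(pck)) + PCK_MAGIC
```

An encrypted pack beside a stray Godot runtime is not proof of anything by itself, but it is the combination worth pulling aside for a closer look, and the same check can be run over a known-good game install to confirm its .pck has not been swapped.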
In response to the research, Godot Engine told BleepingComputer that Godot Engine is akin to a programming language and threat actors can write malicious code using any programming language.
“Godot does not register a file handler for ‘.pck’ files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime,” Godot Engine told BleepingComputer. There is no way for a malicious actor to create a “one-click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used, then Godot would not be a particularly attractive option due to the size of the runtime.
Researchers urged users and organisations to encrypt .pck files with asymmetric algorithms, update systems and software, avoid unverified downloads from GitHub, and educate employees about phishing and malware risks.