Gh0st RAT-based GodRAT attacks financial organizations
Aug. 19, 2025, 9:20 p.m.
Description
A newly identified Remote Access Trojan named GodRAT, based on the Gh0st RAT codebase, has been targeting financial firms since September 2024. The attackers distribute malicious .scr files via Skype, using steganography to embed shellcode in images. GodRAT supports plugins and is used alongside browser password stealers and AsyncRAT. The campaign, likely an evolution of the AwesomePuppet RAT connected to Winnti APT, remains active as of August 2025. Targets include organizations in Hong Kong, United Arab Emirates, Lebanon, Malaysia, and Jordan. The attackers employ various techniques to evade detection and maintain persistent access to compromised systems.
Tags
Date
- Created: Aug. 19, 2025, 4:07 p.m.
- Published: Aug. 19, 2025, 4:07 p.m.
- Modified: Aug. 19, 2025, 9:20 p.m.
Additional Information
- Finance
- Lebanon
- Hong Kong
- Jordan
- United Arab Emirates
- Malaysia