Wednesday, December 4, 2024

Hackers Exploit Godot Engine to Deliver Undetectable Cross-Platform Malware

A widely used open-source game development platform, Godot Engine, has become the target of cybercriminals in a malware campaign named GodLoader, which has infected over 17,000 systems since June 2024.

“Threat actors are exploiting the flexibility of Godot’s scripting language, GDScript, to execute malicious commands and deliver malware payloads,” said Check Point researchers in a detailed analysis released Wednesday. “This innovative approach bypasses detection by almost all antivirus tools on VirusTotal.”

The misuse of legitimate platforms like Godot Engine highlights how attackers continue to develop advanced techniques to evade detection, even as cybersecurity defenses evolve.

Cross-Platform Appeal of Godot Engine

Godot Engine, popular for developing 2D and 3D games across platforms like Windows, macOS, Linux, Android, and iOS, is being weaponized to launch cross-platform malware attacks. The multi-platform support of the engine allows attackers to broaden their reach and infect diverse devices, significantly increasing the scale of their operations.

“The adaptability of Godot Engine makes it a double-edged sword,” said Eli Smadja, security research group manager at Check Point Software Technologies. “While it’s a powerful tool for game developers, it’s equally appealing to cybercriminals who exploit its open-source nature to spread malware like GodLoader. For the 1.2 million users of Godot-built games, the impact extends beyond device compromise to the integrity of the gaming ecosystem itself.”

The GodLoader Campaign: Techniques and Targets

The GodLoader malware campaign uses the Stargazers Ghost Network, a network of 200 GitHub repositories and over 225 fraudulent accounts, to distribute malware. These repositories, often starred by fake accounts, create an illusion of legitimacy.

Attacks linked to this campaign were observed on September 12, 14, 29, and October 3, 2024. The method involves using Godot Engine executables (or .PCK files) to deploy GodLoader. The loader then downloads additional payloads like RedLine Stealer and XMRig cryptocurrency miner from a Bitbucket repository.

The malware is designed to evade detection by security tools, bypass sandbox analysis, and even manipulate Microsoft Defender Antivirus settings to exclude the entire C:\ drive, ensuring the malware remains undetected.
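A defensive check for the Defender tampering described above, added here as an example and not taken from the article or from Check Point's report. It assumes a Windows host with the Defender PowerShell module and uses only documented cmdlets (Get-MpPreference, Get-WinEvent); the ".pck" extension check is the author's assumption based on the file type the article names.

```powershell
# Added example: audit Microsoft Defender for the kind of overly broad exclusion
# (an entire drive such as C:\) that the GodLoader campaign is reported to add,
# and list recent configuration-change events so the change can be tied to a time.

function Get-SuspiciousDefenderExclusions {
    $prefs     = Get-MpPreference
    $driveRoot = '^[A-Za-z]:\\?$'        # "C:" or "C:\" -> whole volume unscanned
    $driveWild = '^[A-Za-z]:\\\*'        # "C:\*" has the same effect
    $findings  = @()

    foreach ($p in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        if ($p -match $driveRoot -or $p -match $driveWild) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = 'drive-root exclusion' }
        }
    }
    # Whole-extension exclusions deserve the same scrutiny; Godot packs are .pck
    # files and the engine binary is an ordinary executable (assumption: these are
    # the extensions worth flagging for this campaign).
    foreach ($e in @($prefs.ExclusionExtension)) {
        if ($e -in @('exe', 'dll', 'pck', '*')) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'broad extension exclusion' }
        }
    }
    foreach ($proc in @($prefs.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($proc)) { continue }
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'process exclusion (review)' }
    }
    return $findings
}

# Event ID 5007 in the Defender operational log records every configuration
# change, including exclusions being added; pull the last N days so a new
# drive-root exclusion can be correlated with when the loader ran.
function Get-DefenderConfigChanges {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

$bad = Get-SuspiciousDefenderExclusions
if ($bad) { $bad | Format-Table -AutoSize } else { 'No broad Defender exclusions found.' }
Get-DefenderConfigChanges | Format-List
```

Run it elevated; Get-MpPreference returns the effective policy, so an exclusion pushed by Group Policy shows up alongside one added locally by malware.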

Expanding the Attack Surface

Although the current attacks primarily target Windows systems, researchers noted that adapting the malware for macOS and Linux is straightforward. There is also potential for attackers to tamper with legitimate Godot-built games by obtaining encryption keys, further increasing the threat.

Check Point has suggested switching to asymmetric encryption algorithms to prevent such attacks, emphasizing the need for robust security measures in open-source platforms.

Lessons for Users and Developers

This campaign is yet another reminder that cybercriminals often exploit trusted platforms and services to evade detection. Users are urged to download software only from official and trusted sources.

“Godot’s architecture enables attackers to deliver platform-agnostic payloads, increasing the versatility of their malware,” the researchers added. “The combination of targeted delivery methods and undetectable techniques has resulted in a highly successful malware campaign.”

As cybercriminals continue to evolve, proactive cross-platform cybersecurity measures will be crucial to safeguard users and prevent further exploitation of trusted platforms like Godot.

Aiden Thomas