Verticals Targeted: Financial
Regions Targeted: Hong Kong, United Arab Emirates, Lebanon, Malaysia, Jordan
Related Families: AsyncRAT, AwesomePuppet, Gh0st RAT
Executive Summary
GodRAT is a RAT derived from the Gh0st RAT codebase. It was observed targeting financial institutions via malicious .scr and .pif files distributed through Skype. Leveraging steganography and additional plugins like FileManager, GodRAT facilitates credential theft and system exploration.
Key Takeaways
- GodRAT uses steganography to hide shellcode in image files, evading detection.
- The malware targets financial institutions, deploying browser password stealers and AsyncRAT for persistent access.
- The FileManager plugin enables extensive file system manipulation and data collection.
- GodRAT shares code similarities with AwesomePuppet.
What is GodRAT?
GodRAT is a Remote Access Trojan (RAT) observed targeting financial institutions, specifically trading and brokerage firms, through malicious .scr (screen saver) and .pif (Program Information File) files masquerading as financial documents. These files were distributed via Skype messenger, exploiting the platform’s trust to deliver payloads. Built on the Gh0st RAT codebase, GodRAT employs advanced techniques like steganography to conceal shellcode within image files, enabling it to bypass traditional security measures. Securelist reported on this activity.
GodRAT’s infection chain begins with shellcode loaders, which execute malicious code by injecting it into their own processes. One loader XOR-decodes embedded shellcode using a hardcoded key and maps it into process memory for execution. Another loader extracts shellcode from an image file, using a legitimate executable signed with an expired DigiCert certificate. This certificate adds a layer of perceived legitimacy to the attack.
The shellcode searches for the string “godinfo,” decoding configuration data with a single-byte XOR key to retrieve the Command-and-Control (C2) server’s IP, port, and module command line. It connects to the C2 server, transmitting “GETGOD” to download a second-stage shellcode containing a UPX-packed GodRAT DLL. This DLL, executed via the exported “run” function, can inject itself into processes like curl.exe or cmd.exe using the “-Puppet” parameter, a trait shared with the AwesomePuppet RAT.
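As an added illustration, not code from the report or from any GodRAT sample, the Python below sketches how an analyst could recover the XOR-encoded configuration that follows the "godinfo" marker from a memory dump or decoded shellcode: it brute-forces the single-byte key rather than assuming it, and the field layout after the marker (IP, port and module command line separated by null bytes) and the sample blob are constructed assumptions for the example.

```python
"""Recover a single-byte-XOR'd GodRAT-style config following a "godinfo" marker.
The field layout after the marker is not documented in the report; the sample
here is constructed (IP, port, command line separated by nulls) and the decoder
brute-forces the key rather than assuming it (assumed layout, for illustration)."""
import re

MARKER = b"godinfo"
# Plausible plaintext: a dotted-quad IP, a separator, then a port number.
IP_PORT_RE = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3})[\x00:|](\d{1,5})\b")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_config(blob: bytes, window: int = 256):
    """Return (key, ip, port, cmdline) for the first decodable config, else None."""
    for m in re.finditer(re.escape(MARKER), blob):
        enc = blob[m.end(): m.end() + window]
        for key in range(256):
            dec = xor_bytes(enc, key)
            hit = IP_PORT_RE.search(dec)
            if not hit:
                continue
            ip = hit.group(1).decode()
            if not all(int(o) <= 255 for o in ip.split(".")):
                continue
            port = int(hit.group(2))
            if not 0 < port <= 65535:
                continue
            # Printable bytes after the port, up to the next null, are taken as
            # the module command line (assumed layout).
            rest = dec[hit.end():].lstrip(b"\x00")
            cmdline = rest.split(b"\x00", 1)[0]
            if cmdline and not all(32 <= c < 127 for c in cmdline):
                continue
            return key, ip, port, cmdline.decode(errors="replace")
    return None

def build_sample(ip: str, port: int, cmdline: str, key: int) -> bytes:
    """Constructed test blob: junk, the marker, XOR'd fields, trailing padding."""
    plain = f"{ip}\x00{port}\x00{cmdline}".encode() + b"\x00"
    return b"MZ\x90\x00" + b"\x17" * 32 + MARKER + xor_bytes(plain, key) + b"\xcc" * 16

if __name__ == "__main__":
    sample = build_sample("203.0.113.45", 8080, "-Puppet", 0x5A)
    print(find_config(sample))  # -> (90, '203.0.113.45', 8080, '-Puppet')
```

The IP and port values used are documentation-range placeholders, not indicators from the report.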
GodRAT’s functionality includes collecting victim data, such as OS details, hostname, process information, and antivirus presence, which is zlib-compressed, XOR-encoded, and sent to the C2 server with a 15-byte header. The RAT supports commands to inject plugins, download and execute files, open URLs, and manipulate the file system. The FileManager plugin is particularly versatile, enabling attackers to list files, read/write data, delete files, create directories, and execute commands via a hidden 7zip utility.
In addition to GodRAT, attackers deploy AsyncRAT as a secondary implant. AsyncRAT, written in C#, bypasses security checks by patching AMSI and ETW functions, ensuring persistent access. The attackers also use Chrome and Microsoft Edge password stealers to extract credentials from browser databases.
GodRAT’s distribution targeted regions including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan, with detections recorded as recently as August 12, 2025. The malware’s source code, originally discovered in July 2024, reveals its origins in the Gh0st RAT framework, with identical UID generation to Gh0st RAT’s “gh0st.h” file. The included builder allows customization of payloads, supporting executable injection into legitimate processes like svchost.exe or curl.exe.
The similarities between GodRAT and AwesomePuppet, including the “-Puppet” parameter and code structure, strongly suggest that GodRAT is an evolution of AwesomePuppet, potentially tied to the China-nexus threat actor group known as Winnti. This connection underscores the persistence of legacy codebases like Gh0st RAT, which continue to be adapted for modern attacks.
IOCs
PolySwarm has multiple samples of GodRAT.
E26efc253a47bf311abff125f53f860c0cabaa58592b3407de1380a6d3170265
48d0d162bd408f32f8909d08b8e60a21b49db02380a13d366802d22d4250c4e7
Da34b4041090eafb852985866dd9fc5c435b5654a4c671a2c7f73be2804e2c22
PolySwarm also has a sample of AsyncRAT, used as a secondary implant in the reported GodRAT activity.
Ed1dfd2e913e1c53d9f9ab5b418f84e0f401abfdf8e3349e1fcfc98663dcb23f
You can use the following CLI command to search for all GodRAT samples in our portal:
$ polyswarm link list -f GodRAT