GodRAT Trojan Targets Trading Firms With Steganography and Gh0st RAT DNA: What Security Teams Need to Know Now
If you work in the markets, you already know: seconds matter, trust is currency, and the wrong click can cost millions. That’s why a newly uncovered malware campaign targeting trading and brokerage firms should have your full attention. It blends a 2008-era remote access trojan (Gh0st RAT) with modern stealth tricks like steganography—hiding malicious code inside images—and spreads via something as mundane as a Skype message.
Here’s the headline: a previously unreported remote access trojan dubbed “GodRAT” is hitting financial institutions in Hong Kong, the UAE, Lebanon, Malaysia, and Jordan. It masquerades as screen saver files (.SCR) carrying “financial documents,” and once inside your network, it quietly harvests data, pulls plugins, steals browser credentials, and can deliver secondary payloads like AsyncRAT. Activity has been observed through August 12, 2025.
Let’s unpack what’s happening, why it works, and what you should do before the next ping lands in your team’s DM.
What Is GodRAT? A Modern RAT Built on Old, Battle-Tested Code
GodRAT is a remote access trojan with a plugin-based architecture. It’s assessed to be based on Gh0st RAT—one of the most prolific RAT codebases ever, leaked publicly in 2008 and adopted by multiple Chinese-linked groups. According to fresh analysis, GodRAT likely evolved from a Gh0st-based backdoor known as AwesomePuppet (documented in 2023) and may be linked to the Winnti/APT41 threat cluster.
Why it matters:
- Old codebases persist because they work. Attackers know EDR blind spots and how to blend into normal system behavior.
- Plugin architecture means modular power. GodRAT can fetch new capabilities on demand—file management, credential theft, secondary trojans—without changing the core implant.
For background on these techniques and families, see:
- MITRE ATT&CK: Steganography (T1027.003)
- MITRE ATT&CK: DLL Search Order Hijacking / Side-Loading (T1574.002)
- Overview of Gh0st RAT’s history by industry research: Gh0st RAT (Wikipedia)
The GodRAT Attack Chain, Step by Step
Think of GodRAT like a nested doll of deception. Each layer hides the next.
- Initial Lure via Skype Messenger
  - Attackers send malicious .SCR files disguised as financial documents through Skype chats.
  - Target: trading desks, investment analysts, back-office ops—anyone likely to open “urgent” financial attachments.
  - ATT&CK mapping: User Execution (T1204), Phishing/Content Delivery (T1566).
- Self-Extracting Screen Saver
  - The .SCR file is a self-extracting executable bundling multiple components.
  - It drops a legitimate executable plus a malicious DLL designed for side-loading.
  - ATT&CK mapping: Signed Binary Proxy Execution (T1218), DLL Side-Loading (T1574.002).
- Steganography in Images
  - The malicious DLL extracts shellcode hidden inside a .JPG file.
  - That shellcode reaches out to a command-and-control (C2) server to fetch the GodRAT payload.
  - ATT&CK mapping: Steganography (T1027.003), Obfuscated/Compressed Files and Information (T1027).
- C2 and Tasking
  - GodRAT communicates over TCP.
  - It collects host details (system info, installed antivirus) and reports in.
  - The C2 responds with instructions, such as:
    - Inject a plugin DLL into memory
    - Download-and-execute a file via CreateProcessA
    - Open a URL (even via Internet Explorer shell commands)
    - Close sockets and terminate to evade detection
  - ATT&CK mapping: Exfiltration Over C2 Channel (T1041), Command and Control over Application Layer Protocols (T1071 variants) or custom TCP.
- Plugins and Secondary Payloads
  - A FileManager plugin can enumerate drives, list and manipulate files, open folders, and search for file patterns.
  - Additional payloads seen: password stealers for Chrome and Edge, and the AsyncRAT trojan.
  - This staged approach enables deeper persistence and lateral movement over time.
Here’s why that matters: even if you catch the initial beacon, plugins can morph GodRAT’s behavior, making signature-based detection difficult and incident response more complex.
For a deeper dive into these techniques in the wild, see Kaspersky’s research portal: Securelist.
Why Trading and Brokerage Firms Are in the Crosshairs
Financial institutions are especially attractive because:
- Data equals leverage: trade strategies, client lists, KYC files, and email archives all have resale or blackmail value.
- High transaction volumes and time pressure: traders act fast. Attackers exploit urgency to push “document” lures.
- Mixed tooling: chat platforms like Skype or Teams facilitate quick sharing—great for business, risky for security.
- Regional targeting: recent activity focuses on Hong Kong, UAE, Lebanon, Malaysia, and Jordan—hubs with active trading ecosystems and cross-border connectivity.
If your daily workflow involves attachments from counterparties and brokers, you’re squarely in the risk zone. Attackers know that.
Steganography, Explained Simply (And How to Defend Against It)
Steganography hides data inside other data. In this case, shellcode is concealed within a benign-looking JPG. To a casual observer—or an email gateway scanning for malware—it’s just a photo.
Defensive reality check:
- Traditional content filters might not flag images that carry encrypted payloads.
- It’s not enough to block “.exe”; the malicious behavior unfolds across multiple files and processes.
Practical steps:
- Inspect image files transferred via IM or email for unusual entropy or appended data segments (your EDR or sandbox should support this).
- Use sandboxing that inspects runtime behavior, not only file signatures.
- Monitor for processes that read image files and immediately allocate/execute memory (suspicious for business apps).
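One way to implement the “appended data segments / unusual entropy” check above, as an added example that is not code from the article or from any vendor’s tooling: it walks a JPEG’s marker segments to find the true end of the image and scores whatever follows. The trailer-after-EOI layout, the sample bytes and the thresholds are assumptions; shellcode hidden inside image segments rather than appended would need a different check.

```python
"""Heuristic check for data appended after a JPEG's End-Of-Image (EOI) marker.
Added example, not from the article: walk the marker segments to find where the
image really ends, then measure the entropy of the trailer. Samples are constructed.
"""
import math
from collections import Counter

RST = set(range(0xD0, 0xD8))  # restart markers, legal inside scan data


def jpeg_end_offset(data: bytes):
    """Offset just past EOI, or None if not a well-formed JPEG. Walking segments,
    rather than searching for FF D9, avoids stopping at an EXIF thumbnail's EOI
    or at an FF D9 byte pair that happens to occur inside the trailer."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI: image ends here
            return pos + 2
        if marker == 0xFF:                                  # fill byte
            pos += 1
        elif marker in RST or marker in (0x01, 0xD8):       # standalone markers
            pos += 2
        elif pos + 3 < len(data):                           # segment with a length field
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:                              # SOS: skip entropy-coded scan data
                while pos + 1 < len(data) and not (data[pos] == 0xFF and
                        data[pos + 1] != 0x00 and data[pos + 1] not in RST):
                    pos += 1
        else:
            return None
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def assess_jpeg(data: bytes, min_trailer: int = 64, entropy_threshold: float = 6.5) -> dict:
    """Flag a JPEG with a large, high-entropy trailer (both thresholds are assumptions)."""
    end = jpeg_end_offset(data)
    trailer = data[end:] if end is not None else b""
    ent = round(shannon_entropy(trailer), 2)
    return {"trailer_len": len(trailer), "trailer_entropy": ent,
            "suspicious": len(trailer) >= min_trailer and ent >= entropy_threshold}


# Constructed minimal JPEG: SOI, APP0 (JFIF), SOS with a stuffed FF 00 and an RST0, EOI.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9")
# Constructed stand-in for an encrypted blob appended after EOI (entropy 8.0 bits per byte).
STAGED_JPEG = CLEAN_JPEG + bytes((i * 73 + 41) % 256 for i in range(512))
```

A zero-filled or text trailer (some tools append metadata) scores low entropy and is not flagged, so the rule targets packed or encrypted payloads rather than any trailing bytes.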
Resources:
- MITRE ATT&CK: Steganography (T1027.003)
- CISA guidance on malware defense and secure collaboration tools: CISA Malware Threats
DLL Side-Loading and Legitimate Binaries: The “Trust Piggyback”
GodRAT abuses legitimate Windows binaries to load malicious code—classic “living off the land.”
Observed behavior includes:
- Dropping a legitimate executable and a malicious DLL into the same directory so the app “trusts” and loads the attacker’s DLL first.
- Injecting into or misusing common binaries, including:
  - svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe
  - Third-party binaries like QQMusic.exe and QQScLauncher.exe in some build options
Why side-loading works:
- Security tools may whitelist trusted binaries.
- Analysts see a familiar process and look elsewhere.
Defensive moves:
- Baseline where legitimate system binaries are executed from. Flag executions from non-standard paths (e.g., user temp folders).
- Block or restrict execution of .SCR, .PIF, and .COM in enterprise contexts—these formats are rarely needed in modern workflows.
- Apply application control (AppLocker, Windows Defender Application Control) and publisher rules to prevent unknown DLLs from loading.
- Monitor for unusual command-line chains like:
  - legitimate.exe -> loads unknown DLL -> immediate network connection
  - wscript/cscript executing from user-writable directories
Microsoft guidance on DLL search order hijacking: Microsoft Learn: Dynamic-Link Library Security
What GodRAT Can Do Once It’s In
GodRAT’s core capabilities are consistent with a mature RAT:
- System reconnaissance: Gather OS details, user info, AV presence.
- File management: Enumerate drives, list directories, search for filenames, read/write/delete.
- Plugin execution in memory: Load feature modules without touching disk.
- Payload delivery: Download and run additional malware (e.g., AsyncRAT) with CreateProcessA.
- Browser credential theft: Pull saved logins from Chrome and Edge via delivered stealers.
- C2 control over TCP: Maintain persistence, receive tasks, exfiltrate data.
The net effect: hands-on-keyboard control for data theft, staging, and potentially disruptive actions. In a trading environment, that can extend to financial manipulation, fraud, or extortion.
For general visibility into commodity RATs and their behaviors, see: MITRE ATT&CK: Remote Services and RAT Patterns
Mapping GodRAT to MITRE ATT&CK (High-Level)
- Initial Access: Phishing/Instant Messaging Attachments (T1566), User Execution (T1204)
- Execution: DLL Side-Loading (T1574.002), Scripting (T1059 variants), CreateProcess API usage
- Defense Evasion: Steganography (T1027.003), Signed Binary Proxy Execution (T1218)
- Discovery: Security Software Discovery (T1518.001)
- Credential Access: Credential from Web Browsers (T1555.003)
- Command and Control: Application Layer or Custom Protocol over TCP (T1071 variants / custom C2)
- Exfiltration: Exfiltration Over C2 Channel (T1041)
Explore ATT&CK technique details here: MITRE ATT&CK
Detection Strategies That Actually Work
Let’s move from theory to practical detection. Focus on behaviors, not just file hashes.
- Harden Channels and Formats
  - Block or quarantine .SCR, .PIF, and .COM at email and IM gateways.
  - Disable auto-downloads in Skype or other collaboration tools.
  - Enforce file-type controls that detect disguised extensions (e.g., “invoice.pdf.scr”).
- Hunt for Side-Loading Patterns
  - Alerts for known binaries executed from user-writable paths (Desktop, Downloads, AppData, Temp).
  - Watch for DLL loads from the executable’s working directory when that directory is not a signed program folder.
- Memory and Image Anomalies
  - EDR rules for processes:
    - Reading image files immediately followed by memory allocation and execution.
    - Spawning from non-standard parent-child relationships (e.g., wscript -> curl -> unknown EXE).
- Network Indicators
  - Unusual outbound TCP sessions to rare IPs shortly after opening a “document” or image.
  - Small beacon-like traffic with consistent intervals, followed by burst transfers when tasks arrive.
- Browser Credential Access
  - Monitor read events on browser credential stores outside normal browser lifecycles.
  - Alert when non-browser processes access Chrome/Edge profile paths.
- Sandbox Analysis
  - Detonate suspicious attachments and images in a sandbox capable of instrumentation across processes (look for CreateProcessA usage and file system enumeration artifacts).
  - Flag execution chains that start with .SCR files.
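The side-loading defensive moves from the previous section and the detection list above, encoded as rules over process-creation and file-read events, as an added example that is not the article’s or any vendor’s code. The event shape, paths and file names are constructed for illustration; in practice the records would come from your EDR’s process and file telemetry.

```python
"""Behavior rules over constructed endpoint telemetry (process and file-read events).
Added example, not from the article: it encodes the hunts listed above. Event
records, paths and names are constructed for illustration, not campaign IoCs.
"""
import re
from dataclasses import dataclass

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\|\\temp\\", re.I)
CRED_STORE = re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\.*\\login data$", re.I)
SYSTEM_BINARIES = {"svchost.exe", "cmd.exe", "cscript.exe", "wscript.exe", "curl.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}


@dataclass
class Event:
    kind: str          # "process" (creation) or "file_read"
    image: str         # full path of the acting process
    parent: str = ""   # parent process path (process events)
    target: str = ""   # file path read (file_read events)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule_name, detail) hits in event order; one event can trip several rules."""
    hits = []
    for ev in events:
        name, parent = basename(ev.image), basename(ev.parent)
        if ev.kind == "process":
            if name.endswith(".scr"):                           # screen saver opened as a "document"
                hits.append(("scr_execution", ev.image))
            if parent.endswith(".scr"):                         # execution chain that starts at an .SCR
                hits.append(("child_of_scr", f"{ev.parent} -> {ev.image}"))
            if name in SYSTEM_BINARIES and USER_WRITABLE.search(ev.image):
                hits.append(("system_binary_from_user_path", ev.image))
            if parent in SCRIPT_HOSTS and name == "curl.exe":    # wscript/cscript -> curl
                hits.append(("script_host_spawns_curl", f"{ev.parent} -> {ev.image}"))
        elif ev.kind == "file_read" and name not in BROWSERS and CRED_STORE.search(ev.target):
            hits.append(("non_browser_credential_store_read", f"{ev.image} -> {ev.target}"))
    return hits


SCR = r"C:\Users\alice\Downloads\Q3_statement.pdf.scr"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [  # constructed telemetry, in time order
    Event("process", SCR, parent=r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", parent=SCR),
    Event("process", r"C:\Windows\System32\wscript.exe", parent=SCR),
    Event("process", r"C:\Windows\System32\curl.exe", parent=r"C:\Windows\System32\wscript.exe"),
    Event("file_read", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", target=LOGIN_DATA),
    Event("file_read", r"C:\Program Files\Google\Chrome\Application\chrome.exe", target=LOGIN_DATA),
    Event("process", r"C:\Windows\System32\svchost.exe", parent=r"C:\Windows\System32\services.exe"),
]
```

The last two sample events (the real browser reading its own store, and svchost.exe started from System32 by services.exe) produce no hits, which is the baseline the rules are tuned against.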
For more on malware detection best practices, review CISA’s guidance: CISA Malware Analysis Reports and VirusTotal for sample intelligence: VirusTotal.
Prevention for Financial Firms: Policy, People, and Platform
This campaign succeeds by exploiting normal business behavior. Your prevention program needs to match that reality.
- Policy
- Prohibit executable file types in chat platforms and email. Enforce with DLP and CASB controls.
- Require sanctioned file-sharing portals for external documents with automatic malware scanning.
- Enforce least privilege and restrict write/execute permissions in user directories.
- People
- Run targeted training for traders and operations teams. Use realistic simulations with “financial document” lures.
- Teach staff to verify senders via a second channel (phone, internal IM) before opening urgent attachments.
- Publish a simple, one-step reporting process for suspicious files in chat.
- Platform
- Implement application control (WDAC/AppLocker) with strict rules on unsigned DLL loading.
- Use EDR with behavior analytics triggered by image steganography patterns and side-loading.
- Segment high-risk tools (e.g., messaging apps) from trading systems via network micro-segmentation.
- Turn on AMSI and script block logging; forward to your SIEM for correlation.
Microsoft enterprise hardening guidance: Microsoft Security Baselines
Rapid Response Playbook (If You Suspect GodRAT)
If you see signs of suspicious .SCR activity or side-loading, move quickly and surgically.
- Isolate
  - Quarantine the endpoints with the suspected .SCR execution.
  - Block observed outbound TCP destinations at the firewall.
- Verify and Scope
  - Pull EDR timelines: parent process, child process, DLL loads, image file access, CreateProcessA calls.
  - Look for browser credential access and unusual file enumeration.
- Contain
  - Kill suspicious processes; revoke tokens/sessions.
  - Invalidate cached credentials; rotate passwords and enforce MFA resets for affected users.
- Eradicate
  - Remove malicious DLLs and any dropped payloads.
  - Reimage systems that show memory-only plugin activity (to avoid missed artifacts).
- Recover
  - Restore from known-good backups.
  - Re-enable network access gradually with heightened monitoring.
- Report and Improve
  - If you operate in regulated markets, align with incident reporting obligations (e.g., SEC/FINRA, SFC Hong Kong, MAS Singapore, local regulators).
  - Update detection rules, gateway blocks, and user training scenarios based on learned TTPs.
CISA’s incident response resources: CISA Incident Response Playbooks
The Bigger Picture: Old Code, New Tricks, Same Mission
GodRAT is a reminder that in cybercrime, “legacy” doesn’t mean “harmless.” Gh0st RAT-era implants are still effective when paired with modern delivery and evasion techniques like steganography and DLL side-loading. Attackers are pragmatic. They use what works and wrap it in today’s lures and tooling.
For security teams in finance, the takeaways are clear:
- Control your collaboration channels. IM is a favored on-ramp.
- Shift left on prevention (file-type bans, app control) and right-size detection to behaviors, not signatures.
- Assume modularity. If you found one plugin, there may be more.
Quick Checklist for Security Teams
- Block .SCR, .PIF, .COM at email/IM gateways.
- Restrict execution of unsigned code from user paths.
- Monitor image file access followed by memory execution.
- Hunt for DLL side-loading using non-standard directories.
- Watch for CreateProcessA spawning unknown binaries post-attachment open.
- Alert on credential store access by non-browser processes.
- Educate traders/ops on IM-based document lures.
- Prepare a two-hour containment drill for RAT infections.
FAQs
Q: What is GodRAT? A: GodRAT is a plugin-based remote access trojan targeting financial institutions. It’s built on code associated with Gh0st RAT and can download plugins, manage files, steal browser credentials, and deploy additional malware like AsyncRAT.
Q: How does GodRAT infect systems? A: The campaign sends .SCR files disguised as financial documents via Skype. The screen saver acts as a self-extracting archive, side-loads a malicious DLL, extracts shellcode hidden in a JPG (steganography), and then downloads the main payload from a C2 server.
Q: Why is steganography effective in malware? A: It hides code inside normal-looking files like images, making it harder for traditional scanners to detect. Defenders need behavioral detection and sandboxing to catch the execution patterns.
Q: Is this linked to Gh0st RAT or APT41 (Winnti)? A: GodRAT reuses Gh0st RAT code and likely evolved from AwesomePuppet, a Gh0st-based backdoor. Research suggests ties to the Winnti/APT41 ecosystem, known for using modular implants.
Q: Which regions are being targeted? A: Observed targeting includes Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan, with activity noted through August 12, 2025.
Q: Can standard antivirus stop GodRAT? A: It depends. Some detections will trigger, but the campaign’s use of steganography, DLL side-loading, and legitimate binaries helps it evade basic defenses. EDR with behavior analytics and application control significantly improves detection.
Q: How can we block these attacks at the source? A: Start by blocking executable file types (.SCR, .PIF, .COM) over email and IM. Use CASB/DLP to enforce safe-sharing channels, and apply application control to prevent unsigned DLL loading. Train users to verify “urgent” document shares.
Q: Does Skype itself have a vulnerability here? A: This is not about a Skype vulnerability. Attackers are using Skype as a delivery channel because it’s trusted and convenient. The risk is social engineering and permissive file policies.
Q: What should we look for in our logs? A: Flags include .SCR execution, legitimate binaries running from user directories, unknown DLL loads, image file reads followed by memory execution, CreateProcessA spawns, and non-browser access to browser credential stores.
For more on the techniques referenced, explore MITRE’s knowledge base: MITRE ATT&CK.
Final Takeaway
GodRAT proves that classic RAT code, wrapped in modern stealth like steganography and DLL side-loading, still pierces financial defenses—especially when business chat apps are open to executable attachments. If you secure trading or brokerage environments, tighten file policies on collaboration tools, enable behavior-based EDR detections, and practice a rapid containment playbook now. The cost of clicking “Open” on the wrong “statement” or “invoice” can be steep.