
New GodRAT: Utilizing Screen Savers and Program Files for Targeted Organizational Attacks

A sophisticated new Remote Access Trojan named GodRAT has emerged as a significant threat to financial institutions, utilising deceptive screen saver files and advanced steganographic techniques to infiltrate organisational networks. First detected in September 2024, this malware campaign has shown remarkable persistence, with the most recent attacks observed as recently as August 12, 2025, indicating an ongoing and evolving threat landscape. The threat actors behind GodRAT have employed a multi-faceted distribution strategy, primarily targeting trading and brokerage firms through Skype Messenger. Their approach involves disguising malicious .scr (screen saver) and .pif (Program Information File) files as legitimate financial documents, exploiting the trust inherent in business communications. Analysts from Securelist have identified GodRAT as an evolution of the previously documented AwesomePuppet RAT, both sharing the same underlying Gh0st RAT codebase foundation.

The geographic distribution of GodRAT has been particularly focused on regions such as Hong Kong, the United Arab Emirates, Jordan, Lebanon, and Malaysia, indicating a targeted approach toward specific financial markets. The attack timeline reveals a calculated escalation, beginning with initial detections in Hong Kong and expanding to multiple Middle Eastern territories. The threat actors have demonstrated operational flexibility by adapting their file naming conventions to match regional language preferences and business contexts, including Chinese and Indonesian language variants designed to blend seamlessly with local business communications. GodRAT’s most notable technical innovation lies in its sophisticated steganographic payload delivery system, which represents a significant advancement in malware distribution techniques. The malware employs a two-stage shellcode loader architecture, with the secondary loader extracting hidden shellcode from embedded image files that appear to contain legitimate financial data. 
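As an added, defender-side illustration (not code from the post above or from the Securelist analysis): the post says GodRAT's second-stage loader extracts shellcode hidden in image files, and one common way such carriers are built is by appending a blob after the image's terminal chunk. The constructed Python triage below walks a PNG's chunk list, measures whatever follows IEND and scores its entropy; the PNG-only scope, the sample files and the alerting thresholds are assumptions, and the post does not state which encoding GodRAT actually uses.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def bytes_after_iend(data: bytes):
    """Walk the PNG chunk list and return the bytes that follow the IEND chunk.
    Returns None if the data is not a PNG or IEND is never reached (truncated file)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):            # 4 length + 4 type + 4 CRC minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                  # header + payload + CRC
        if ctype == b"IEND":
            return data[pos:]
    return None

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; packed or encrypted shellcode trailers sit near 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def triage_image(data: bytes) -> dict:
    """Flag a PNG that carries a sizeable, high-entropy trailer after IEND.
    The 64-byte and 6.0-bit thresholds are assumptions, not values from the post."""
    trailer = bytes_after_iend(data)
    if trailer is None:
        return {"png": False, "trailer_len": 0, "entropy": 0.0, "suspicious": False}
    ent = shannon_entropy(trailer)
    return {"png": True, "trailer_len": len(trailer), "entropy": ent,
            "suspicious": len(trailer) > 64 and ent > 6.0}

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG, optionally with a blob appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")   # filter byte + one white pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer

if __name__ == "__main__":
    # Constructed stand-in for a hidden second stage: uniform bytes, so entropy is exactly 8.0.
    print(triage_image(build_sample_png()))
    print(triage_image(build_sample_png(bytes(range(256)) * 2)))
```

A real carrier can also hide data inside IDAT or ancillary chunks rather than after IEND, so a clean trailer is not proof that an image is benign.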

Categories: Malware Threats, Financial Sector Security, Steganography Techniques 

Tags: GodRAT, Remote Access Trojan, Financial Institutions, Steganographic Techniques, Malware Campaign, Trading Firms, Shellcode, Geographic Distribution, Operational Flexibility, Advanced Infection Mechanism 
