Attackers use Godot Engine to execute crafted GDScript code to deliver malware.
More than 17,000 gaming systems may have been breached in attacks involving the new GodLoader malware.
According Check Point, since at least June 29, 2024, “cyber-criminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware.”
Undetected by most anti-virus tools on VirusTotal, it is possible that more than 17,000 machines have been infected in just a few months.
Intrusions commenced with the utilization of the
Stargazers Ghost Network malware distribution-as-a-service to distribute a malicious archive that unpacked GodLoader, which proceeded to execute GDScript code to deploy the XMRig cryptocurrency miner and other malicious payloads.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
