A new cyber-attack technique leveraging the Godot Gaming Engine to execute undetectable malware has been reported by Check Point Research.
Using maliciously crafted GDScript code, threat actors deployed malware via “GodLoader,” bypassing most antivirus detections and infecting over 17,000 devices since June 2024.
In a statement, the Godot security team said, “Based on the report, affected users thought they were downloading and executing cracks for paid software, but instead executed the malware loader.”
The Godot Engine, widely known for creating 2D and 3D games, is recognized for its versatility and cross-platform capabilities. It allows game developers to bundle assets and executable scripts into .pck files. Threat actors exploited this functionality by embedding malicious GDScript code in these files, enabling malware execution when loaded.
The distribution of GodLoader occurred through the Stargazers Ghost Network, a malware-as-a-service platform. Between September and October 2024, 200 GitHub repositories were used to deliver infected files, targeting gamers, developers and general users.
The repositories mimicked legitimate software repositories, using GitHub Actions to appear frequently updated and so gain credibility.
How the Attack Works
According to a new advisory published by Check Point Research (CPR) on Wednesday, these are the highlights of the new technique:
- Malicious .pck files: Threat actors inject harmful scripts into Godot’s .pck files, exploiting its scripting capabilities
- Cross-platform potential: While initially targeting Windows, GodLoader’s design facilitates its use on Linux and macOS with minimal adjustments
- Evasion tactics: The malware employs sandbox and virtual machine detection, as well as Microsoft Defender exclusions, to avoid analysis and detection
Notably, the GodLoader payloads were hosted on Bitbucket.org and distributed across four attack waves.
Each campaign involved malicious archives downloaded thousands of times. Initial payloads included RedLine Stealer and XMRig cryptocurrency miners, with threat actors continuously evolving their tactics for greater evasion.
Godot’s security team said that the engine does not register a file handler for .pck files. This means that a malicious actor always has to ship the Godot runtime (the .exe) together with a .pck file.
There is no way for a malicious actor to create a “one-click exploit”, barring other OS-level vulnerabilities.
Potential Risks and Mitigation Strategies
CPR experts warned of a possible next phase involving the infection of legitimate Godot-developed games.
By replacing original .pck files or sections within executables, attackers could target a vast player base. While not yet observed, this scenario underscores the need for robust encryption and asymmetric key methods to secure game data.
To reduce risks, developers should also ensure software and systems are up to date, exercise caution with unfamiliar repositories and downloads, and increase cybersecurity awareness within organizations.
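The two defensive points above, that a .pck only runs when a Godot runtime ships beside it and that shipped .pck files should be protected against replacement, can be turned into checks. The following is an added example written for this article, not code from Check Point Research or the Godot project: a launcher-side gate that refuses to load a .pck whose SHA-256 does not match the digest pinned at build time, plus a triage heuristic that reports executable-plus-.pck pairings in a downloaded archive. The sample .pck bytes, the manifest and the file listing are constructed; the 4-byte "GDPC" marker is the magic that opens a Godot PCK header.

```python
"""Verify-before-load gate for Godot .pck files (added example).

Not code from Check Point Research or the Godot project. The sample
.pck bytes, pinned manifest and archive listing below are constructed;
PCK_MAGIC is the 4-byte marker that opens a Godot PCK header.
"""
import hashlib
import hmac
from pathlib import PurePath

PCK_MAGIC = b"GDPC"
# Heuristic only: suffixes Godot export templates commonly use for the runtime.
EXECUTABLE_SUFFIXES = {".exe", ".x86_64"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(shipped: dict[str, bytes]) -> dict[str, str]:
    """Developer side: pin the digest of every .pck in the release build.
    In a real deployment this manifest is itself signed (e.g. Ed25519) so a
    swapped .pck cannot simply come with a swapped manifest."""
    return {name: sha256_hex(data) for name, data in shipped.items()}


def verify_pck(name: str, data: bytes, manifest: dict[str, str]) -> tuple[bool, str]:
    """Launcher side: load a .pck only if it is the one that was shipped."""
    if not data.startswith(PCK_MAGIC):
        return False, "not a Godot PCK (bad magic)"
    expected = manifest.get(name)
    if expected is None:
        return False, "no pinned digest for this file"
    # Constant-time compare avoids leaking how many leading hex chars matched.
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, "digest mismatch: file was replaced or modified"
    return True, "ok"


def flag_runtime_with_pck(listing: list[str]) -> list[tuple[str, str]]:
    """Triage heuristic for an archive listing: a .pck cannot run on its own,
    so report every directory that ships a runtime executable next to one."""
    by_dir: dict[str, dict[str, list[str]]] = {}
    for path in listing:
        p = PurePath(path)
        bucket = by_dir.setdefault(str(p.parent), {"exe": [], "pck": []})
        suffix = p.suffix.lower()
        if suffix == ".pck":
            bucket["pck"].append(path)
        elif suffix in EXECUTABLE_SUFFIXES:
            bucket["exe"].append(path)
    pairs: list[tuple[str, str]] = []
    for bucket in by_dir.values():
        for exe in bucket["exe"]:
            for pck in bucket["pck"]:
                pairs.append((exe, pck))
    return pairs


# Constructed samples: a "shipped" pack, a modified copy, and a non-PCK blob.
GOOD_PCK = PCK_MAGIC + b"\x02\x00\x00\x00" + b"constructed-release-assets"
TAMPERED_PCK = GOOD_PCK[:-5] + b"XXXXX"
NOT_PCK = b"MZ" + b"\x90" * 30
MANIFEST = build_manifest({"game.pck": GOOD_PCK})

if __name__ == "__main__":
    for label, blob in (("shipped", GOOD_PCK), ("tampered", TAMPERED_PCK), ("not a pck", NOT_PCK)):
        print(f"{label:>10}: {verify_pck('game.pck', blob, MANIFEST)}")
    # Constructed listing of a download that bundles a runtime with a .pck.
    print(flag_runtime_with_pck(["crack/setup.exe", "crack/game.pck", "readme.txt"]))
```

The digest pin defends against the scenario the advisory describes (a shipped .pck swapped for a modified one); the magic check is only a sanity filter, since the marker is trivial to keep intact, and the pairing heuristic is for triaging downloads, not for blocking legitimate Godot games, which ship the same way.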
In a statement, the Godot security team said, “Users who merely have a Godot game or editor installed on their system are not specifically at risk. We encourage people to only execute software from trusted sources – whether it’s written using Godot or any other programming system.”
They added, “We thank Check Point Research for following the security guidelines of responsible disclosure, which let us confirm that this attack vector, while unfortunate, is not specific to Godot and does not expose a vulnerability in the engine or for its users.”