Financial institutions such as trading and brokerage companies are the target of a new campaign delivering a previously undocumented remote access trojan called GodRAT.
According to Kaspersky, the malicious activity involves the “distribution of malicious .SCR (screensaver) files disguised as financial documents via Skype Messenger.”
The campaign, still active as of August 12, 2025, employs steganography to conceal within an image file the shellcode that downloads the malware from a command-and-control (C2) server. Screensaver artifacts have been observed since September 9, 2024, targeting countries and territories including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan.
GodRAT is assessed to be based on Gh0st RAT and follows a plugin-based approach that extends its functionality to harvest sensitive information and deliver secondary payloads such as AsyncRAT. It is worth noting that the Gh0st RAT source code was publicly leaked in 2008 and has since been adopted by various Chinese hacking groups.
The Russian cybersecurity company said the malware is an evolution of another Gh0st RAT-based backdoor known as AwesomePuppet, first documented in 2023 and considered to be the handiwork of the prolific Chinese threat actor Winnti (aka APT41).
The screensaver files act as self-extracting executables that embed several files, including a legitimate executable and a malicious DLL that the legitimate executable loads (DLL side-loading). The DLL extracts the shellcode hidden within a .jpg image file, paving the way for GodRAT to run.
The trojan establishes communication with the C2 server over TCP, gathers system information, and enumerates the antivirus software installed on the host. The collected details are sent to the C2 server, which then responds with follow-up commands that instruct the implant to –
- Inject the received plugin DLL into memory
- Close the socket and exit the rat process
- Download a file from the provided URL and launch it using the CreateProcessA API
- Open a specific URL via a shell command that launches Internet Explorer
One plugin downloaded by the malware is a FileManager DLL that allows the operator to enumerate file systems, perform file operations, open folders, and search for files in specified locations. This plugin is also used to deliver additional payloads, such as password stealers for the Google Chrome and Microsoft Edge browsers and the AsyncRAT trojan.
Kaspersky said it also discovered the complete source code for the GodRAT client and builder, which was uploaded to the VirusTotal online malware scanner in late July 2024. The builder can be used to generate either an executable or a DLL.
When the executable option is selected, the user chooses from a list of legitimate binaries into which the malicious code is injected: svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, qqmusic.exe, and qqsclauncher.exe. The final payload can be saved in one of the following file types: .exe, .com, .bat, .scr, and .pif.
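As an added illustration (this is not code from Kaspersky's report or from the GodRAT builder), the following Python scanner hunts for the two file-level artifacts the article describes: PE executables hiding behind the builder's non-.exe output extensions (.scr, .pif, .com, .bat), and JPEG files carrying data appended after the End-Of-Image marker. It assumes the hidden shellcode is appended after the JPEG EOI marker, which is one common steganographic carrier; the page does not state how GodRAT embeds its shellcode. All file names, headers, and payload bytes below are constructed for the demo and are not indicators from the report.

```python
"""Hunt for masquerading executables and JPEGs with data appended after EOI.

Assumption: the steganographic carrier is data appended after the JPEG
End-Of-Image marker (one common scheme; GodRAT's actual method is not
described on the page).
"""
import struct
import tempfile
from pathlib import Path

# Builder output extensions that Windows will still run as a program.
EXEC_EXTENSIONS = {".scr", ".pif", ".com", ".bat"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def jpeg_end_offset(data: bytes):
    """Walk the JPEG marker segments and return the offset just past the EOI marker.

    Returns None if the bytes are not a well-formed JPEG.  Walking the segments,
    rather than searching for the last FF D9, means an FF D9 inside appended
    data cannot hide the payload.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                 # EOI: end of the picture
            return pos + 2
        if marker == 0xFF:                                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:       # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        (seg_len,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + seg_len
        if marker == 0xDA:                                 # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                                  # a real marker (EOI, next SOS, ...)
                pos += 1
    return None


def jpeg_trailing_bytes(data: bytes) -> int:
    """Bytes appended after the picture proper (0 for a clean image or a non-JPEG)."""
    end = jpeg_end_offset(data)
    return 0 if end is None else len(data) - end


def scan_dir(root) -> list:
    """Return sorted (filename, reason) pairs for suspicious files under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        ext = path.suffix.lower()
        if ext in EXEC_EXTENSIONS and is_pe(data):
            findings.append((path.name, f"PE executable with {ext} extension"))
        elif ext in IMAGE_EXTENSIONS:
            extra = jpeg_trailing_bytes(data)
            if extra:
                findings.append((path.name, f"{extra} bytes appended after JPEG EOI"))
    return findings


def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG byte stream for the demo (valid structure, not a real picture)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"  # entropy data with byte stuffing and an RST marker
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI + payload


def build_sample_pe() -> bytes:
    """Constructed bare MZ/PE header, enough for is_pe() (not a runnable program)."""
    return b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16


# Stand-in for hidden shellcode; it deliberately contains FF D9 to defeat a naive rfind().
FAKE_PAYLOAD = b"\xcc" * 4 + b"\xff\xd9" + b"fake-shellcode"


def build_demo_dir() -> str:
    """Write constructed sample files (names invented for the demo, not indicators from the report)."""
    root = tempfile.mkdtemp(prefix="godrat_hunt_")
    (Path(root) / "Q3_statement.pdf.scr").write_bytes(build_sample_pe())
    (Path(root) / "chart.jpg").write_bytes(build_sample_jpeg(FAKE_PAYLOAD))
    (Path(root) / "logo.jpg").write_bytes(build_sample_jpeg())
    (Path(root) / "readme.txt").write_bytes(b"nothing to see here\n")
    return root


def run_demo() -> list:
    return scan_dir(build_demo_dir())


if __name__ == "__main__":
    for name, reason in run_demo():
        print(f"{name}: {reason}")
```

Point `scan_dir()` at a share or mailbox export to triage files; the JPEG walker matters because a payload that happens to contain the FF D9 byte pair would slip past a check that only searches for the last EOI marker.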
“Older implant codebases such as Gh0st RAT from nearly 20 years ago continue to be used today,” Kaspersky says. “These are often customized and rebuilt to target a wide range of victims.”
“These older implants are known to have been used for a long time by a variety of threat actors, and the GodRAT findings show that legacy codebases like Gh0st RAT can still maintain long lifespans in the cybersecurity landscape.”