Kaspersky researchers have identified a new remote access trojan (RAT) dubbed GodRAT, which has been targeting financial institutions and small-to-medium-sized businesses across the UAE, Hong Kong, Jordan, and Lebanon. The malware was initially spread through Skype messenger in the form of malicious screensaver files disguised as financial documents. Although this delivery method was used until March 2025, attackers have since shifted to alternative distribution channels.
According to Kaspersky’s Global Research and Analysis Team, GodRAT first surfaced in mid-2024, when its source code and builder were discovered in an archive uploaded to a public online scanner. The builder allows attackers to generate both executable and DLL payloads, masking them under legitimate process names such as svchost.exe or cmd.exe. The files can be compiled in various formats—including .exe, .com, .bat, .scr, and .pif—making them versatile for different attack scenarios.
To avoid detection, the attackers employed steganography, concealing shellcode inside images of financial data. Once executed, the hidden code retrieves GodRAT from a command-and-control server and establishes a TCP connection. The RAT then gathers system information, such as the operating system version, process details, installed antivirus software, and user account information, and reports it back to its operators.
GodRAT is capable of running additional plugins. In observed intrusions, attackers used its FileManager plugin to navigate victim systems and installed password stealers to harvest credentials from Chrome and Microsoft Edge browsers. In some cases, they deployed AsyncRAT as a secondary implant to ensure persistent access.
Kaspersky researchers believe GodRAT is an evolution of AwesomePuppet, a RAT reported in 2023 and linked to the Winnti advanced persistent threat (APT) group. Code similarities, shared artifacts, and rare command-line parameters also tie GodRAT to the long-standing Gh0st RAT, first seen nearly two decades ago. Despite its age, Gh0st RAT’s codebase continues to be adapted and reused, underscoring how legacy malware families remain relevant when retooled for modern attacks.
For organizations and individuals, the discovery of GodRAT highlights the importance of basic security hygiene: keeping operating systems, browsers, and antivirus tools updated; enabling file extension visibility in Windows to spot suspicious files; and being cautious with unexpected attachments, especially those using extensions like .exe, .scr, or .vbs.
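The extension check recommended above can also be applied automatically to attachment or download names. The following is an added example, not code from Kaspersky or from this article; the function names, the `DECOY_EXTS` list and the sample file names are assumptions constructed for illustration.

```python
from __future__ import annotations
import re

# Extensions named in this article: the builder's output formats plus .vbs
# from the hygiene advice.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs"}
# Assumption: document and image types a "financial document" lure would imitate.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv", ".jpg", ".png"}


def effective_name(filename: str) -> str:
    """Drop any directory part, then the trailing dots/spaces Windows ignores."""
    base = re.split(r"[\\/]", filename)[-1]
    return base.rstrip(". ").lower()


def triage_attachment(filename: str) -> list[str]:
    """Return the reasons a file name deserves a second look (empty = none)."""
    parts = effective_name(filename).split(".")
    if len(parts) < 2:
        return []  # no extension at all
    final_ext = "." + parts[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return []
    reasons = [f"executable extension {final_ext}"]
    # "report.pdf.scr" is displayed as "report.pdf" while Explorer hides
    # known extensions, which is why the article advises showing them.
    inner_ext = "." + parts[-2].strip()
    if len(parts) >= 3 and inner_ext in DECOY_EXTS:
        reasons.append(f"decoy extension {inner_ext} before {final_ext}")
    return reasons


def flag_suspicious(filenames: list[str]) -> dict[str, list[str]]:
    """Map each flagged name to its reasons; clean names are left out."""
    return {f: r for f in filenames if (r := triage_attachment(f))}


# Constructed sample names, not indicators from the GodRAT campaign.
SAMPLE_NAMES = [
    "Q1_statement.xlsx.scr",
    "invoice.pdf",
    "C:\\Users\\a\\Downloads\\payroll.PIF. ",
    "notes.v1.txt",
]

if __name__ == "__main__":
    for name, why in flag_suspicious(SAMPLE_NAMES).items():
        print(f"{name!r}: {'; '.join(why)}")
```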
While GodRAT demonstrates how attackers recycle old malware foundations into new threats, its appearance also shows that many organizations still lack defenses against familiar techniques. For businesses, investing in modern endpoint detection and response (EDR) or extended detection and response (XDR) solutions remains a critical step to guard against evolving RAT campaigns.