• Criminals found using Skype to deliver images hiding malware
• Victims were mostly SMBs in the Middle East
• The malware is new, but seems to have distant relatives

Cybercriminals have been found using Skype messenger to deliver Remote Access Trojan (RAT) malware, compromising victims’ computers and opening the door to devastating stage-two attacks.

Cybersecurity researchers at Kaspersky recently uncovered a previously unseen malware variant called GodRAT being distributed via malicious screensaver files, disguised as financial documents.

Unusually, the miscreants were delivering the malware to their victims via Skype messenger until March 2025, when they pivoted to other channels.
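The delivery trick described above, screensaver (.scr) files named like financial documents, can be flagged when a file arrives through a messenger or mail gateway. The triage function below is an added example, not code from Kaspersky or from the original article; the function name, the extension sets and the keyword list are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows launches as programs; .scr is the one named in the article.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
# Extensions a recipient expects for a financial document or an image.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png"}
# Constructed keyword list (an assumption, not taken from the report).
FINANCE_WORDS = re.compile(
    r"invoice|statement|payment|finance|financial|account|report", re.I
)


def triage_attachment(filename: str, head: bytes) -> list[str]:
    """Return the reasons a received file looks like a disguised screensaver.

    filename: the name as shown to the recipient.
    head:     the first bytes of the file content (two are enough).
    """
    reasons = []
    path = PureWindowsPath(filename.strip())
    suffixes = [s.lower() for s in path.suffixes]
    final_ext = suffixes[-1] if suffixes else ""
    is_pe = head[:2] == b"MZ"  # DOS/PE executable magic

    if final_ext == ".scr":
        reasons.append("screensaver extension (.scr runs as a program)")
    if (final_ext in EXECUTABLE_EXTS and len(suffixes) >= 2
            and suffixes[-2] in DECOY_EXTS):
        reasons.append(f"double extension {suffixes[-2]}{final_ext}")
    if final_ext in EXECUTABLE_EXTS and FINANCE_WORDS.search(path.stem):
        reasons.append("financial-document name on an executable")
    if is_pe and final_ext in DECOY_EXTS:
        reasons.append("PE header behind a document/image extension")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: (displayed name, first bytes of the file).
    samples = [
        ("2025 financial data.scr", b"MZ\x90\x00"),
        ("statement.xlsx.scr", b"MZ\x90\x00"),
        ("invoice.pdf", b"MZ\x90\x00"),
        ("holiday.jpg", b"\xff\xd8\xff\xe0"),
    ]
    for name, head in samples:
        print(f"{name!r}: {triage_attachment(name, head) or 'no findings'}")
```

An empty list means none of these naming or header checks fired; it says nothing about shellcode hidden inside a genuine image, which needs content inspection rather than filename triage.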

GodRAT malware being spread

First, the attackers would share fake financial data in an image file. Using steganography, they would hide shellcode in the file which, when activated, downloads the GodRAT malware from a third-party server.

The RAT harvests operating system details, local hostname, malware process name and process ID, the user account associated with the malware process, installed antivirus software, and the presence of a capture driver.

After that, GodRAT can receive additional plugins, depending on the initial information shared with the attackers. These plugins can be file explorers or password stealers.

In some cases, the crooks used GodRAT to deploy AsyncRAT, a secondary implant that granted them prolonged, if not permanent, access.

“GodRAT appears to be an evolution of AwesomePuppet, which was reported by Kaspersky in 2023 and is likely linked to the Winnti APT. Its distribution methods, rare command-line parameters, code similarities with Gh0st RAT, and shared artifacts – such as a distinctive fingerprint header – suggest a common origin,” said Saurabh Sharma, Security Researcher at Kaspersky GReAT.

“The discovery of GodRAT demonstrates how such long-known tools can remain relevant in today’s cybersecurity landscape,”

Kaspersky did not discuss the number of victims or the potential success rate of the campaign, but it did stress that the victims were mostly small and medium-sized businesses (SMBs) in the UAE, Hong Kong, Jordan, and Lebanon.

By admin