Godot Engine: New Tool in Mass Hacking Arsenal

Hackers Exploit Godot Game Engine to Spread Malware
Hackers have utilized a new malicious tool called Godloader, based on the Godot game engine, to bypass antivirus systems and infect computers belonging to gamers and developers. Within a span of three months, the attackers successfully compromised over 17,000 devices, as detailed in a report by Check Point researchers. Godot is a robust open-source game engine renowned for its cross-platform functionality and support for 2D and 3D graphics. Its flexibility, intuitive interface, and lack of licensing fees have made it a popular choice among independent developers and small studios. Godloader targets devices operating on Windows, MacOS, Linux, Android, and iOS by leveraging the capabilities of Godot and its GDSCRIPT language to execute malicious code. This code is embedded within files in the “.pck” format, typically used for game resources, enabling the attackers to bypass security measures. Upon execution, these files trigger malicious commands, granting the attackers access to victim data. Compromised accounts are used to download additional malware, such as the XMRIG miner, with its configuration shared over 200,000 times on Pastebin. Both developers and gamers who downloaded infected programs fell victim to these attacks, which were carried out in four waves spanning from September 12 to October 3, 2024. The distribution of Godloader was facilitated through the Stargazers Ghost Network, a Distribution-as-a-Service (DAAS) platform that disguises itself within legitimate Github repositories. More than 200 repositories were used for the attacks, created using 225 fictitious accounts within the larger network of over 3,000 fake GitHub accounts. In response, Godot developers clarified that the vulnerability is not inherent to the game engine itself. They likened Godot to Python or Ruby, stating that like these programming languages, Godot can be used for both legitimate and malicious purposes. Users can protect themselves by refraining from launching third-party files. This incident underscores how even benevolent tools can be manipulated into weapons against their intended users. It serves as a reminder of the importance of thoroughly vetting all downloaded content, regardless of the platform of distribution.

Hackers Exploit Godot Game Engine to Spread Malware

Hackers have utilized a new malicious tool called Godloader, based on the Godot game engine, to bypass antivirus systems and infect computers belonging to gamers and developers. Within a span of three months, the attackers successfully compromised over 17,000 devices, as detailed in a report by Check Point researchers.

Godot is a robust open-source game engine renowned for its cross-platform functionality and support for 2D and 3D graphics. Its flexibility, intuitive interface, and lack of licensing fees have made it a popular choice among independent developers and small studios.

Godloader targets devices operating on Windows, MacOS, Linux, Android, and iOS by leveraging the capabilities of Godot and its GDSCRIPT language to execute malicious code. This code is embedded within files in the “.pck” format, typically used for game resources, enabling the attackers to bypass security measures.

Upon execution, these files trigger malicious commands, granting the attackers access to victim data. Compromised accounts are used to download additional malware, such as the XMRIG miner, with its configuration shared over 200,000 times on Pastebin.

Both developers and gamers who downloaded infected programs fell victim to these attacks, which were carried out in four waves spanning from September 12 to October 3, 2024.

The distribution of Godloader was facilitated through the Stargazers Ghost Network, a Distribution-as-a-Service (DAAS) platform that disguises itself within legitimate Github repositories. More than 200 repositories were used for the attacks, created using 225 fictitious accounts within the larger network of over 3,000 fake GitHub accounts.

In response, Godot developers clarified that the vulnerability is not inherent to the game engine itself. They likened Godot to Python or Ruby, stating that like these programming languages, Godot can be used for both legitimate and malicious purposes. Users can protect themselves by refraining from launching third-party files.

This incident underscores how even benevolent tools can be manipulated into weapons against their intended users. It serves as a reminder of the importance of thoroughly vetting all downloaded content, regardless of the platform of distribution.

/Reports, release notes, official announcements.