Cybercriminals have turned the widely used Godot Engine into a tool for delivering malware through a campaign dubbed “GodLoader.” Since June 2024, over 17,000 devices have been compromised using this strategy, researchers revealed.
Attackers exploit Godot’s scripting language, GDScript, to execute malicious commands and deploy malware. This tactic has gone undetected by nearly all antivirus solutions, highlighting the sophistication of the operation.
Godot, a popular open-source platform for developing 2D and 3D games, supports multiple systems, including Windows, macOS, Linux, Android, and game consoles like PlayStation and Xbox. Its versatility has made it an appealing tool for malicious actors to target users across various platforms.
A report noted that the GodLoader malware campaign uses over 200 fake GitHub repositories and 225 accounts to distribute its payloads. These repositories, disguised as legitimate, use Godot Engine executables (.PCK files) to drop malware such as RedLine Stealer and XMRig cryptocurrency miners.
This malware bypasses security mechanisms by excluding the entire C:\ drive from Microsoft Defender scans and evading detection in sandboxed environments.
Although the primary focus has been Windows systems, researchers warn that adapting the malware for macOS and Linux is relatively straightforward. Additionally, attackers may escalate their efforts by tampering with legitimate Godot-built games to distribute malware.
The Godot team emphasized that any programming language could create malicious software. They urged users to download verified, signed executables and avoid cracked software. To counteract such threats, they recommended implementing asymmetric-key encryption for enhanced security.
To protect against such attacks, users must remain vigilant. Always download software from official or trusted sources, ensuring they are properly signed. Avoid cracked or unauthorized versions of software, as these often serve as entry points for malware.
Developers can enhance security by adopting robust encryption methods, such as asymmetric cryptography, to safeguard their code. Keeping antivirus software updated and monitoring unusual system behavior are also crucial steps to defend against evolving cyber threats.