Executive Summary

  • Check Point Research discovered a new technique using Godot Engine, a popular open-source game engine, to execute malicious code that executes nefarious commands and delivers malware and largely remains undetected.
  • This innovative method enables cybercriminals to compromise devices across different platforms, including Windows, macOS, Linux, Android, and iOS.
  • The Stargazers Ghost Network, a GitHub network that distributes malware as a service, distributes the malicious code and, in just three months, has infected over 17,000 machines.
  • Potential attack scenarios can impact over 1.2 million users’ games developed with Godot by exploiting legitimate Godot executables to load harmful content through mods or other downloadable content.

In the ever-evolving landscape of cyber threats, cybercriminals continually enhance their tactics to achieve higher infection rates and remain under the radar of cyber security systems. A recent discovery by Check Point Research has unveiled a chilling new trend that takes advantage of gaming engines, specifically their scripts. A popular open-source game engine, Godot Engine, has been exploited by threat actors to run malicious scripts called GodLoader and drop payloads, resulting in the infection of over 17,000 machines. This innovative technique enables attackers to carry out credential theft and deploy ransomware, posing significant risks to the 1.2 million users of Godot-developed games.

Here, we will describe how threat actors leverage Godot Engine, how the malware is distributed, and its potential to infect more players of Godot-developed games.

Understanding the Godot Gaming Engine

Godot Engine is an open-source game development platform revered for its flexibility and comprehensive toolset. Designed for creating both 2D and 3D games, it supports various export formats, facilitating the reach of developers to platforms such as Windows, macOS, Linux, Android, iOS, and HTML5. With a user-friendly interface and a Python-like scripting language called GDScript, Godot empowers developers of all levels. Additionally, its active community of over 2,700 contributors and 80,000 followers on social media highlights its popularity and dedicated support. However, this very appeal is now being exploited by cybercriminals.

The GodLoader Technique 

Threat actors have utilized Godot’s scripting capabilities to create custom loaders, called GodLoader, that remain undetected by many conventional security solutions. Since Godot’s architecture allows platform-agnostic payload delivery, attackers can easily deploy malicious code across Windows, Linux, and macOS, sometimes even exploring Android options. Additionally, the simplicity of GDScript, combined with Godot’s ability to integrate into various operating systems, enables attackers to bypass traditional detection methods.

Since June 29, 2024, a new technique utilizing the malicious GodLoader has evaded detection by most antivirus tools, reportedly infecting more than 17,000 machines within three to four months.

Mechanism of Attack 

The exploitation of the Godot Engine hinges on its use of .pck files, which bundle game assets, including scripts and scenes, for distribution. When these files are loaded, the malicious GDScript can be executed through the built-in callback function. This feature gives attackers many possibilities, from downloading additional malware to executing remote payloads—all while remaining undetected. Since GDScript is a fully functional language, threat actors have many functions like anti-sandbox, anti-virtual machine measures, and remote payload execution, enabling the malware to remain undetected. While the initial samples have targeted Windows systems, the cross-platform nature of Godot means that other operating systems could also be at risk.

Spreading GodLoader

The loader leverages the Stargazers Ghost Network, a sophisticated Distribution as a Service (DaaS) framework that masquerades malware delivery through seemingly legitimate GitHub repositories. From September to October 2024, GodLoader was distributed via 200 repositories, supported by over 225 Stargazer Ghost accounts that have artificially boosted the visibility of these malicious repositories by staring them. This approach creates an illusion of legitimacy, enticing unsuspecting developers and gamers to become victims.

The repositories were distributed and released into four separate waves, primarily targeting developers and gamers.

The Implications for Developers and Gamers 

The implications of this new threat are substantial. With developers often accessing and utilizing open-source platforms like Godot Engine for game development, the possibility of unwittingly incorporating malicious code into their projects becomes a credible concern. The risk is also heightened for gamers as they download and install games that may have been crafted with compromised tools.

Additionally, the threat actor behind this attack distributed GodLoader using Stargazers Ghost Network, demonstrating a high level of sophistication and success in its campaigns. The network exploits trust in open-source and legitimate software repositories to distribute malware discreetly. By masquerading as reputable applications or tools, the network attracts unsuspecting users who download and install what they believe to be safe software. This approach allows the malware to spread widely and rapidly, with thousands of users affected relatively quickly.

Employing a focused distribution strategy alongside a covert, undetectable method has significantly increased infection rates. This multi-platform technique boosts the malware’s adaptability, providing cybercriminals with a formidable resource that can seamlessly target various operating systems. As a result, attackers can deploy malware more efficiently across diverse devices, amplifying their reach and effectiveness.

Strengthening Cyber security: Navigating the Threat of GodLoader and Beyond

The GodLoader technique represents a significant step in the direction of more covert and sophisticated malicious activities. To reduce the risks of such threats, it’s essential to regularly update operating systems and applications with timely patches and other measures. Users should be wary of unexpected emails or messages that include links, especially from unknown sources while increasing cybersecurity awareness is vital to fostering a more alert and cautious culture. Finally, contacting security experts for questions or concerns can offer valuable insights and support in addressing possible security issues.

Check Point’s Threat Emulation and Harmony Endpoint provide protection against diverse attack methods, file types, and operating systems, such as this type of attack and malware families described in this report. Threat Emulation assesses files to detect malicious activity before they can breach an end user’s network, effectively uncovering unknown threats and zero-day vulnerabilities. When combined with Harmony Endpoint, which performs real-time file analysis, Threat Emulation evaluates each file, allowing users to quickly access a secure version while the original file undergoes a detailed examination. This proactive strategy not only enhances security by providing rapid access to safe content but also systematically identifies and addresses potential threats, thus preserving the integrity of the network.

The team at Godot provided a statement for this report :

As the report states, the vulnerability is not specific to Godot. The Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language. We do not believe that Godot is particularly more or less suited to do so than other such programs.

If you downloaded a Godot game or the editor from a reliable source, you don’t have to do anything. You are not at risk.

We encourage people to only execute software from trusted sources.

Learn more about the malware, how it spreads, and the evasion techniques in Check Point Research’s technical analysis.

https://research.checkpoint.com/2024/the exploitation of gaming engines/

Protection

  • Technique.win.GDscript.*

You may also like