Trojan GodRAT Disguised as Financial Documents

Red Dog Security

21 Aug 2025 — 1 min read

A new Remote Access Trojan (RAT) is being distributed through malicious .scr files disguised as financial documents. Until March 2025, attackers spread these files via Skype, but after the platform’s shutdown, they shifted to alternative delivery channels.

Discovery and Targets

Researchers at Kaspersky have identified the malware, dubbed GodRAT, which primarily targets small and medium-sized businesses—particularly trading and brokerage firms—in the UAE, Hong Kong, Jordan, and Lebanon.

The source code of GodRAT first surfaced in July 2024 on a popular multi-scanner service. Once installed on a victim’s device, the trojan collects details about:

the operating system
local hostname
malicious process name and ID
user account information
installed security software

Capabilities and Plugins

GodRAT is modular and supports additional plugins. In analyzed incidents, attackers deployed the FileManager plugin to navigate infected systems, as well as credential-stealing malware to extract login data from Chrome and Microsoft Edge.

In addition, threat actors often paired GodRAT with AsyncRAT, using the latter as a secondary implant to maintain long-term access to compromised machines.

Builder Tool and Steganography

The malware archive, “GodRAT V3.5_______dll.rar,” also contained a builder tool that lets attackers generate customized versions of GodRAT. This builder allows them to embed the malicious payload into legitimate files.

Furthermore, attackers employed steganography, hiding shellcode within an image file that appeared to contain financial data.

Links to Previous Malware

“GodRAT is an evolved version of AwesomePuppet, which we discovered in 2023 and which is likely linked to the Winnti cybergroup,” explained Leonid Bezvershenko, Senior Expert at Kaspersky GReAT.

“The connection between these malware strains is evident from their distribution methods, specific command-line parameters, code similarities with the long-active Gh0st RAT, and shared artifacts. Attackers frequently customize and repurpose old implants to maximize victim reach. This newly discovered trojan confirms that even tools with decades-long histories can remain relevant in today’s cyberthreat landscape.”

Positive Technologies Analyzes the Toolset of APT Group Goffee

Specialists at Positive Technologies have revealed details of a previously undocumented toolset used by the hacker group Goffee (also known as Paper Werewolf). According to the researchers, these tools were deployed in the later stages of attacks, enabling the group to maintain long-term persistence inside victim networks while avoiding detection.

Flipper Developers Deny Existence of “Secret Firmware” for Hacking Cars

The issue of car theft using the Flipper Zero has resurfaced in global headlines. This time, hackers claim to be selling a “secret firmware” for the device that allegedly works against cars from Ford, Audi, Volkswagen, Subaru, Hyundai, Kia, and several other manufacturers. The developers behind Flipper Zero say these

RapperBot Botnet Dismantled, Creator Charged

The U.S. Department of Justice has charged the alleged developer and administrator of the RapperBot botnet, a Mirai-based network rented out to cybercriminals for large-scale DDoS attacks. The botnet itself was seized by law enforcement in early August during Operation PowerOff. Origins and Evolution RapperBot—also known as Eleven

PyPI Combats Attacks Based on Domain Reclaiming

The developers of the Python Package Index (PyPI) have announced new measures to combat domain reclaiming attacks—an overlooked threat that allows malicious actors to hijack user accounts through password resets. As the official repository for Python packages, PyPI is a critical resource for software developers, project maintainers, and companies