GodRAT Emerges: A New Remote Access Trojan Poses a Threat to Businesses
Experts at Kaspersky Lab have uncovered a new remote access trojan, GodRAT, which is being distributed through .scr files disguised as financial documents. Until March 2025, attackers relied on Skype to deliver the malware, before shifting to alternative distribution channels. The primary victims of these attacks have been small and medium-sized enterprises, most notably trading and brokerage firms in the UAE, Hong Kong, Jordan, and Lebanon.
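A defender-side triage for the delivery method described above (.scr files disguised as financial documents), as an added example that is not from Kaspersky's research or this article. The extension lists, reason labels, function names and sample file names are assumptions constructed for illustration.

```python
import struct

# Extensions Windows launches as programs; a .scr screensaver is an ordinary PE file.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}
# Extensions a recipient expects to open as a document or image (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}

# Constructed sample: the minimum header bytes that parse as PE, not a real binary.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(name: str, data: bytes) -> list[str]:
    """Return the reasons a file name/content pair looks like a disguised executable."""
    # Split on dots and strip padding so "report.pdf   .scr" still yields .pdf, .scr.
    exts = ["." + part.strip() for part in name.lower().split(".")[1:]]
    final = exts[-1] if exts else ""
    reasons = []
    if final == ".scr":
        reasons.append("scr-extension")
    if final in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("document-then-executable-extension")
    if is_pe(data) and final not in EXECUTABLE_EXTS:
        reasons.append("pe-content-under-non-executable-name")
    return reasons


if __name__ == "__main__":
    # Constructed file names for illustration.
    for fname, blob in [("Q1_statement.pdf.scr", SAMPLE_PE),
                        ("invoice.pdf", SAMPLE_PE),
                        ("invoice.pdf", b"%PDF-1.7\n")]:
        print(fname, triage(fname, blob))
```

The content check matters because a file name is attacker-controlled, while the PE header is what Windows actually loads.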
The source code of GodRAT had been uploaded to a popular multi-scanner service as early as July 2024. Once a device was infected, the malware exfiltrated details about the operating system, the hostname, the malicious process and its ID, as well as information on the active user account and installed security software.
GodRAT also supports modular extensions. In observed attacks, adversaries deployed the FileManager plugin for system reconnaissance, along with credential stealers targeting browsers such as Chrome and Microsoft Edge. At the same time, attackers installed AsyncRAT as a secondary implant, enabling prolonged persistence within the compromised environment.
To conceal their activities, the attackers used a builder embedded within the archive “GodRAT V3.5_______dll.rar”, which allowed them to inject malicious payloads into legitimate files. They also employed steganography, hiding shellcode inside images disguised as financial documents.
According to researchers, GodRAT appears to be an evolution of the AwesomePuppet malware, first identified in 2023 and believed to be associated with the Winnti cyber group. This attribution is supported by overlapping distribution methods, command-line parameters, code similarities with the infamous Gh0st RAT, and recurring artifacts. Specialists emphasize that even tools with a long operational history continue to play a role in today’s cyber threat landscape.