- Cybercriminals are exploiting the Godot Engine in a new malware campaign.
- The GodLoader campaign uses GitHub and Bitbucket to distribute malware.
If you’re working from home, chances are you share your computer with family members—maybe even a gamer or two. What you might not know is that a popular open-source game engine, Godot Engine, is being misused in a new malware campaign called GodLoader, which has already infected over 17,000 systems since June 2024.
Cybercriminals have found a clever way to exploit Godot Engine to run malicious code, slipping under the radar of most antivirus software. According to Check Point, “The technique remains undetected by almost all antivirus engines in VirusTotal.” That means your computer could be at risk, especially if it’s being used for both work and gaming.
The Godot Engine, a powerful game development tool, is being targeted because of its flexibility and platform-agnostic nature, allowing malware to spread stealthily across multiple systems. Threat actors are taking advantage of the trust placed in open-source platforms, using the engine’s capabilities to execute devastating cross-platform attacks.
How attackers are spreading GodLoader
This malware operation uses GitHub as a distribution channel, where attackers create hundreds of fake repositories and accounts to make their malware appear authentic. The repositories host unmodified Godot Engine executables alongside malicious pack files; the script inside a pack runs as soon as the engine loads it, and in this campaign that script fetches malware such as RedLine Stealer and XMRig, a cryptocurrency miner. Because the engine binary itself is legitimate and the GitHub repositories and accounts look genuine, unsuspecting users have little to discern the threat from. The repositories were released in waves, targeting not only gamers but also developers and general users, illustrating the attackers’ ability to cast a wide net.
The attacks, observed on September 12, September 14, September 29, and October 3, 2024, introduced a new level of sophistication. Godot pack files (.pck) are not executables: they are resource archives that the Godot runtime loads, and they can carry GDScript, the engine’s scripting language. GodLoader abuses this by shipping a pack whose script is the loader. The loader downloads and executes final-stage payloads from Bitbucket repositories, ranging from data-stealing malware like RedLine Stealer to resource-intensive tools like XMRig.
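To make that distinction concrete, here is an added example, not Check Point’s code and not part of the Godot project, that reads the directory of a .pck and reports which entries are scripts or native libraries, which is the first thing to check about a pack shipped beside a Godot executable of unknown origin. It parses the pack layout as Godot’s exporter writes it for both the Godot 3 and Godot 4 formats (the reader should confirm field order against the engine source for the exact version in hand); the sample pack is constructed inside the code, and its inert GDScript file stands in for a loader script.

```python
"""Inspect a Godot .pck pack file.

Added example: not Check Point's code and not part of the Godot project.
A .pck is a resource archive, not an executable; the Godot runtime loads it
and runs any GDScript it contains, so listing the directory shows whether a
pack found next to a Godot executable carries code at all.

Layout as written by Godot's pack exporter (check against the engine source
for the exact version you are handling):
  u32 magic "GDPC", u32 pack version (1 = Godot 3, 2 = Godot 4),
  u32 major, u32 minor, u32 patch,
  v2 only: u32 pack_flags, u64 file_base (file offsets are relative to it),
  16 x u32 reserved, u32 file_count, then per file:
  u32 path_len (path is null-padded to a multiple of 4), path bytes,
  u64 offset, u64 size, 16-byte MD5, v2 only: u32 file_flags.
"""
import hashlib
import struct
from dataclasses import dataclass

MAGIC = 0x43504447            # b"GDPC" as a little-endian u32
PACK_DIR_ENCRYPTED = 1 << 0   # v2 pack_flags bit: directory is encrypted
PACK_FILE_ENCRYPTED = 1 << 0  # v2 per-file flag bit: contents are encrypted
# Entries that mean the pack carries code, not only art and audio.
CODE_EXTS = (".gd", ".gdc", ".gde", ".gdns", ".gdnlib", ".gdextension",
             ".dll", ".so", ".dylib")


@dataclass
class Entry:
    path: str
    offset: int     # absolute offset into the pack
    size: int
    md5: bytes
    encrypted: bool


def list_pck(data: bytes) -> tuple:
    """Parse the pack directory; returns (pack version, list of Entry)."""
    magic, version, _major, _minor, _patch = struct.unpack_from("<IIIII", data, 0)
    if magic != MAGIC:
        raise ValueError("not a Godot pack (no GDPC header)")
    pos, file_base = 20, 0
    if version == 2:
        pack_flags, file_base = struct.unpack_from("<IQ", data, pos)
        pos += 12
        if pack_flags & PACK_DIR_ENCRYPTED:
            raise ValueError("directory is encrypted; the export key is needed to list it")
    elif version != 1:
        raise ValueError(f"unsupported pack version {version}")
    pos += 64                                    # 16 reserved u32
    (count,) = struct.unpack_from("<I", data, pos)
    pos += 4
    entries = []
    for _ in range(count):
        (plen,) = struct.unpack_from("<I", data, pos)
        pos += 4
        path = bytes(data[pos:pos + plen]).rstrip(b"\0").decode("utf-8")
        pos += plen
        ofs, size = struct.unpack_from("<QQ", data, pos)
        pos += 16
        md5 = bytes(data[pos:pos + 16])
        pos += 16
        flags = 0
        if version == 2:
            (flags,) = struct.unpack_from("<I", data, pos)
            pos += 4
        entries.append(Entry(path, file_base + ofs, size, md5, bool(flags & PACK_FILE_ENCRYPTED)))
    return version, entries


def code_entries(entries: list) -> list:
    """Paths of scripts and native libraries: what a reviewer reads first."""
    return [e.path for e in entries if e.path.lower().endswith(CODE_EXTS)]


def verify_md5(data: bytes, entries: list) -> list:
    """Paths whose directory MD5 disagrees with the bytes in the pack.
    A match proves the pack is self-consistent, not that it is benign."""
    bad = []
    for e in entries:
        blob = bytes(data[e.offset:e.offset + e.size])
        if not e.encrypted and hashlib.md5(blob).digest() != e.md5:
            bad.append(e.path)
    return bad


def build_pck(files: dict, version: int = 2) -> bytes:
    """Write a minimal, unencrypted pack in the layout above so the parser can
    be exercised offline (Godot's own exporter also adds alignment padding)."""
    is_v2 = version == 2
    header_len = 20 + (12 if is_v2 else 0) + 64 + 4
    padded = [n + b"\0" * (-len(n) % 4) for n in (p.encode("utf-8") for p in files)]
    dir_len = sum(4 + len(p) + 32 + (4 if is_v2 else 0) for p in padded)
    file_base = header_len + dir_len
    directory, blob = b"", b""
    for name, content in zip(padded, files.values()):
        ofs = len(blob) if is_v2 else file_base + len(blob)   # v1 offsets are absolute
        directory += struct.pack("<I", len(name)) + name
        directory += struct.pack("<QQ", ofs, len(content)) + hashlib.md5(content).digest()
        if is_v2:
            directory += struct.pack("<I", 0)
        blob += content
    header = struct.pack("<IIIII", MAGIC, version, 4 if is_v2 else 3, 0, 0)
    if is_v2:
        header += struct.pack("<IQ", 0, file_base)
    header += b"\0" * 64 + struct.pack("<I", len(files))
    return header + directory + blob


# Constructed sample: looks like a game (project settings, an icon) but also
# carries a script, the pattern GodLoader relies on. The script is inert.
SAMPLE_FILES = {
    "res://project.binary": b"\0" * 32,
    "res://icon.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 24,
    "res://main.gd": b"extends Node\nfunc _ready():\n\tpass\n",
}

if __name__ == "__main__":
    for v in (1, 2):
        pack = build_pck(SAMPLE_FILES, v)
        version, entries = list_pck(pack)
        print(f"pack v{version}: {len(entries)} files, code: {code_entries(entries)}, "
              f"md5 mismatches: {verify_md5(pack, entries)}")
```

Run it as is to see the constructed pack listed, or pass the bytes of a real .pck to list_pck and code_entries. A pack whose directory is encrypted cannot be listed without the export key, and that is itself worth noting about a file that arrived with a free game.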
GodLoader’s ability to evade detection is what makes it particularly dangerous. The malware evades sandboxes and virtual environments designed for malware analysis. It neutralises Microsoft Defender Antivirus by adding the entire C:\ drive to the exclusions list, so nothing on the system drive is scanned. A drive-root exclusion has no legitimate use, which makes the same change one of the clearest indicators of this campaign on an affected host. While Windows systems are the primary targets, experts believe that adapting the malware to macOS or Linux systems would require minimal effort. This cross-platform flexibility broadens the risk, making the campaign more effective.
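The exclusion trick is also a detection opportunity. The following added example (mine, not the researchers’ or Microsoft’s code) audits Defender exclusions in two ways: against the current lists a host reports through the Get-MpPreference cmdlet (its ExclusionPath, ExclusionExtension and ExclusionProcess properties), and against the message text of event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which records every configuration change and names the registry value involved. The event messages in the code are constructed samples in that event’s wording, not captures from an infected machine, and the lists of risky prefixes, extensions and processes are my own choices.

```python
"""Audit Microsoft Defender exclusions for the whole-drive trick.

Added example, not the researchers' or Microsoft's code. GodLoader adds C:\\
to Defender's path exclusions; a drive-root exclusion has no legitimate use,
so it is a cheap, high-confidence detection. Two inputs are covered:
  * the exclusion lists a host reports through Get-MpPreference
    (ExclusionPath, ExclusionExtension, ExclusionProcess);
  * the message text of event 5007 in the Microsoft-Windows-Windows
    Defender/Operational log, which names the registry value that changed.
    The events below are constructed samples in that event's wording, not
    captures from an infected machine.
"""
import re
from dataclasses import dataclass
from typing import Optional

# e.g. "New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"
EXCLUSION_VALUE = re.compile(
    r"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x[0-9a-f]+\s*$",
    re.IGNORECASE,
)
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$")
# Prefixes broad enough that excluding them blinds Defender where malware lands
# (author's list; compared lower-cased).
BROAD_PREFIXES = ("c:\\users", "c:\\programdata", "c:\\windows\\temp", "c:\\temp",
                  "%temp%", "%tmp%", "%appdata%", "%localappdata%", "%userprofile%",
                  "%programdata%")
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pck"}
RISKY_PROCESSES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "rundll32.exe", "regsvr32.exe", "mshta.exe"}


@dataclass
class Finding:
    kind: str       # Paths, Extensions or Processes
    value: str      # the excluded item as configured
    severity: str   # "critical" or "high"
    reason: str


def assess_exclusion(kind: str, value: str) -> Optional[Finding]:
    """Judge one exclusion; None means it looks like an ordinary admin choice."""
    v = value.strip().strip('"').lower()
    if kind == "Paths":
        if DRIVE_ROOT.match(v.rstrip("*")) or v in ("*", "\\"):
            return Finding(kind, value, "critical", "entire drive excluded from scanning")
        if v.startswith(BROAD_PREFIXES):
            return Finding(kind, value, "high", "user-writable location excluded")
    elif kind == "Extensions":
        ext = v if v.startswith(".") else "." + v
        if ext in RISKY_EXTENSIONS:
            return Finding(kind, value, "high", "executable or script extension excluded")
    elif kind == "Processes":
        if v.rsplit("\\", 1)[-1] in RISKY_PROCESSES:
            return Finding(kind, value, "high", "script host or LOLBin excluded")
    return None


def audit_current(paths=(), extensions=(), processes=()) -> list:
    """Audit the lists as Get-MpPreference reports them on a host."""
    findings = []
    for kind, values in (("Paths", paths), ("Extensions", extensions), ("Processes", processes)):
        for value in values:
            f = assess_exclusion(kind, value)
            if f:
                findings.append(f)
    return findings


def audit_event_5007(message: str) -> list:
    """Audit the 'New value:' line of a 5007 event. A value under
    Exclusions\\Paths exists only while that path is excluded (its DWORD data
    is 0x0), so an addition shows as a non-empty new value and a removal as an
    empty one; only additions can produce findings."""
    findings = []
    for line in message.splitlines():
        text = line.strip()
        if not text.lower().startswith("new value:"):
            continue
        m = EXCLUSION_VALUE.search(text[len("new value:"):])
        if m:
            f = assess_exclusion(m.group("kind").capitalize(), m.group("value"))
            if f:
                findings.append(f)
    return findings


_PREAMBLE = ("Microsoft Defender Antivirus Configuration has changed. If this is an "
             "unexpected event you should review the settings as this may be the "
             "result of malware.\n")
_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
# Constructed samples (see module docstring).
SAMPLE_EVENTS = [
    _PREAMBLE + "\tOld value: \n\tNew value: " + _KEY + "C:\\ = 0x0",                          # GodLoader's change
    _PREAMBLE + "\tOld value: \n\tNew value: " + _KEY + "C:\\Program Files\\Vendor\\db.mdf = 0x0",  # narrow, plausible
    _PREAMBLE + "\tOld value: " + _KEY + "C:\\ = 0x0\n\tNew value: ",                          # exclusion removed
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for f in audit_event_5007(event):
            print(f"5007 {f.severity}: {f.kind} {f.value!r}: {f.reason}")
    for f in audit_current(paths=["C:\\", "D:\\Games\\MyGame"],
                           processes=["C:\\Windows\\System32\\cmd.exe"]):
        print(f"current {f.severity}: {f.kind} {f.value!r}: {f.reason}")
```

On a live host the inputs come from Get-MpPreference and from Get-WinEvent filtered on that log name and event ID 5007; the detection itself is the same whether it runs on the endpoint or over forwarded logs. Tune the broad-prefix and process lists to the environment, but treat a drive-root exclusion as an incident rather than a tuning question.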
Why WfH workers should be concerned
GodLoader poses particularly alarming risks to people who share their home computers with gamers. Godot can encrypt a game’s pack file, but the key is embedded in the exported game itself, so an attacker who recovers it can modify a legitimate Godot-built game’s files and re-package it. This means that downloading a seemingly harmless game from an untrusted source could bring malware directly into a system.
Work-from-home setups are particularly vulnerable because the lines between personal and professional use blur. Malware doesn’t distinguish between gaming and work files, meaning sensitive work documents, login credentials, and other critical information could be at risk. For remote workers who use their computers for both gaming and accessing corporate networks, the consequences could extend beyond personal loss to jeopardise company data.
The broader implications highlight a growing trend of attackers targeting trusted platforms and brands. Cybercriminals frequently target open-source tools and widely used frameworks due to their popularity and perceived legitimacy. In this case, the Godot Engine, which is trusted by developers worldwide, has inadvertently become a tool in a bigger malicious operation.
The role of open-source security and trust
This campaign is a wake-up call for both individual users and the tech sector as a whole. According to Eli Smadja, security research group manager at Check Point Software Technologies, “The Godot Engine’s flexibility has made it a target for cybercriminals, enabling stealthy, cross-platform malware like GodLoader to spread rapidly by exploiting trust in open-source platforms.” The incident emphasises the significance of proactive cybersecurity measures for the more than 1.2 million users of games built with Godot, and for anyone sharing a computer with a gamer.
The Godot Security Team responded to the findings, reminding users that malicious programs can be written in any programming language. They emphasised the importance of downloading software only from trusted sources and checking that executables are signed by reputable parties. They also urged users to avoid cracked software, which frequently hides risks of this kind. Additionally, the team advocates stronger protection for pack files, such as asymmetric-key algorithms, which would keep the key needed to produce or alter a valid pack out of the shipped game, unlike the symmetric key Godot currently embeds in exported games.
Steps to remain secure
Individuals and businesses must adopt proactive risk management measures. It is critical to only download software from official sources, verify executable signatures, and steer clear of cracked software. One caveat applies to this campaign: the Godot executable in a GodLoader repository is an unmodified engine build, and the malicious code lives in the unsigned .pck beside it, so a clean signature or a hash that matches an official release says nothing about the pack the executable will load. For work-from-home employees, separating personal and professional device use adds an essential layer of security. Keeping antivirus software up to date is equally important, as is investing in solutions capable of detecting unconventional malware techniques; on Windows, a periodic check that Defender’s exclusion list has not quietly acquired a drive root is a cheap place to start.
The GodLoader campaign serves as a reminder of cybercriminals’ continual innovation. By exploiting trusted tools like Godot Engine and using deceptive distribution methods, they’ve infiltrated systems on a massive scale. For those working from home, particularly on shared devices, vigilance and robust security practices are not just recommended—they are imperative.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including Digital Transformation Week, IoT Tech Expo, Blockchain Expo, and AI & Big Data Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.