
GodRAT remote access trojan delivery via malicious .SCR files

Malware Activity
H score 28
1 unique source, 1 article

Summary


The GodRAT remote access trojan is being delivered to financial institutions through malicious .SCR files, creating an active infection chain that can steal data and stage additional payloads. The lure is sent over Skype, and steganography is used to hide shellcode inside image files before the malware is fetched from a C2 server. Activity has been observed since September 9, 2024 and as recently as August 12, 2025, with targets across Hong Kong, the UAE, Lebanon, Malaysia, and Jordan.

Related Happenings

Silver Fox South Asia phishing campaign

Campaign
H score 39 · First: 24.03.2026 18:00 · Last: 24.03.2026 18:00 · Sources: 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

Tomiris multi-language malware modules using Discord and Telegram C2

Malware Activity
H score 16 · First: 01.12.2025 07:07 · Last: 01.12.2025 07:07 · Sources: 1

About this happening: The **Tomiris** malware set is now using **Discord** and **Telegram** as C2, making its post-exploitation traffic harder to spot and letting operators blend in with legitimate ser...

BADAUDIO first-stage downloader activity

Malware Activity
H score 36 · First: 21.11.2025 12:42 · Last: 21.11.2025 12:42 · Sources: 1

About this happening: The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...

Kimsuky HttpTroy backdoor activity against South Korean users

Malware Activity
H score 16 · First: 05.11.2025 04:00 · Last: 05.11.2025 04:00 · Sources: 1

About this happening: **Kimsuky** has been tied to fresh **March and April 2026** campaigns against **South Korean military and corporate entities**, using **fake security-software pages** and a **coun...

Airstalk malware abusing AirWatch MDM APIs for covert C2

Malware Activity
H score 22 · First: 31.10.2025 18:08 · Last: 31.10.2025 18:08 · Sources: 1

About this happening: The **Airstalk** malware activity linked to **CL-STA-1009** is abusing **AirWatch/Workspace ONE MDM APIs** for covert **command-and-control** and data theft, increasing stealth ri...

Timeline

  1. 19.08.2025 17:33 · 1 article · 9mo ago

    GodRAT artifacts detected across multiple regions

    Campaign Scope Update

    Screen saver artifacts carrying GodRAT are detected targeting Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan, showing the campaign's geographic spread across multiple countries and territories.

  2. 19.08.2025 17:33 · 1 article · 9mo ago

    Technical analysis discloses a new GodRAT campaign

    Initial Disclosure

    A technical analysis identifies a campaign targeting financial institutions, including trading and brokerage firms, that distributes malicious .SCR files disguised as financial documents via Skype messenger. It also notes that GodRAT client and builder source code was uploaded to VirusTotal in late July 2024.
