
GodRAT remote access trojan delivery via malicious .SCR files

Malware Activity
H score 28
1 unique source, 1 article

Summary


The GodRAT remote access trojan is being delivered to financial institutions through malicious .SCR files, creating an active infection chain that can steal data and stage additional payloads. The lure is distributed over Skype and uses steganography to hide shellcode inside image files before the malware is fetched from a C2 server. Activity has been observed since September 9, 2024 and as recently as August 12, 2025, with targets across Hong Kong, the UAE, Lebanon, Malaysia, and Jordan.

Related Happenings

Silver Fox South Asia phishing campaign

Campaign
First: 24.03.2026 18:00 Last: 24.03.2026 18:00 Sources 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

Tomiris multi-language malware modules using Discord and Telegram C2

Malware Activity
First: 01.12.2025 07:07 Last: 01.12.2025 07:07 Sources 1

About this happening: The **Tomiris** malware set is now using **Discord** and **Telegram** as C2, making its post-exploitation traffic harder to spot and letting operators blend in with legitimate ser...

BADAUDIO first-stage downloader activity

Malware Activity
First: 21.11.2025 12:42 Last: 21.11.2025 12:42 Sources 1

About this happening: The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...

Airstalk malware abusing AirWatch MDM APIs for covert C2

Malware Activity
First: 31.10.2025 18:08 Last: 31.10.2025 18:08 Sources 1

About this happening: The **Airstalk** malware activity linked to **CL-STA-1009** is abusing **AirWatch/Workspace ONE MDM APIs** for covert **command-and-control** and data theft, increasing stealth ri...

ChaosBot Rust backdoor using Discord C2 and phishing delivery

Malware Activity
First: 13.10.2025 08:12 Last: 13.10.2025 08:12 Sources 1

About this happening: **ChaosBot** is a newly disclosed **Rust-based backdoor** that gives operators **reconnaissance** and **arbitrary command execution** on compromised hosts, increasing the risk of...

Timeline

  1. 19.08.2025 17:33 1 article · 9mo ago

    GodRAT artifacts detected across multiple regions

    Campaign Scope Update

    Screen saver artifacts carrying GodRAT are detected targeting Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan, showing the campaign's geographic spread across multiple countries and territories.

  2. 19.08.2025 17:33 1 article · 9mo ago

    Technical analysis discloses a new GodRAT campaign

    Initial Disclosure

    A technical analysis identifies a campaign targeting financial institutions, including trading and brokerage firms, that distributes malicious .SCR files disguised as financial documents via Skype messenger. It also notes that GodRAT client and builder source code was uploaded to VirusTotal in late July 2024.
